Social Engineering (Human Hacking): How The Predator Gains Information:
Social Engineering is how an Internet predator will use personal information that they data harvest on-line about you, to use to their advantage for criminal, personal, sexual, or financial benefit. Often this information is obtained from Chat Room dialogues, Social Networks, Blogs and search engines such as Google or www.pipl.com . In an interesting 2011 article from one of the largest Internet security companies in the world, AVG, reported that on-line users are more than “four times likely to come into contact with social engineering tactics as opposed to a site serving up an I.T. exploit. Why because criminals know that humans are usually the weakest link in the security chain”. As an example of how an Internet Predator will Social Engineer a Social Network, here is a fictitious Profile that has “TMI” (internet chat abbreviation for “Too Much Information”) that was posted on the MSNBC web site as a learning tool
Many Social Networking sites, such as Facebook, Google + and MySpace look very similar to the above noted hypothetical “Yerplace” site, and often, much like the above noted example, offer too much information that can be used by a potential predator to socially engineer a potential target. So let’s look a little closer at some of the less than desirable information that is contained in this example, which can be easily exploited and socially engineered to build rapport by a predator:
Listing your school location and year gives a predator an idea of where you live, as well as a clue as to your age. In this posting Jane posted that she is in junior high, revealing that she is actually younger than the 16 years of age that she had posted in her “Basic” information field.
Jane listed her afterschool job, and even the location where she works. When this information is combined with the picture that is provided of Jane, it makes it easier for a potential predator/stalker to track Jane down.
The Ultimate Survey:
Posting your answers to surveys such as this, reveal a lot about who you are as person, including your personality and hobbies. An on-line predator posing as a “friend” could easily pretend to share your interests (social engineering). Here, Jane even mentions that “Thompson Park” is her favorite hangout, again making it easier for a predator/stalker to track Jane down.
Here Jane mentions that she likes to celebrate by drinking Coronas, even though we know she is younger than 16 years of age. Whether it is a joke or not a mention of inappropriate alcohol or drug use, may come back to haunt you in the future. Colleges and employers are now using the Internet to check out potential candidates. What one posts on their Web site now may surface years down the road.
You will also note that Jane provided her instant messaging (IM, MSN or AIM) screen name to everyone. Instant Messaging is one of the preferred methods of communication by predators, because of its private nature, and therefore should never be provided to anyone other than a face-to-face friend you know personally.
Consideration should also be given to avoid group shots that are going to be posted on-line, unless your friends have given their permission first. Linking these pictures to photo album sites like “Photobucket” or “Flikr”, should also be reconsidered due to the fact that these sites often feature information about these teen’s that can become very searchable by others, revealing information such as their home address and even vehicle license plate numbers.
Jane’s Friends Space:
Does Jane really have 323 friends? One of the badges of honor in some of these Social Networks is to have a large number of friends. The larger the number friend’s one has, the more popular you must be. To a potential predator, the larger the number of friends that a person has, the more likely you will invite him in as a friend as well, and once in, unless mediated via privacy settings, this person now has access to all the information contained in your site. Keep your “friends” list limited to people who you really know, and have met in person face-to-face. Remember when a person has been accepted on your friend’s list, they receive all “bulletins” that you send.
Also of note; what are your friends posting about you on your site. In the above noted example, although Jane was very good about not revealing her last name in her profile, one of her friends referred to her as “Anderson”. Social Engineering is all about data mining and often predators will drill down in a potential target’s site to gain as much information as possible. This is why it is very important that you read and edit all comments that your friends write on your site that may provide TOO MUCH INFORMATION.
In our Internet safety seminars, we demonstrate how we have been able to socially engineer young girls on-line, via their social networks, to obtain their home phone number and address, where they go to school and where they might work and here’s one of the ways we do it:
- We will “creep” a social network, chatroom, or Blog that has not been locked down primarily looking for those who have more than 150+ friends.
- Once we have creeped the site for an extended period of time, getting to know our target covertly, we will create our own page and develop a profile matching the sex, age range, likes, and dislikes of our intended target. We do this because we know that many youth before inviting an unknown person into their site as a friend, will check that person’s page and profile to ensure they are who they say they are.
- Once this fake page has been created, we will then initiate contact with the target and ask to be invited in as a friend. In the vast majority of cases we get invited in and accepted as a friend. This now gives us greater access to information about our intended target.
- The next thing we do is look for the target’s last name, which can usually be located if you spend the time to look around their site.
- With this last name, and given that in the target’s profile we can usually locate the city in which the target lives, we next go to 411.com, plug in the last name of the target, and the city they are located in, hit enter, and poof several phone numbers now appear. If the target has a rare or unique last name, this process is even easier.
- We next start dialing each one of these phone numbers and ask for the target by name and once we get a positive reply, we now have the target’s phone number.
- We next take this phone number and plug it into an on-line reverse directory and poof now we have an address.
- With the address, we now go to Google maps, plug in the address, and poof now we can plot directions as how to get from my residence to the target’s. Even better yet, I can go to Google Street View and download an actual picture of the target’s house.
It’s that easy, and thus why it is so very important that our youth learn to protect their digital footprint on-line.
As you can appreciate, the above noted MSNBC hypothetical profile contains way too much information that a predator can use to Social Engineer a potential target. Although this was a hypothetical profile, all you have to do is go visit Facebook, Nexopia, Google + or MySpace to see the real thing. Obviously many of our youth, and young adults, who create their own social networks and Blogs, do not understand the dangers of too much information, and how the Internet predator can and will use their information to his advantage. Social Networks are cool places to surf, and interact with friends and people of similar interests from around the world. Having said this however, not everyone is who he or she makes themselves out to be while on-line. Again, to emphasize this point, I would highly recommend that you and your family go to the Perverted Justice Web Site located at www.perverted-justice.com , and have a look at those who they have helped law enforcement to arrest, for arranging face-to-face meetings over the Internet with boys and girls under the age of consent, for the purpose of sexual relations.