Social media has become a pervasive part of technological culture in the last decade or two. The need to feel connected, especially after experiencing the ramifications of COVID-19 in 2020, has made people more dependent on social media platforms in order to socialize and feel a sense of community. Many folks find themselves creating an online persona that may or may not accurately represent who they are in the "meatverse," but this representation can still offer perceptive people information that may not even be intended to be shared. This post is going to dive into the obvious and not-so-obvious disclosures people are making on Facebook every day and how that information can be weaponized.
If you're not a Gen Z cardholder, it's likely that you rely on Facebook as a main social media platform.
Being aware of what data resides in your "About" section on your profile, as well as what's in your bio, or where your profile picture was taken, are all things to consider when trying to maintain awareness of what sensitive information you could be broadcasting.
In an arbitrary Facebook search, I was able to find a profile that offers information publicly (not just to friends) that I could abuse if I was a social engineer:
I've redacted some of the finer details so as to not doxx this person, but in their overview alone I can gather enough corroborating data to start painting a picture. Specifying the dates of attendance for their high school offers me a granular age range if not a specific year of birth. Where they've lived and where they currently reside offers me "pivots." These pivots can work as 1. pieces of information I can use to confirm this person is the same person that comes up in other searches on data broker sites and 2. ideas of where else to look. Let me explain:
Corroborating Data
Let's say I'm trying to gather as much data as I can on "S". I look at their Facebook profile and see where they've lived, where they're currently residing, and the timeframe they attended high school, offering me a rough estimate of their age. If I take that information, and move over to a site like TruePeopleSearch, I can use this data to confirm that the "S" that comes up in those results is the same "S" I'm looking at on Facebook:
The "S" in these results has the same last name, the suggested birth year aligns with someone who would've started high school in 1968, and this person also lives in the Texas city listed on Facebook. Now that I've confirmed with moderate-to-high confidence that this is the same "S" I was researching on Facebook, I can add more information to the profile I've started to build on them. I now have a middle initial, a month and year of birth, and a phone number. These not only add to that profile but can serve as additional pivots for finding more information.
I can now go to the website associated with "S"'s current state and query voter registration records. Since I don't have a specific birth date, I'll have to run through each day until it returns a valid voter registration record:
Ideas of Where Else To Look
S's bio on Facebook mentions that he serves his community at a specific location.
Looking this location up, I'm able to find an entire biography that lines up with the data I already had from Facebook, but also goes as far as offering a specific birth date:
What now?
So what can we do with this information now? S didn't post anything egregiously sensitive about themselves; however, they give enough that we're able to build an entire profile on them with data that is often used to verify someone's identity when trying to make changes or updates to accounts. We have a full name, a birth date, an address, a high school, parents' names, prior residences, and a phone number.
I know, based on their Facebook and the biography I found, where S spends a lot of time. On the less labor-intensive end, a social engineer could simply call this establishment and, if there are any accounts S has access to, validate themselves as S and make potentially destructive changes or collect even more sensitive information such as an ID number, which could unlock more doors.
Data broker sites often disclose what phone company a phone number is registered with. Using that information along with the information gathered, a social engineer could call and make potentially disruptive changes to S's phone account. They could call and say "I can't seem to find my account number anywhere, could you please help me out with that?" After validating using the data they have, they can get access to this sensitive information.
How to Protect Your Data
Lock it down
Facebook offers varying levels of lockdown in its privacy settings:
This offers a somewhat granular approach to controlling what data is seen by whom. Being mindful of these settings and making sure they're not set to "Public" is imperative in limiting data exposure. It at least makes it a bit more difficult for a malicious actor to just grab your data all in one spot.
Make sure to also "Limit past posts." That 21st birthday picture from when you were in college 10 years ago that you forgot you set to "Public" so your crush could see it? Yeah, Social Engineer Samantha thanks you for giving her your birthday.
Turn the Page on Facebook
If this post freaked you out enough to where you want to burn it all down...it's sort of an option. Deactivating Facebook at least makes it such that the profile doesn't exist and someone can't just go on there digging for information and pivots. Your information could (probably most definitely) already be elsewhere on the internet, but at least it's not publicly there on a silver platter. I'll say this: when I'm running a social engineering engagement and I can't find a Facebook or a social media profile for that matter, it's one less source of information I can use to build a profile and corroborate data to solidify it.
What About Data Broker Sites?
Well...they're a thing. Unfortunately. Between sites and companies selling user data and public records being indexed and easier to access...your data is out there. As defeating and frustrating as that can feel, you have options to "opt-out" on many sites. Additionally, services that search for and reduce your data footprint are becoming more prevalent. I personally have not had enough experience with a big enough variety of them to offer suggestions of what to use, but I encourage you to search for (and corroborate the reputation of ;] ) those services to see if one works for you.