A new cross-platform, Java-based Facebook proof-of-concept (PoC) data-mining plug-in could turn your closest friends into your worst enemies. Social engineering, anyone? The plug-in (created by a team at RISST), called “Facebook Pwn”, lets Facebook criminals (and normal users like us) steal personal profile information from any target of their choice on a social network, in this instance Facebook. A hacker would create a new blank Facebook account and then download Facebook Pwn (which is free).
The data-mining plug-in gives the hacker the ability to create “automated profile zombies”. This is how: a hacker downloads Facebook Pwn and then creates a new Facebook page. The data-mining tool will then send friend requests to a specified friends list (I call these ‘marks’). The plug-in will then clone a victim’s friend’s profile and automatically send the mark a friend request. The mark will accept the request, and now the mark’s personal information, images, posts, mobile, email etc. can all be harvested and used for further ‘friend attacks’. The captured data is then stored offline for examination.
This proof-of-concept hacking tool exposes Facebook’s verification system. It further highlights the ease with which Facebook profile data can be accessed and used for fraudulent purposes. Maybe Facebook should consider a ‘friending authentication’ option as an added layer of privacy/security. Only time will tell. Right now, make sure you know who you are friending; only then will you be well placed to avoid this type of threat.
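One way to make "know who you are friending" checkable is to flag an incoming request that looks like a copy of someone you are already friends with. The sketch below is an added example, not code from Facebook Pwn or from Facebook; the record layout, field names, photo hashes and thresholds are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

NEW_ACCOUNT_DAYS = 30   # assumed cut-off for a "new blank account"
NAME_THRESHOLD = 0.9    # assumed similarity cut-off for a cloned name


def _norm(name):
    # Lower-case and collapse whitespace so spacing tricks do not hide a match.
    return " ".join(name.lower().split())


def name_similarity(a, b):
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def clone_signals(request, friends):
    """Return reasons to verify a friend request out of band (empty = none)."""
    signals = []
    for friend in friends:
        if friend["id"] == request["id"]:
            continue  # same account as an existing friend, not a clone
        if name_similarity(request["name"], friend["name"]) < NAME_THRESHOLD:
            continue
        signals.append("name matches existing friend " + friend["id"])
        photo = request.get("photo_hash")
        if photo and photo == friend.get("photo_hash"):
            signals.append("photo matches existing friend " + friend["id"])
    # Account age only matters once the request already resembles a friend.
    if signals and request["account_age_days"] < NEW_ACCOUNT_DAYS:
        signals.append("account is newly created")
    return signals


# Constructed sample data (hypothetical record layout, not a real API response).
FRIENDS = [
    {"id": "u1001", "name": "Dana Whitfield", "photo_hash": "ph-a1"},
    {"id": "u1002", "name": "Marco Reyes", "photo_hash": "ph-b2"},
]
CLONE = {"id": "u9001", "name": "Dana  Whitfield", "photo_hash": "ph-a1",
         "account_age_days": 2}
STRANGER = {"id": "u9002", "name": "Priya Nair", "photo_hash": "ph-c3",
            "account_age_days": 2}

if __name__ == "__main__":
    for req in (CLONE, STRANGER):
        print(req["id"], clone_signals(req, FRIENDS) or "no clone signals")
```

Any non-empty result is a prompt to confirm the request with the real friend through another channel before accepting it.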
Safe surfing, folks!