What is Social Engineering ?
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).
It is often neither security loopholes nor password cracking that allow people access our private information on Facebook without our approval. It’s actually our own human nature: the trust of a friend’s name.
Whether you like Facebook or not, the truth remains that Facebook is one of the best mainstream websites around when it comes to providing options with which you can protect your privacy. Every time anyone discovers a new method for hacking private information, the guys at Facebook patch it the next day. What their security engineers cannot do though is teach the users to tell a social engineer apart from a friend.
And that’s why you need to be aware of this: the easiest way to hack Facebook today is by borrowing a chapter from psychology class. Hackers are not hacking as programmers anymore, they’re hacking as social engineers.
Huh
Using Social Engineering to Hack Facebook
The hacker wearing his social engineer shoes will probably do something like this:
1. Learn Who Your Friends Are and Collect Them
If your friend list is public, this social hacker, who we will call “Schmuck”, will first familiarize himself with your friend list. Then, he will choose a friend of yours, which we will call “Buddy”, who has enough mutual friends with you.
Schmuck will steal the identity of Buddy, by creating a profile with the same username and profile picture. He will then send friend requests to the mutual friends between you and Buddy (excluding yourself) and pretend that his original account was hacked.
Schmuck now starts the process of collecting confirmed friend requests.
2. Social Pressure You Into Accepting Him
Once Schmuck has a good enough number of your unaware friends on his list, he will go for the big fish: Schmuck will send you a friend request, using Buddy’s fake identity. Given that a) it appears to be your friend, b) your mutual friends have this person on their lists as well, and c) Schmuck sent a nice little paragraph explaining how he lost his password and had to start a new account, you will probably accept.
3. Gloat at Accessing Your Profile
Schmuck has obviously succeeded in accessing a private profile. If his initial purpose was snooping in your private life, you probably have nothing to worry about, except for some embarrassment. That might not be his purpose though…
4. Hack Facebook Account/Send a Virus
… there are good chances that Schmuck went through all this trouble to do something slightly more evil than just snoop; such as steal your password or send you a virus. He might send you a very unassuming message with a link that leads you to a Facebook sign-in page, which many people would use to re-sign in as they would attribute it to expired cookies. This sign-in page would record your log in info, which Schmuck will use to send a similar link or links to other compromised sites to your friends.
Protect Yourself
So, as you can see, the most human side of hacking is just as dangerous as the more geeky one. Protect your Facebook account to avoid Schmuck and other schmucks like him by being careful with which friend requests you accept, verifying with your friends in case you get an email that claims a lost password, double checking the url of any page that requests you to log in again, and never disclosing personal data online.