Facebook's new Graph Search features create phishing wonderland

Facebook has announced new changes to the way Graph Search discovers information, including the fact that status updates, photos, check-ins, and comments are now included in search results. This new stream of information offers criminals developing phishing campaigns all-new attack surfaces to exploit.

On Monday, Facebook revealed the latest changes to their Graph Search function, a tool that allows people to search for specific content on the social network. Previously, Graph Search was limited to information on a person's profile or pages on the site, but now additional information, such as status updates, photos, check-ins, and comments will become discoverable as well. While these features are being touted by the social giant as a good thing, the risk they create is anything but.


This new stream of data offers a potential goldmine for criminals developing phishing campaigns, and for more experienced attackers, because searches can now focus on certain groups of people, from a given area, who are interested in, or have a relation to, a specific business, organization, topic, or hobby. It's even possible to filter results by time, allowing details from long-forgotten comments or posts to see the light of day once again.

The data that is returned for a given search is limited only by the privacy settings on the post itself, or the overall settings by the user or their friends. Unfortunately, many people are still on default settings. As such, their profiles -- including posts -- are set to be shared to a much wider audience than they may intend.

"Facebook has a long standing tradition of dragging users to share more information -- even if they don't ask," Trevor Hawthorn, the CTO of ThreatSim, told CSO.

ThreatSim is a company that focuses on spear phishing and awareness training. Earlier this year, the company released statistics for the Verizon Business Data Breach Investigations Report showing that the success of a given phishing campaign isn't hard to track, noting that it takes three emails before a target will click on a link or an attachment.

"Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice, and that probability goes up to 80%, and sending 10 e-mails approaches the point where most attackers would be able to slap a 'guaranteed' sticker on getting a click," the Verizon report explains.

Half of the clicks within a given phishing campaign will happen within 12 hours of the first e-mail being sent, but clicks alone do not equate to a successful compromise. However, the more focused the campaign, the stronger the overall odds of a compromise happening. This is why enhanced searching on Facebook could spell trouble, and why organizations and the people in them need to be mindful of protecting what they post.

"Facebook has always been useful for attackers to gather information about a specific target. Facebook Graph turns this on its head and allows an attacker that doesn't have a specific person in mind to browse and select several targets based on search criteria," Hawthorn said.

The changes to Graph Search will now allow for the construction of high-quality phishing messages, using specific search criteria, that the target may not realize is available.

"For example, I can now search for 'Asian Restaurants visited by people who work for the U.S. Department of State'. That produces highly specific results that allow me to choose from a list of targets," Hawthorn explained.

The data located via Graph Search is only as private as your friends [and you yourself] want it to be, Hawthorn added. Even if your details are locked down, check-ins and image tags or post tags still offer more insight than was previously available. When compared with the data from other social services such as LinkedIn, an attacker will now have stronger odds when targeting a person or organization.

"Before Facebook Graph, the attacker would have to dig deeper and infer a lot about a target's interests, likes and employer. With Facebook Graph it's easier to search for and find the answers to those questions -- from the target himself," Hawthorn said.
