facebook

Facebook  has revamped the way its users share information with third-party applications and Web sites in an effort to make the process easier, the company said Wednesday.

With the changes, a new permissions box will pop up whenever a Facebook user installs a new application or first logs into an external Web site through their Facebook account, wrote Bret Taylor, the social-networking site's CTO, in a blog post.

About 550,000 applications work within Facebook and about 1 million Web sites are integrated with the site, Facebook said.

"In order for these applications and Web sites to provide social and customized experiences, they need to know a little bit about you," Taylor wrote. "We understand, however, that it's important you also have control over what you're sharing."

Hackers have flooded the Internet with virus-tainted spam that targets Facebook's estimated 400 million users in an effort to steal banking passwords and gather other sensitive information.

The emails tell recipients that the passwords on their Facebook accounts have been reset, urging them to click on an attachment to obtain new login credentials, according to anti-virus software maker McAfee Inc.

If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said on Wednesday.

Hackers have long targeted Facebook users, sending them tainted messages via the social networking company's own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.

Italian police have used social networking site Facebook to track down and capture one of the country's most-wanted fugitive mafia suspects.

Pasquale Manfredi, accused of being one of the top figures in the 'Ndrangheta mafia, was found in Calabria.

The 33-year-old, who faces charges of murder, mafia association and drugs trafficking, was traced via his network of Facebook contacts. Reports suggest he called himself Scarface, after the film character.

According to Italian newspaper La Repubblica, he was arrested as he tried to escape from the roof of the apartment complex near the southern city of Crotone.

Believed to lead the 'Ndrangheta in the southern town, Pasquale Manfredi is also accused of possessing illegal armaments, including heavy weapons.

A class action lawsuit has been filed against Facebook over changes that the social networking site made to its privacy settings last November and December.

• you, your networks,
  
• your whereabouts,
  
• interests,
  
• religion,
  
• political views,
  
• who you know,
  
• who you communicate with most,
  
• how you communicate,
  
• what you say
• to whom you say it
• and so forth...
  

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point is valuable to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adopt? The Young? The Old? The Wise? Or heaven forbid - me?

----

More on Facebook:

• Facebook open to ID-theft
• Howto use Facebook to gather Intelligence, Part 1
• Howto use Facebook to gather intelligence, part 2
• Facebook exploited

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of minimum 10 000 e-mails with only 5 minutes work.

This is part two of the How-to about collecting information of potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistency.

BONUS: Build a complete victims profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

Why do you want this? Simply by making your victims advertising the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to get the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

• interests
• books read / enjoyed
• favourite quotes
• marriage status, birthday, age
• friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start notice that you can start to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

• Looking for “easy” offers for sex or violence. Just read the newspapers.
• Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
• Selling the information (spammers, criminals)
• ID-theft – the more I know, the easier it is to learn more about you
• Intelligence – companies, criminals and countries collect information that might be useful in the future
• Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See where I am getting? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work!

In addition, this How-to will help you collect additional information about your target: like photo; full name; list of friends; and potentially also mail address; phone numbers and list their favourite books.

So let’s get on with it!

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to; Yahoo Mail; Google Mail; or any other free web based e-mail services out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later one!

You do not want to use your own name, though, but you knew that, right?

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility.

TIP: You may consider using a western name, preferably a woman name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this group. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Yes, I noted more realistic above, I know…But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one count as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do now that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other side, when you get the e-mail, you got plenty of opportunity to ask for more later on too.

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voila – now you got a large amount of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!

6. Collect and use

Now you have a large amount of e-mails on your account, it is time to download and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourit), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool.

And as e-mails keeps coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrages offers of pills, lottery winners and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us uses these services on a regular basis (daily, hourly, or even every moment of the waking hours). 

I for one is a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that is enabled through such services. 

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile, automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing it claims to do. Still, imagine a business manager sitting on 10s of thousands of users and their data, in need for money. It would be extremely easy to use the data already harvested,  as well as rewrite the application to be more aggressive in it's harvesting. 

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you normally only would share with friends only.   

---

In enters the Social Engineer. Uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth. 

Perhaps one day he bumps in to you at the local mall. Or calls you because "someone said that you could be interested in ..." 

Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)