By Jason Jordaan | Principal Forensic Analyst | DfirLabs
I have a confession to make. I have been on Facebook for quite some time now, and it is a great way to stay in touch with family and friends around the world, and to share your favourite moments with them. It is a place for news and events, for buying and selling, and everything in between. It is also a place where we are entertained and play. Facebook currently has about 2.7 billion active users a month worldwide. When one considers that the human population is about 7.8 billion now, that means that about 35 percent of humans are active Facebook users. It is a pretty good bet that many of you are active Facebook users.
I don’t know about you, but I am constantly getting requests from my friends on Facebook to play some or other quiz game, or to take part in some form of “getting to know you” post, where people share answers to seemingly random questions, all in the name of fun. Surely there is no harm in doing any of this, is there?
A key aim of many cybercriminal groups is to obtain user credentials, which means getting your username and your password. Getting a username is trivial these days, because it is usually your email address or a handle you display publicly, but getting a password can be much harder. However, hard does not mean impossible. A tactic used by attackers is to avoid the password entirely and reset it instead. One of the ways to reset a password is to answer a security question. Security questions are a form of knowledge-based authentication: the system assumes that only you know a particular fact about your life, so anyone who knows that fact can pass the check. While these are gradually being replaced with better mechanisms, there are still systems out there that use them to reset passwords. If I know your username and I want to reset your password, I simply choose the option to reset it using the security question you set up when you established the account. I am prompted for the answer, and if I get it right, I get to set a new password, and now I own the account.
The key to succeeding with this type of attack is knowing your answer to a particular security question. The easiest way to learn it is to get you to simply give it to me, and that brings me back to Facebook. I want you to think long and hard about the quizzes you participate in and how much personal information you share with these “games”. How many of the answers could also be answers to security questions? First pet, mother’s maiden name, the street you grew up on, your first car, your favourite teacher: these are the classic security questions, and they are also the classic quiz questions. The sad reality is that some of these games and posts, while appearing innocent, may be a social engineering attack by cybercrime groups. They are simply asking you for the keys to your account, and you are handing them over. If you are going to do that, you really need to ask yourself why you don’t just give them your password. You would never do that, so why would you give them the answers to your security questions? If a service still forces you to set security questions, treat the answers as passwords rather than facts: make them random strings, keep them in your password manager, and turn on multi-factor authentication so that a single harvested answer is never enough on its own.
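To make the reset flow from the two paragraphs above concrete, here is an added example, not code from the original article or from DfirLabs. It models two versions of a security-question password reset and replays a constructed “getting to know you” post against both. The weak version behaves the way the article describes (a real-life fact as the answer, stored in clear text, unlimited attempts). The hardened version treats the answer as a secret: a random string issued at enrolment, only a salted PBKDF2 hash stored, constant-time comparison, and a lockout after a few failures. All names (`WeakAccount`, `HardenedAccount`, `QUIZ_POST`, the user “alice”) are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not taken from the article: answers a user volunteered in a
# public "getting to know you" post, keyed by the prompt they answered.
QUIZ_POST = {
    "first pet": "Rex",
    "mother's maiden name": "Smith",
    "city you were born in": "Durban",
    "favourite teacher": "Mr Naidoo",
}


class WeakAccount:
    """Reset flow as the article describes it: one correct answer resets the password.

    The answer is a fact about the user (harvestable from a quiz), stored in clear
    text, compared with a forgiving string match, and attempts are never limited.
    """

    def __init__(self, username: str, question: str, answer: str) -> None:
        self.username = username
        self.question = question
        self.answer = answer
        self.password = "original-password"

    def reset_password(self, answer: str, new_password: str) -> bool:
        if answer.strip().lower() == self.answer.strip().lower():
            self.password = new_password
            return True
        return False


class HardenedAccount:
    """Same flow with the answer treated as a secret rather than a fact.

    - the 'answer' is a random string issued at enrolment (nothing a quiz can ask for)
    - only a salted PBKDF2 hash of it is stored, and it is compared in constant time
    - the flow locks after MAX_ATTEMPTS failures, so guessing is bounded
    """

    MAX_ATTEMPTS = 3
    ITERATIONS = 200_000  # demo value; raise it (or use Argon2/scrypt) in production

    def __init__(self, username: str, question: str) -> None:
        self.username = username
        self.question = question
        self.password = "original-password"
        self.failed_attempts = 0
        self.salt = secrets.token_bytes(16)
        # Issued once to the user, who keeps it in a password manager.
        self.issued_answer = secrets.token_urlsafe(16)
        self.answer_hash = self._hash(self.issued_answer)

    def _hash(self, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", answer.encode(), self.salt, self.ITERATIONS)

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= self.MAX_ATTEMPTS

    def reset_password(self, answer: str, new_password: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(answer), self.answer_hash):
            self.failed_attempts = 0
            self.password = new_password
            return True
        self.failed_attempts += 1
        return False


def attack_with_harvested_answers(account, quiz_post: dict,
                                  new_password: str = "attacker-chosen") -> bool:
    """Replay every value harvested from the quiz post as the security-question answer."""
    for harvested in quiz_post.values():
        if account.reset_password(harvested, new_password):
            return True
    return False


def demo() -> dict:
    """Run the harvested-answer attack against both designs and report what happened."""
    weak = WeakAccount("alice", "What was the name of your first pet?", "Rex")
    hardened = HardenedAccount("alice", "Enter your account recovery code")
    fresh = HardenedAccount("alice", "Enter your account recovery code")
    return {
        "weak_compromised": attack_with_harvested_answers(weak, QUIZ_POST),
        "weak_password": weak.password,
        "hardened_compromised": attack_with_harvested_answers(hardened, QUIZ_POST),
        "hardened_locked": hardened.locked,
        "hardened_attempts": hardened.failed_attempts,
        # The legitimate owner, holding the issued random answer, can still reset.
        "hardened_legit_reset": fresh.reset_password(fresh.issued_answer, "new-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the weak account the fourth harvested value, “Rex”, is never even needed; the first match wins and the attacker sets the password. Against the hardened account the harvested values are useless because the answer was never a fact about the user, and the third failure locks the flow so the fourth value is not tested at all. Note that lockout alone is not a fix: with a guessable answer the attacker often needs only one try, which is why the random answer matters more than the attempt limit.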