Facebook login screen

Social engineering attacks via social media: How to spot them and how to protect yourself

By X-51 | Miscellaneous Debris | 22 Jul 2020


Anybody who has been on Facebook for more than a month (possibly other social media too, but this is where I see them) has probably seen one of these things going around - a quiz asking you to list out some random details about your favourite colour, favourite food, first job, etc.

Some may have even taken part in them - I know I have, once or twice.

 

But did you realize at the time that these quizzes are a form of social engineering which can be used by the wrong people in an attack on you - whether it be a direct attempt to hack a bank or similar account, or an attempt at identity theft?

I'm not saying all of them started with this intent - some of them may have begun as a purely fun way to share some craziness about yourself. But even if there are only the best intentions behind a post like this, any time you expose personally identifiable information it can be used against you.

 

How to spot them

Many of them are easy to see - they are mostly pretty similar, just a list of fluff questions with a few more poignant questions mixed in, often with a message about how fun it will be getting to know your friends. But the real "fun" comes when an attacker uses this information against you!

 

Others will give a "What's your superhero name?" kind of question, with usually two lists of points that translate to a funny name when combined. Eg. it might have birth months as one, which gives a prefix (January: "The Incredible", February: "The Amazing", etc.) and a list of favourite colours as the suffix (Green: "Stupidface", Blue: "Bungler", etc.), so if your birthday was February and your favourite colour was green you would be the The Amazing Stupidface.

But realize this - your little joke name is easily interpreted back into meaningful data by an attacker!

It would only take a very short amount of time to create a web scraper that you could point at a Facebook post, and it goes through the comments one by one and converts a comment from eg. Joe Nobody saying "The Amazing Stupidface" back into a record of your name, your Facebook profile id (to tell you apart from every other Joe Nobody in their gathered data), your birth month, and your favourite colour.

 

But there are other versions too. For example where they ask something like "what's your rapper name? Your favourite book + the last thing you ate".

If you were to answer "The Power of One Pickle" (neither of which are true for me, just in case you are taking notes 😉) guess what? Now they know your favourite book is The Power of One. By extension they can take a guess that this means your favourite author is Bryce Courtenay. Attackers may even take note that you like pickles.

 

There may be yet other forms that I haven't seen too!

 

 

How to protect yourself

1 - Stay away

The most obvious, of course, is to just never do any of these little quiz-type things.

But you can still take part while remaining safe, if you are smart about it.

 

2 - Ensure your posts have restricted visibility

You should have your privacy settings configured so only friends can see your posts. This is obviously specific to Facebook, and your ability to limit post visibility on other platforms may differ.

But this isn't a perfect solution because you are trusting that you or your friends will never be hacked, that you will never accidentally accept a friend request from someone pretending to be a friend, that the platform will never be hacked, or that a bug will not expose your post. Any of these could inadvertently give somebody bad direct visibility to your answers.

 

3 - Answer intelligently by not really answering

Your next line of defense is to answer the quizzes strategically.

If the question is "what was your first car?" you don't answer with something like "red 1964 Chevrolet Corvette". Instead give a nonspecific answer like "fast, red, and sexy". This gives an attacker almost nothing - I say almost because they could still take note that you like red.

Giving ambiguous answers also works here. Given the question "what's your favourite colour", if you were to answer "depends on my mood" the attacker gains absolutely nothing.

 

4 - Ask intelligently

Finally, and not related to the quizzes but how to defend yourself from people who would take advantage of you, regardless of the source of their data - you should be strategic about your answers to security questions themselves.

 

If the website gives you the option to set a custom question you absolutely should use it. The answers to pre-generated questions like "what was your first car" or "what was your mother's maiden name" are often far too easy to obtain.

But what do you ask yourself?

Easy - ask yourself a trick question - a question that resolves around an in-joke, a reference with very limited exposure, and/or a question worded to sound like something different to what you are talking about. A question that sounds like it is about one thing, but is actually about something completely different is perfect.

 

Let's say you like football. (I'll make up some team names here) your favourite team are the Wanderers, but your favourite player, John Smith, used to kick for a team known as the Saints. So, ask yourself "Which was your favourite saint?" and answer with that player's name. But make sure you use his full name since St. John is an actual saint 😅

The same question could also be applied to a TV show (eg. All Saints for the Australians) or the musical group All Saints - but if you do use it like this, make sure it isn't your favourite TV show/musical group/movie/etc. otherwise there is a very easy logical shortcut around your trick since that is probably public information.

 

Also a great source of tricky questions is your own past experiences.

Let's say when you were young you broke your jaw, and at the time you were in a suburb of London called Hornchurch (I've never been there, just using it as a contrived example because of the name). A perfect security question from this accident would be "which church did I break my jaw in". Note that the question is worded in such a way that people will think you are talking about a building!

 

Now I'll give you a real-world example from my own life that proves just how possible it is to find a memorable but limited reference that can be turned into a security question. Obviously the fact that I am giving out this kind of information means I would never use it as a security question.

 

When I first moved out of home I lived with some friends in an apartment - one of these friends was already living there, we just moved in with him, but when he first moved into the place the front room of the apartment (which ended up being my room a couple of years later) had a red light globe installed. So our group had a running in-joke for a while that he had moved into a brothel!

 

This is the perfect situation on which to base a security question. But be aware that while some questions might sound great ("when did I move into the brothel" or "how old was I when I went to the brothel"), asking for a year or an age has an inherent flaw in that there are only so many answers possible in your lifetime that an attacker could theoretically go through very quickly.

A better question would ask "why", "how", "which", or "where":

"Why did I visit my first brothel" - "to live there"

"Where was my first brothel" - name of the suburb, or the address, or something

 

You could also flip the question on its end and ask "what was my first apartment better known as?", and the answer of course would be "the brothel".

 

And because this is all such memorable stuff to me, but limited to only a small handful of people who knew both myself at that time, and my friend when he had moved in, I will always know the answer (barring eg. brain damage or deterioration) while anybody else would have no clue.

 

But what if the site doesn't allow custom questions?

Don't worry - you may still be able to twist existing questions into a trick!

My first security question for a bank account (an account long since closed and a question for which the answer has changed, so I don't mind sharing it) was "what was your first car".

At the time I didn't have a car, so instead I used the lyrics from a band I really liked at the time - White Zombie. In the song Soul-Crusher they reference the movie A Clockwork Orange when the main character Alex states the make and year or model of his car - a Durango 95. So I used "Durango 95" as my answer.

A purely fictitious answer to a completely normal question - one I would not forget, but was highly unlikely someone could guess it.

 

I'm sure you can figure out your own trick questions for these things based on your own interests and past experiences - the possibilities are endless.

Always be wary, stay safe online, and don't fall into any traps for your personal data!

How do you rate this article?


2

0

X-51
X-51

Software developer, musician, photographer, traveler, crypto enthusiast


Miscellaneous Debris
Miscellaneous Debris

If it doesn't fit one of my other blogs, then it will end up here!

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.