Friend-Mapping: How the Ashley Madison Hack and Social Engineering Were Used to Access Facebook Accounts and Blackmail Victims
If the Ashley Madison hack taught anyone anything, it’s that even your darkest secrets aren’t safe on the Internet, no matter how long you’ve kept them hidden. Ashley Madison is an online dating site marketed to people who want to have an affair. The company always promised its users extreme discretion, until its entire database of user profiles was downloaded and published on the Internet. It is considered one of the most damaging breaches to date, not because of the millions of profiles exposed, but because the exposure led to blackmail and broken families.
A Brief Background on the Data Breach
The attack happened in July 2015. The hackers initially attempted to blackmail Ashley Madison’s parent company, Avid Life Media: their demand was that the company shut down the Ashley Madison site or the user data would be exposed. Avid Life Media refused, and the following month more than 60 gigabytes of data was released over BitTorrent.
After the database was exposed, several people built websites that let the public search it for a spouse’s or partner’s account. Ashley Madison had charged an additional fee to delete a profile, but the breach proved that profiles were never truly deleted. Spouses and partners could find their significant other’s account with a simple, free search.
Ashley Madison let users create profiles without any kind of email confirmation, so anyone could sign up with an address they did not own. That also means someone could register another person on the site without their knowledge, which is one reason the damage went beyond exposing adulterers: a person who had never used the site could still appear in the dump because an ex-girlfriend, ex-boyfriend or angry colleague had signed them up under their address.
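Typing your email address into a random “was I in the breach?” site is itself a disclosure: the site now holds a list of people who were worried enough to ask. As an added illustration (not code from the original article or from any of the search sites it mentions), the following Python shows how such a lookup can be built so the search service never receives the full address. The client hashes the address, sends only the first five hex characters, and matches the returned suffixes locally; this is the same range-query idea that Have I Been Pwned uses for its password checks. The leaked list is a constructed sample, and `BreachIndex`, `is_exposed` and the other names are assumptions for this example.

```python
import hashlib

# Constructed stand-in for a leaked user table; these are not real breach records.
LEAKED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

PREFIX_LEN = 5  # 20 bits of the hash are sent; the remaining 140 bits stay on the client


def normalize(email: str) -> str:
    """Breach dumps and users disagree on case and whitespace; compare canonical forms."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """SHA-1 is used only as a deterministic lookup key here, not for secrecy:
    anyone can hash a guessed address and compare."""
    return hashlib.sha1(normalize(email).encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Hypothetical search-service side: stores hashes only and answers prefix queries."""

    def __init__(self, emails):
        self._hashes = {email_hash(e) for e in emails}

    def range_query(self, prefix: str):
        """Return every stored hash suffix whose hash starts with `prefix`.
        The service learns 20 bits about the queried address, never the address."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        return sorted(h[PREFIX_LEN:] for h in self._hashes if h.startswith(prefix))


def is_exposed(index: BreachIndex, email: str) -> bool:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    full = email_hash(email)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in index.range_query(prefix)


if __name__ == "__main__":
    index = BreachIndex(LEAKED_EMAILS)
    for addr in ("Alice@Example.com", "dave@example.com"):
        print(addr, "->", "exposed" if is_exposed(index, addr) else "not found")
```

Two caveats a practitioner should keep in mind. First, the prefix still narrows the querier’s address to about one in a million, so this is privacy from the search site, not anonymity. Second, the returned suffixes reconstruct full hashes, and a hash of an email address can be brute-forced from candidate addresses, so the scheme protects the person asking, not the people in the dump; in the Ashley Madison case the dump was already public, which is exactly why those search sites existed.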
How Social Engineering Hackers Turned the Ashley Madison Hack into Blackmail
Since the entire user profile database was downloadable over BitTorrent, attackers could harvest millions of names and email addresses of possible adulterers. With that list in hand, the social engineering attack could begin.
The first step is to search for the user’s name and email address in Google. Since most people use Facebook for social networking, the search often turns up the user’s Facebook profile. If the user’s Facebook privacy settings are loose, several pieces of information can be read straight from the profile: current location, likes and dislikes, relationship status, college and, most importantly, the friends list. The friends list is the key piece of the attack.
Next, the attacker creates a fake account that reuses some of the target’s own details: the same college, the same location, perhaps membership of the same groups. The attacker then sends friend requests to the target’s friends. Most people do not verify a profile before accepting a request; they accept and assume the requester is an acquaintance or a distant relative. This is the first mistake people make with social network privacy and security.
Once the fake profile has collected a set of the target’s friends, the attacker sends a friend request to the target. When Facebook delivers a friend request, it shows how many friends you have in common, and when people see several mutual friends they tend to accept, assuming the requester is a mutual acquaintance. The attacker can now read the target’s friends-only posts.
With friend-level visibility into the target’s profile, the attacker can collect more information, including the spouse and family relations listed there. Each piece is then used to gather more: the target’s home address or employer, interests, and the places the target frequents.
Many people’s Facebook user name (the part after facebook.com/) is the same as the local part of their email address. The attacker can try sending email to that user name at common providers, and can do the same for the user names of the target’s spouse and family members. Any address that delivers can later be used for the blackmail threat.
The attacker then emails the target with the gathered information and demands a fee to avoid exposure. The message lists the spouse’s and friends’ details so the target knows the threat is serious. Reported demands range from a few hundred to a few thousand dollars, and if the attacker judges that the target has a high public profile, the demand can run to several thousand. Some targets pay because the cost of exposure is far higher.
What You Can Do to Protect Yourself from Facebook Social Engineering
The ethics of exposing cheaters are debatable, but everyone deserves privacy on the Internet, and blackmail is not the only reason an attacker wants into a Facebook account. Social engineering is used to trick users into transferring money, to phish for information, and to mine friends’ accounts for details about a person for later malicious use.
Facebook gives you fine-grained control over what is public and what is private. Hide whatever you can, and hide your friends list above all, since it is what the attack described above depends on. Treat your Facebook user name as public information, and be suspicious of unexpected emails that ask for private information such as a user name or password.
Never reuse your Facebook password for other accounts such as banking and email. Facebook accounts are a huge target, especially for phishing and other social engineering, so a Facebook password is comparatively likely to be stolen. If an attacker obtains a reused Facebook password, they can log in to your email, banking and ecommerce accounts, and with control of your email they can reset the passwords on everything else.
Don’t put too much of your information online. It can be used to guess the security questions that reset your password. For instance, if your favorite college is Duke, don’t plaster “Duke” all over your social profiles and then use your favorite college as a security answer on your accounts. That leaves the account open to takeover without the attacker ever knowing your password.
If an account offers two-factor authentication, turn it on. A second factor greatly reduces the chance that an attacker can get in even with your password. Google, for instance, offers two-factor authentication for Gmail accounts.
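To make concrete why a second factor stops a stolen password from being enough, here is an added example (not code from the article, from Google, or from any provider) of the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps such as Google Authenticator implement, paired with a toy login check that requires both the password and the current code. The `enroll` and `login` helpers, the account record layout and the “hunter2” password are assumptions for illustration; the HOTP/TOTP arithmetic follows the RFCs and reproduces their published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second time step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/-`window` neighbours to absorb clock drift.
    Constant-time comparison so a wrong code does not leak how wrong it was."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(key, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def generate_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(username: str, password: str, totp_secret: str = None, salt: bytes = None) -> dict:
    """Hypothetical account record: salted password hash plus the TOTP secret.
    `totp_secret` and `salt` are injectable only so the example is reproducible."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    secret = totp_secret if totp_secret is not None else generate_secret()
    return {
        "user": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": secret,
    }


def login(account: dict, password: str, code: str, at_time: float = None) -> bool:
    """Both factors must pass; a phished or reused password alone is rejected."""
    if at_time is None:
        at_time = time.time()
    password_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    code_ok = verify_totp(base64.b32decode(account["totp_secret"]), code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    acct = enroll("alice", "hunter2")
    now = time.time()
    good_code = totp(base64.b32decode(acct["totp_secret"]), now)
    print("password + current code:", login(acct, "hunter2", good_code, now))
    print("stolen password, no code:", login(acct, "hunter2", "000000", now))
```

The attacker in the article who guesses or phishes a password still fails the `login` check without the rotating code, which lives on a device they do not hold. Note what the scheme does not defend against: a phishing page that relays both the password and the current code in real time still works within the 30-second window, which is why hardware keys and origin-bound methods are stronger than codes.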
The final step is to monitor your accounts continuously. Keep track of login activity: many services show the date of your last login and a list of active sessions or devices, and you should review these for anything you don’t recognise. If you receive a login alert by email, sign in immediately and change the password. If it’s a bank, call the bank, change the password, and consider freezing any credit cards.
You can’t protect a profile completely, but you can take the necessary steps. Ashley Madison was just one site; attackers can mine any number of breached databases in the same way. A few precautions and a little common sense go a long way against social engineering.