Sometimes social networking makes social engineering very easy.
A California man faces six years in prison for using personal information found on women's Facebook profiles to take over their e-mail accounts, steal nude pictures of them and sometimes even blackmail them. One victim likened it to "virtual rape."
George Samuel Bronk pleaded guilty in Sacramento Superior Court Thursday to seven felony charges, including computer intrusion, impersonation and possession of child pornography.
The charges stem from a nine-month period ending in September, during which Bronk hijacked the e-mail accounts of hundreds of women across 17 states and in England, the Sacramento Bee reported.
A press release from the office of Kamala Harris, California’s attorney general, says Bronk targeted his victims by searching Facebook for women who posted both their e-mail addresses and also personal information such as their favorite foods, their father’s middle names, their high-school mascots and their favorite colors.
Such details are routinely used in "identity challenges" when changes are made to online personal accounts. "Social engineering" scams, such as phishing scams, are designed to trick the victim into revealing this sort of information — but Bronk found it all right there on Facebook.
With it, Bronk could pose as a legitimate e-mail user, hit the "Forgot your password?" button, pass the identity challenge, change the password to one of his own and take over the e-mail account, locking out the victim.
And then the problems would begin.
Bronk, 23, searched hundreds of “sent mail” folders for any nude photographs or videos. If he found any, he'd often sending the most scandalous or pornographic pictures to the women’s contacts lists, or would contact the victims directly and threaten to make the pictures public unless they sent him even more revealing ones.
In some cases, he'd go back for seconds. After he'd taken over an e-mail account, he'd e-mail Facebook from it and tell the company he'd forgotten the victim's Facebook password -- and then take over the woman's Facebook account as well.
In October, when police confiscated Bronk’s computer and arrested him, they found more than 170 files of explicit photographs stolen from e-mail accounts he had hijacked.
The Attorney General’s office and the California Highway Patrol used location-tagging information to help identify victims, and e-mailed 3,200 questionnaires to women who may have been targeted. Forty-six women replied that they had been victimized.
Bronk has been held on $500,000 bail since October, and will return in March for his sentencing.
This security breach highlights the problems websites face in trying to authenticate their users. Thanks to social-networking sites, it's now easy to find out someone's mother's maiden name or the street he or she lived on as a child, yet that's exactly what hackers would need to know to pass an identity challenge.
Security experts say the solution is simple, if a bit confusing: Use fake information to fill in the answers to identity-challenge questions when setting up or changing an online account. If you grew up on Elm Street, say instead that you grew up on "55a55afra55." Your mother's maiden name could be the same thing. Just don't put your real password in there.
And as always, people are advised to limit the amount of personal information they post online.