Using a very basic social engineering tactic, it's possible to get just about anyone to "friend" you on Facebook.
Nelson Neto, chief security officer for the Brazilian security firm UOLDiveo, proved the point, demonstrating his method for leveraging a target's Facebook and LinkedIn contacts to get that person to friend him in less than 24 hours, Ars Technica reported. He demonstrated his social-engineering prowess at last month's Silver Bullet security conference in Sao Paulo.
To show just how susceptible Facebook users are, Neto chose as his target someone who should have been knowledgeable about Facebook's privacy risks and more than wary of unsolicited friend requests — a Web security expert. He called her "SecGirl," and, using details from LinkedIn, created a fake profile cloning the Facebook page of her manager.
Neto first sent out 432 friend requests to the manager's friends; in an hour, 24 were accepted, even though 96 percent of those friends already had the legitimate manager in their contacts list. In the next hour, Neto added 14 of the manager's 436 direct friends, and sent another batch of friend requests to 580 of SecGirl's friends. In total, it took a little more than seven hours for SecGirl to accept the friend request from Neto's fake profile.
"People have simply ignored the threat posed by adding a profile without checking if this profile is true," Neto said in an interview with Brazil's UOL Noticias. "Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility."
Facebook scam-spotting site Facecrooks reported that SecGirl added Neto's fake profile to her friends list even though she already had her real manager as a Facebook friend.
"Now, ask yourself, are you really sure about the people on your friends list?" Facecrooks wrote. "Could there be a thief, scammer or hacker lurking within your inner circle? Have you personally verified that the people you added are really who they say they are?"
Among the complications that could arise from friending a fake profile is the possibility that the fraudster could eventually take over your account. Neto said the same social-engineering trick that got SecGirl to accept his friend request could be used to exploit Facebook's new password-recovery "Trusted Friends" feature.
Rolled out in early November, Trusted Friends allows you to designate five friends who will receive a security code if you are ever locked out of your account. If you can get a stranger to add you to their contacts list, it's possible that in selecting their trusted friends, they could mistakenly choose you.
Even without designating them as Trusted Friends, your Facebook friends might have a lot more access to your information than the general public. It wouldn't take long for a fake "friend" such as the one Neto built to gather enough personal data to steal your identity.