Facebook 'stalker' tool uses Graph Search for powerful data mining

Even if a person has locked their profile, their interactions with others is telling, say Trustwave researchers

Trustwave researchers also wrote GeoStalker, a Python script that gathers data from web services tagged with certain location coordinates.
Trustwave researchers also wrote GeoStalker, a Python script that gathers data from web services tagged with certain location coordinates.
  • Trustwave researchers also wrote GeoStalker, a Python script that gathers data from web services tagged with certain location coordinates.
  • FBStalker, a Python tool from Trustwave, automates querying Facebook's powerful Graph Search engine and returns a range of data on people even if their profile is locked.
  • Jonathan Werrett of Trustwave
  • Keith Lee of Trustwave
View all images

When a high-profile public figure living in Hong Kong hired the security company Trustwave to test if its experts could get his passwords, they turned to Facebook.

While the dangers of sharing too much data on Facebook are well-known, it is surprising how little data can give hackers a foothold. The man gave Trustwave's team no-holds barred permission to try and snatch his data, a so-called "Red Team" test.

"We found out through Facebook who his wife was," said Jonathan Werrett, a managing consultant for Trustwave's SpiderLabs in Hong Kong. "We found out through her likes -- her public likes -- that she ran a pilates studio. We could then send a phishing email to her based around the fact that she ran a pilates studio that was hiring."

The man's wife opened an email with a video demonstration of the bogus job candidate conducting a class. The malicious attachment infected her computer with malware, which gave Trustwave's analysts access, known as a spear-phishing attack.

The computer she was using was a hand-me-down from her husband. The passwords he wished to protect were in the Apple computer's keychain, so the hacking exercise "turned out to be a lot easier than we otherwise expected," Werrett said.

Mining small details from Facebook has become even easier with Graph Search, the site's new search engine that returns personalized results from natural-language queries. Graph Search granularly mines Facebook's vast user data: where people have visited, what they like and if they share those same preferences with their friends.

Graph Search immediately prompted warnings from security experts, who said its powerful data aggregation abilities could make people uncomfortable even though the exposed data is public.

For penetration testers as well as bad guy hackers, Facebook is invaluable for spear-phising attacks. But Werrett and his colleague, SpiderLabs security analyst Keith Lee in Singapore, wanted an automated way to quickly amass information using Graph Search.

So Lee wrote "FBStalker," a Python script he and Werrett debuted Thursday at the Hack in the Box security conference in Kuala Lumpur. In its current form, FBStalker runs in the Chrome browser on OS X, entering queries into Facebook's Graph Search and pulling data. They used FBStalker in the attack against the man in Hong Kong.

Even if a person's profile is locked down to strangers, their friends' open profiles can be examined, giving an indication, for example, who the person may be close with. FBStalker uses Graph Search to find photos in which two people are tagged in, comments on profiles and more.

An analyst could do that by manually using Graph Search, but it would require going through hundreds of pages of comments, Timelines and photos, Werrett said.

"It's basically not feasible for a human to go to the depths that FBStalker script does," he said.

In a slide presentation, Werrett and Lee showed how FBStalker collected data on Joe Sullivan, the company's chief security officer.

FBStalker showed places where Sullivan had been and infer who some of his friends are based on pages he had liked and commented on. Some of the information collected by FBStalker is plainly visible on Sullivan's page, but his friends list is not visible to outsiders.

Werrett and Lee also introduced at the conference "OSINTstalker," another Python script that Lee wrote which can be used for remote site reconnaissance as part of physical security tests.

GeoStalker takes an address or a set of coordinates and searches for any data geotagged with the same values, such as photos from Instagram or Flickr, messages on Twitter, FourSquare data and even wireless networks indexed by the Wigle database. It also pulls usernames for social networking accounts linked to the location.

When TrustWave is doing a Red Team test "it gives us a whole bunch of stuff that is quite useful," to mount an attack, Werrett said.

"No one is going to turn back the tide of people posting things to Facebook that potentially could be valuable in somebody else's hands," Werrett said. "If you want to walk away with a lesson, the lesson is that even if you're protecting yourself, what other people are doing with your information, your friendships, your comments and things like that can still be leaked."

"Maybe people will think twice before commenting on someone's drunken photos," he said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

Conversations over a cuppa with CMO: ABC's Leisa Bacon

In this episode of Conversations over a Cuppa with CMO, ABC's director of audiences, Leisa Bacon, shares how she's navigated the COVID-19 crisis, the milestones and adaptability it's ushered in, and what sustained lessons there are for marketers as we start to recover.

More Videos

Zero proof spiritsUsa since 2011 www.arkaybeverages.com🤪🤟

Sylvie

How this alcohol-free spirits brand rode the health and wellness wave

Read more

okay this a good newsmaybe i gonna try it

kenzopoker1

CMO's top 8 martech stories for the week - 9 July 2020

Read more

Very insightful. Executive leaders can let middle managers decide on the best course of action for the business and once these plans are ...

Abi TCA

CMOs: Let middle managers lead radical innovation

Read more

One failing brand tying up with another failing brand!

Realist

Binge and The Iconic launch Inactivewear clothing line

Read more

I am 56 years old and was diagnosed with Parkinson's disease after four years of decreasing mobility to the point of having family dress ...

Nancy Tunick

The personal digital approach that's helping Vision RT ride out the crisis

Read more

Blog Posts

MYOD Dataset: Building a DAM

In my first article in this MYOD [Make Your Organisation Data-Driven] series, I articulated a one-line approach to successfully injecting data into your organisation’s DNA: Using a Dataset -> Skillset -> Mindset framework. This will take your people and processes on a journey to data actualisation.

Kshira Saagar

Group director of data science, Global Fashion Group

Business quiet? Now is the time to review your owned assets

For businesses and advertiser categories currently experiencing a slowdown in consumer activity, now is the optimal time to get started on projects that have been of high importance, but low urgency.

Olia Krivtchoun

CX discipline leader, Spark Foundry

Bottoms up: Lockdown lessons for an inverted marketing world

The effects of the coronavirus slammed the brakes on retail sales in pubs, clubs and restaurants. Fever-Tree’s Australia GM Andy Gaunt explains what they have learnt from some tricky months of trading

Andy Gaunt

General manager, Fever-Tree Australia and New Zealand

Sign in