Have you ever received a connect request on LinkedIn, or a friend request on Facebook, from someone you don’t know who nevertheless seems to be well connected to some of your own connections or friends? Welcome to social medineering.
I use the (very non-inspirational and probably annoying) term “social medineering” to describe how social media are used to social engineer you. The method is simple and is based on trust: the trust we place in people even when we shouldn’t.
Using Facebook as an example (but feel free to substitute the equivalent LinkedIn terminology and see that it is no different), here is how it works:
The attacker identifies a person who has quite a lot of friends and/or accepts friend requests often, without thinking too hard about who they are connecting to. People like that exist, and we are all connected to at least one of them. Once the attacker is a friend of your friend, he is a step closer to you: he can now see whatever you share with “friends of friends”. By simply comparing friend lists, he can identify more of your friends, the ones you and the initial victim have in common. And here is the interesting part: if a person is already a friend of a friend, people are more likely to befriend him. Eventually, once he has two or three friends in common with you, he sends you a friend request. Seeing that he really is friends with some of your friends, accepting his request just makes sense. Now the information you share only with friends is available to the attacker too. So long, Facebook privacy and security settings, it was nice to have you around!
Is it really that easy? Yes, it is. I have personally been “attacked” like that 5 times - twice on LinkedIn and three times on Facebook. Is it dangerous? It depends on what you post on your social media. On LinkedIn, I only find it annoying when salespeople use that trick to be able to message me (without purchasing InMails). On Facebook, given the information I share, it may become more dangerous. Viruses and Trojans spread through Facebook messages are also quite common. So be careful.
What can you do?
a) Use common sense and evaluate whether a connection to you is plausible. If someone is simultaneously friends with a university schoolmate of yours and with a relative who is several years younger, it looks quite strange. If someone is friends with two of your friends who live in different countries, that should raise some concern. In general, check whether your “common friends” fit a logical pattern.
b) Avoid being the weak link. Do not accept random friend requests from people you do not know. You’re just opening a door for your network of friends to be attacked or harassed.
c) If you have fallen for this scam, unfriend or disconnect from the person the moment you realize the problem. That way you are protecting your friends (and your reputation, for what it’s worth).
d) The obvious: don’t befriend or connect with anyone you do not personally know. This, of course, works against the usability of some social networks, but it is always an option: making your social network less virtual and more physical.