Facebook attacks get automated, says Imperva

According to research from Tal Be'ery, lead web researcher at Imperva, and Rob Rachwald, the firm's director of security strategy, Imperva has been talking for some time about the automation and industrialisation of hacking and how it is changing the face of cybercrime.

With the advent of social networking, they claim, hackers have turned to sites like Facebook to create another attack channel. However, the attacks seen to date have been typically manual, such as uploading malware or creating fake pictures of a dead Osama Bin Laden.

But, say the Imperva pair, social engineering may now be entering the next phase: automation. Recently, a new tool emerged which automates social engineering on Facebook. Unlike hacking software, this tool doesn’t demonstrate any new theoretical security vulnerability, but its existence proves the case that automated attacks on Web 2.0 services are a real threat, Infosecurity notes.

In use, the software sends friend requests to a list of Facebook profiles, and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder. In other words, say Be'ery and Rachwald, it automates the process of friending, sees who accepted and then collects all personal information in your profile as well as photos.

Although users quickly spot the 'friend' is a fake, by the time they do, the autobot has hoovered up their credentials from Facebook, say the Imperva pair, who note that the code was developed by a security firm in Egypt.

In fairness, says Imperva, it was only a matter of time before someone developed this technology but, the two researchers add, security professionals should not be acting as facilitators.

Unsurprisingly, they report, to date there have been around 5,000 downloads since the program code was made public a week ago.
