BlackBerry Blog

Social Engineering on Facebook

FEATURE / 10.16.17 / Kim Crawley

Facebook is not only the most popular social network, it's also a hotbed for social engineering cyber attacks. Social engineering attacks deceive people in order to exploit a target - phishing attacks, Trojan malware, and online scams all qualify as social engineering attacks.

You can harden yourself and your organization against social engineering attacks with education and by encouraging a healthy sense of skepticism. If something sounds too good to be true, it probably is.

Here are some social engineering attacks to look out for on Facebook.

Acquiring Friend Access to Facebook Accounts through Fake Profiles

Aaron Dahl is a private investigator with the Trust Investigative Group. He has used Facebook social engineering, and he wrote about his experiences and knowledge. Here are some of the ways he's successfully acquired friend access to his targets' Facebook accounts.

First, he'd come up with a fake Facebook profile with a name that's not too generic (“John Smith” raises suspicions) and not too unusual (names like “Maximus Jakoniella” are too easy to remember). He's found that names like “Cody Williamson” or “Jennifer Earl” work perfectly. My name, Kim Crawley, would probably work pretty well, too.

Next, he'd make sure that his fake profile has “mutual friends” with his target. That increases his target's trust in the fake profile. It's a lot easier than it sounds. He'd send friend requests to dozens of his target's friends, and inevitably at least a few would accept. A lot of people on Facebook will accept friend requests as a reflex, assuming that the person is an old acquaintance from middle school or grade school or someone they met through friends in the past.

Assuming that your fake profile name isn't too unusual, you can Google the name and inevitably find photos of people with the name. I know for a fact that there are other people named “Kim Crawley” or “Kimberly Crawley” with photos online, even though, as someone who writes for several websites for a living, I'm by far the best-known person with my name on the Internet.

That's how Dahl would acquire a profile photo. Then if someone does a bit of research on his fake profile's identity, it's more likely to appear authentic.

After putting some tidbits into his fake profile like a birthdate, hobbies, and favorite television shows, it's then pretty much child's play to get your target to add your fake profile as a friend. Once you have friend status with your target, you can see a lot of information that your target posts about their everyday lives and activities, which really helps with further social engineering attacks. You clearly know as much about your target as a real “friend” would, so they're a lot more likely to trust you with information they wouldn't make public.

The way to prevent attackers from acquiring “friend” access to your Facebook profile is to avoid “friending” people you don't personally know, even if they're “friends” of your “friends.” Furthermore, you should avoid posting enough information on Facebook for “friends” to be able to track you down in meatspace and know where you are and what you're doing all of the time. Post vacation photos after you come back home. If you absolutely must post photos of that wonderful meal you had at that trendy restaurant, post those sparingly and not while you're eating. You also shouldn't post photos or other information that'd let anyone know where your kids go to school or daycare.

Facebook Raffles

There is a growing phenomenon of scammers publicizing raffles on Facebook.

First, a scammer will come up with some sort of prize for the raffle. Chances are that no one will win it, but some of the reported prizes have been pretty strange, such as a shotgun, a monkey and a pregnant cocker spaniel. If the prizes ever were real, you can add animal cruelty to the list of horrors.

Then the scammer comes up with a Facebook page to advertise their raffle and sell tickets. They'll usually accept payment via PayPal or wire transfer. The tickets may never exist physically, but each is assigned a number. Often the number that's declared the winning ticket will be a number the scammer didn't give to any of the people sending them money. They'll just pocket everyone's money and move on to the next scam.

Liz Hodgson has set up her own Facebook page to warn people of raffle scams.

“(The Facebook raffle problem) is huge. It's so big at the moment. Everybody's creating their own groups. There are daily posts in the 10s, of people having issues with admins on these raffle groups. They're not drawing them correctly, the (players) aren't receiving their prizes,” Hodgson told the BBC.

Some people have gambling addictions and will spend the last of their money on a Facebook raffle scam.

My advice is to avoid doing any sort of gambling online, even sports betting and government-tolerated online casinos and poker. Overall, you should never gamble with an entity that isn't approved by your local government's gaming or gambling authority.


Attacking a target with malware is easier than ever. Cyber attackers don't need to be computer programmers anymore; they can buy their malware on the Dark Web with Bitcoin. A lot of the malware for sale is spyware like keyloggers and RATs (remote access Trojans).

Malware can then be filebinded (bound with a file-binder tool) to a photo, an audio file, or a document. Your target won't see an executable filename; they'll just see an innocuous media filename like “fluffy_kittens.jpg.” Still, if your target views the photo, listens to the audio, or opens the document, the malware will execute on their PC or smartphone.

Attackers may try to send their malware filebinded photos through Facebook Messenger. Facebook has built-in antivirus and it will block most malware, but it can't possibly work 100% of the time.

If an attacker has no success sending malware through Facebook Messenger, they may try to friend you on Facebook and get your email address. They can then send you their filebinded malware as an email attachment, or embedded in an HTML email.

Most webmail services like Gmail and Yahoo Mail also scan attachments for malware, but that's not perfect either. If your email server is hosted by your company and they don't have any sort of antimalware measures, it's that much easier for an attacker to send you malicious attachments. To prevent being attacked that way, use frequently updated antivirus software, and avoid opening attachments from senders you don't know.
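A concrete check an email or messaging gateway can run against the “filebinded” attachments described above: compare what a file's name claims to be with what its first bytes actually are, and flag double extensions like “fluffy_kittens.jpg.exe”. This is an added example written for this article, not code from the original post or from Facebook or any mail provider; the sample attachment bytes (JPEG_SAMPLE, PE_SAMPLE) and the function names are constructed for illustration. It is one layer only: it catches an executable dressed up as a media file, not an exploit hidden inside a genuine image or document, so it belongs alongside, not instead of, the antivirus scanning the article recommends.

```python
"""Flag attachments whose content does not match the name they present.

Constructed example for this article (not the original post's code).
"""

# Well-known leading byte signatures ("magic numbers") for common media formats.
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}

# Leading bytes of native executables that should never arrive as "media".
EXECUTABLE_MAGIC = {
    "Windows PE executable": b"MZ",
    "ELF executable": b"\x7fELF",
}

# Extensions that run code when double-clicked on a typical desktop.
DANGEROUS_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd",
                        "js", "vbs", "jar", "msi", "hta"}


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # U+202E reverses display order so "photo\u202egpj.exe" renders as "photoexe.jpg".
    if "\u202e" in filename:
        findings.append("right-to-left override character in filename")

    if ext in DANGEROUS_EXTENSIONS:
        findings.append(f"executable extension '.{ext}'")
        # e.g. fluffy_kittens.jpg.exe: a media extension placed before the real one
        if any(p in MAGIC for p in parts[1:-1]):
            findings.append("media extension used to disguise executable (double extension)")

    # Content is a native executable but the name claims something harmless.
    for label, sig in EXECUTABLE_MAGIC.items():
        if data.startswith(sig) and ext not in DANGEROUS_EXTENSIONS:
            findings.append(f"content is a {label} but name claims '.{ext}'")

    # Name claims a known media format but the bytes do not carry its signature.
    if ext in MAGIC and not any(data.startswith(sig) for sig in MAGIC[ext]):
        findings.append(f"content does not match '.{ext}' signature")

    return findings


def triage(attachments: dict) -> dict:
    """Map each attachment name to 'block' if anything was flagged, else 'allow'."""
    return {name: ("block" if inspect_attachment(name, data) else "allow")
            for name, data in attachments.items()}


# Constructed sample payloads: a minimal JPEG header and a minimal PE header.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16

# Constructed inbox: one real photo, one double-extension binary, one renamed binary.
SAMPLE_ATTACHMENTS = {
    "fluffy_kittens.jpg": JPEG_SAMPLE,
    "fluffy_kittens.jpg.exe": PE_SAMPLE,
    "holiday.png": PE_SAMPLE,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5}  {name}  {inspect_attachment(name, SAMPLE_ATTACHMENTS[name])}")
```

Run it as-is to see the three constructed attachments triaged; in a real gateway the same `inspect_attachment` call would sit on the attachment bytes before they reach a mailbox, with a flagged file quarantined rather than delivered. Operating systems that hide known extensions by default are exactly why the double-extension check matters: the user sees “fluffy_kittens.jpg” while the file is really “fluffy_kittens.jpg.exe”.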

Now that you’ve learned some tips to protect yourself, share with coworkers, friends, and family to help educate folks on the potential dangers of using Facebook. Chances are, most of your friends and colleagues consider Facebook to be an innocent platform for connecting with friends and sharing daily laughs and stories. The more we educate each other on what to look out for, the more we can protect ourselves from attackers.


About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.