Social networks & Deactivated Friend Attack, the cybercrime paradise

Pierluigi Paganini March 23, 2012

A few days ago I wrote about the dangers relating to a not careful attendance of social networks, powerful platforms and privileged communication tools, the subject of increasing interest of cybercrime.
Many possibilities for attack across these platforms, from social engineering to cyber espionage, not forgetting the spread of all types of malware.
Endless audiences of users, all too often unaware of the threat, represent the ideal target for criminals.

A very interesting news appeared on the internet yesterday, an University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt during a conference at the IEEE International Workshop on Security and Social Networking SESOC 2012 in Lugano (Switzerland on March 19th),  have presented a new critical vulnerability on Facebook platform, a zero day privacy loophole  that they have named “Deactivated Friend Attack”.

The two expert have described the attacks:

“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”

Probably one of the aspects that make this vulnerability more insidious is that the popular social network lack a mechanism for notifying a user of the activation / deactivation of the account considered as friends.
The process of alternating activation and deactivation is defined by two experts as “cloacking”

Furthermore the process of activation and deactivation may be repeated at will without being subject to any control because deactivation is temporary in Facebook.  This behavior then allows an evil intent to reactivate an account for the time necessary to carry out a survey among the information posted by a victim … a mine as we learned from the news.

In my opinion the real problem is the distracted behavior of users of social networks, too preoccupied to increase the counter of their relationships without carefully assessing the real identity of those seeking friendship.  Once obtained the friendship it is possible to spy every account as desired, it is simply necessary to activate the account in a time when the victim is not present on the social platform to avoid being spotted and arouse suspicion.

As the attacker has to uncloak to spy, there is a probability of being detected and unfriended or put under restricted privacy policies. This probability will be dependent on several factors and suspicious events are:

  • the victim checks their own friendlist
  • the user is online when the attacker is de-cloaked
  • the victim checks their profile page
  • the victim checks their friends preview (Facebook shows thumbnails and names of 10 friends on the left side of user’s profile page)
  • the attacker being available on the friends preview
  • the victim getting suspicious about the attacker after finding him on the friendlist and then attempting to restrict or unfriend it
  • the victim will be able to apply the restriction before the attacker deactivates considering the time they both have

The expert alerted:

“Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user.”

The attack is very serious for several reasons:

  • it is very hard to detect
  • if the user desire to adjust his privacy settings  he will not be able to apply any updates, unless they are applied to all friends, or to lists of which the attacker is a member. If the attacker is temporary de-activated it is not possible.
  • the attacker simply monitoring few users on the social network can get a deeper insight into a large network

During the presentation the two experts have presented a live demo to prove the problem showing that the one way to avoid any kind of problem is to notify the user the continuous change of states of its friends.
Of course the situation must be managed by the manager of the Facebook platform that could also monitor a “cloacking” behaviour of an account blocking it or disabling the re-activation features.

Beware, social media are becoming a paradise for cybercriminals.

Pierluigi Paganini


you might also like

leave a comment