Beware, online 'friends' may be strangers

The fake profile ruse seems simple enough, but takes a lot of careful planning, and could expose victims to malicious software.
Photo: The New Paper

Two weeks ago, I received a Facebook friend request from "Kevin".

I recognised the profile picture. Kevin trains in the Brazilian martial art of capoeira with me at Bantus Capoeira Singapore, and we have been Facebook friends since August 2014.

Clicking though the new profile, I saw that we had four friends in common - all from our capoeira group - and that he had a capoeira-themed cover picture.

Seems legit, I thought. I accepted the request, assuming that perhaps he created a new profile for work or because his old one had been compromised.

After accepting, I immediately messaged Kevin on Facebook.

"why do you have another FB?"

"No clue i just saw it"

"err it's not you then?"

"No"

I immediately unfriended "Kevin", and he reported the fake profile to Facebook.

It was removed soon after.

If we had not been so vigilant, I could have fallen for a social engineering attack by Mr Ryan Flores, a researcher at security software company Trend Micro.

The fake "Kevin" would have sent me a link inviting me to a capoeira event, baiting me to click on it. If this were a genuine attack, this would have exposed me to malicious software.

The fake profile ruse seems simple enough, but it took a lot of careful planning.

Explaining his attack strategy, Mr Flores said: "I took some publicly available photos of Lisabel's friend Kevin, and created a Facebook account with a similar name and some pictures Kevin used before."

To make me more likely to accept the friend request, he first sent requests to our mutual friends and waited until they accepted, before sending me a request.

If he had not been thwarted, "Kevin" would have then sent me a link to a page on bantus-capoeira.com (my group's real site is bantus-sg.com), a domain that Mr Flores registered in order to dupe me.

Fortunately, I know Kevin well enough that I could check with him quickly. If it had been someone I was less familiar with, perhaps someone I knew through work, I would probably have just let the fake profile be.

Mr Flores' backup plan, which he did not have time to execute, was to craft an e-mail pretending to be from the alumni group of my university, University College London, which is listed on both my Facebook and LinkedIn profile pages.

The e-mail would have invited me to an alumni homecoming event, and would have contained a link to a Google Form. Again, if this were a genuine attack, clicking on the link would have exposed me to malicious software.


This article was first published on April 27, 2016.
Get a copy of The Straits Times or go to straitstimes.com for more stories.

No comments yet.
Be the first to post comment.