A group of security researchers has developed a proof-of-concept Java-based tool that could allow malicious individuals to automate the siphoning of information from a target’s Facebook profile that would otherwise be inaccessible to them.
To do that, the attacker only needs to create a new Facebook account; the tool does practically all of the remaining work.
The “friending” plugin tries to befriend the target’s friends. Once it has managed to do that, the “cloning” plugin asks the user to choose one of those friends, whose displayed picture and name will be replicated on the newly opened Facebook account.
After that, a friend request is sent to the victim’s account. Less careful targets see the familiar face, the name, and the list of mutual friends, and accept the request.
“As soon as the victim accepts the friend request, the ‘dumper’ starts to save all accessible HTML pages (info, images, tags, etc.) for offline examining,” explain the developers.
Even if the target realizes the scam after a few minutes and un-friends the fake account, the deed is done: the information has already been stolen and can be misused to mount spear phishing or other attacks that rely on social engineering to gain a foothold in computer systems.
The tool, called Facebook Pwn, is meant to be a PoC, but since its source code is openly available and the project site contains instructions on how to build additional modules for it, I guess it’s only a matter of time until it’s abused by attackers.