Everything you need to know about a little app called FBStalker

It’s no secret that Facebook’s been busy whittling away the privacy you previously enjoyed within the site. That’s the deal we’ve made to continue being users, but every so often the scourge of a new feature or policy update sends us heading for our account settings, madly trying to understand how to protect ourselves. 

That, or you give up, give in, and give it all over to Facebook. 

The latest launch that has made it easier than ever to dig into your personal data is Graph Search. Though fun and incredibly revealing (for better or worse), we haven’t totally understood the potential and magnitude of this tool – until now. A little something called FBStalker has been developed, and it can find out what your weaknesses are and how to exploit them, all using Graph Search as well as information culled from your friends. 

If that doesn’t scare you just a little, it should. Here’s what you need to know. 

The FBStalker tool primarily uses Facebook’s Graph Search to gather data, but mostly uses the information you share on your friends’ Timelines.

If you haven’t realized by now how powerful (and potentially invasive) Facebook’s built-in search mechanism is, then that’s your main problem right there. We can’t stress this enough, but you really should be careful about the stuff you share on social media sites like Facebook – especially now that an important function that allows you to keep your account from being searchable has been permanently shuttered.

FBStalker is a Python script developed by Keith Lee, a Singapore-based analyst for Trustwave, a company that protects data and prevents security risks for their clients. It works by using the information readily available not just on your profile, but your friends’ as well. From that data, the tool can analyze interactions between users and infer a list of your close friends from the likes, comments, tags, and check-ins you post on other people’s pages.

The FBStalker tool was developed to help clients test their own security settings.

While the description of the tool may sound horrifying, the company that developed it actually use it for good. “[We] conducted a phishing campaign with FBStalker by just using email,” shares Jonathan Werrett, Managing Consultant for Trustwave based in Hong Kong, also the co-researcher and consultant for the project. “The company we were working with wanted to know where their security was weakest. Through FBStalker, we were able to identity that an employee’s wife (through associations) had ‘liked’ a specific pilates studio in the area. We were then able to determine that she owned the pilates studio, which gave us a great topic to start talking with her via email.  The goal was to see if she would open an email on the topic, which could then be a malicious document.”

According to a news report, Trustwave sent an email containing a video, which the wife opened. The attachment unleashed malware onto her computer, which incidentally contained passwords left there by its previous owner, her husband (who hired Trustwave). The malware successfully infected the computer and gave Trustwave complete access to these passwords.

“Traditionally, hackers have used ‘phishing’ email attacks based around generic topics to try and get a victim’s interest,” explains Werrett. “They use these topics with the aim of getting the victim to click on a link or open a malicious payload. We’ve seen phishing attacks in the wild use topics about technologies, news sources people at a specific company would be interested in, or subject lines like ‘Company Payroll Details for September’.”

Werrett also points out that most social media sites provide “open source intelligence” that may potentially be used by hackers to craft very specific “spear-fishing” attacks, similar to the earlier pilates example.

FBStalker has the ability to expose all sorts of pertinent open source intelligence you previously thought was insignificant.

Any online attacker on a mission can use Facebook as a resource for pretending to know a lot about you, thereby encouraging you to open yourself up to hacking. As a preemptive measure, FBStalker is able to use the information on your Timeline to find out what time of day you usually post on Facebook and are most active on the site – this is often tied to the time you spend answering emails or instant messages, a part of your routine that may prove useful for scammers to target you via online correspondence.

FBStalker can also find out what type of mobile device you use, based on the applications you have used within the social site. Additionally, they can also find out where you are based on the geo-location data your phone attaches to some of your Timeline activity. This can potentially lead hackers to finding out how often you are at a certain place and roughly at what time. People can learn about your work schedule and piece together your entire day-to-day. They can set up shop at one of your regular hangouts and create what Werrett calls an “evil wireless hotspot,” designed to capture account credentials or other sensitive data when specific victims connect to it.

All that information, just from your smartphone and your Facebook account.

Even when you think your privacy settings are top-notch, as long as you give your friends list access to your content, you’re vulnerable.

You know the adage “A chain is only as strong as its weakest link”? It very much applies to Facebook security – even if you have completely locked down your Facebook profile, the one thing you can’t protect is your Facebook profile photo. Friends often comment on your new profile photo or click ‘like.’ “This type of activity can be captured and analyzed by FBStalker and helps to ‘reverse engineer’ your Facebook friends,” says Werrett. Once FBStalker knows who your friends are, it can find out even more about you.

Trustwave also developed a similar tool called GeoStalker – which is exactly what it sounds like.

GeoStalker analyzes content posted on Foursquare, Flickr, Instagram, and Twitter – basically any social site that may contain geo-location information. The tool locates these posts and plots them on a Google map, allowing one of Trustwave’s testers to gauge online activity in specific areas.

After GeoStalker finds the accounts of people who have posted from a specific location, the tool cross-correlates this data with other social sites like Youtube, Google+, Linkedin, Facebook, Twitter, Instagram, and Flickr to find more accounts that can be connected to the users.

“We were hired by a utility client to test the physical security of an industrial site and see if we would be able to access their control networks,” Werrett recounts. “With Geostalker, Trustwave identified a social media account that was posting a lot of photos while at the location and it turned out to be a staff member. Trustwave then conducted a phishing attack to try to get the target to open up an email which would have given us access to the company’s information or network.”

Although Trustwave primarily designed the tool to help the user search for the social media accounts of people that work at a particular location, it reveals a much bigger issue: It may not be a good idea to tag your location all the time on your Instagram posts, after all. And seriously, everyone needs to stop checking into their places of residence and labeling it “my crib.” You are asking to be robbed, or worse. 

Whatever you and your friends post on Facebook may (and probably will) be used against you.

Seriously, if there was one lesson to take home from all this, it’s to be extra-wary about what you and your friends are posting on Facebook (as well as other social media sites – and yes, we’re saying it again). Locking down your privacy settings shouldn’t be the only step you take to ensure your information’s safety.

Trustwave also recommends that you be careful of who you accept as contacts on these sites and that you alert your more online-active friends who leave their profiles public to the fact that they are not only putting their privacy at risk, but yours as well. Lastly, disable location access within the social media applications you use on your mobile devices.

For now, only users with Linux machines can use the FBStalker tool.

However, since its release last week, members of the developer community have reached out to the team and are interested in trying to port the tools over to Windows. Until then, you’re limited to a Linux-supporting PC and some general coding know-how (Python experience will help). We had a programmer look at the script, and he saw that while anyone can head to Github and download the script, they’ll be prompted for a user password before analyzing a profile. This means that all you’ll need to perform a scan on anyone is a Facebook log-in.

At least for now; who knows if Trustwave will develop it into a program that scans all profiles, whether you have a Facebook account or not. Or, scarier yet, now that the code is out there, anyone can build an even more efficient tool using more sophisticated and privacy-breaking technology. All FBStalker does is automate Graph Search queries using information that’s already set to public to begin with, but considering people’s usually lax regard for notifications, tags, and fine prints, this type of data is definitely cybercrime fodder. Bottom line: just because the good guys developed this tool first (or at least announced it) doesn’t mean the scammers out there aren’t doing the exact same thing.

Get our Top Stories delivered to your inbox: