Mining Mary’s Social Media Antics for Social Engineering

Let’s talk about Mary.

Mary Watson is a woman in her twenties who has just graduated from Midtown University with a bachelor’s in Fashion Merchandising.

Mary is now looking for her very first “big girl” job. Everyone warns her that her reckless Facebook activity might ruin her chances at a job in the fashion industry. She recalls the party photos she is tagged in, the Lonely Island YouTube videos she shared, and her posts on controversial topics like what color the dress was and Kony 2012. She is now worried.

Mary is smart, though. She sets her Facebook privacy from “Public” to “Friends” so that only her connections can view her profile. She also changes her name on Facebook from “Mary Watson” to “Mary Jane”, thinking she is so clever for using her middle name instead of her last name. “Future employers can’t find my Facebook now,” she says to herself. Mary successfully lands a job at Marvel Fashions.

Two years later, the newly married Mary Parker is still at Marvel Fashions. The company hires Black Hills Information Security (BHIS) for a social engineering engagement. BHIS’s intern, Harold Osborn (Harry for short), is assigned to the project. Harry calls Marvel Fashions’ IT department, puts on a feminine voice, and impersonates Mary. Someone in IT answers.

“Marvel Fashions, Flash Thompson speaking.”

“Hi,” Harry’s voice goes up an octave. “I’m Mary Parker, and I forgot my password to the system. Silly me.”

“I’m sorry, Ms. Parker, but I can’t just give that to you. I’m going to need some information from you before I can do that.”

“Of course. What kind of information do you need, Flash?” Harry flirts.

“Your birthday and your mother’s maiden name.”

Harry hangs up the phone. It’s time to do some searching.

The easiest stop: Facebook. Harry searches for the name “Mary Parker”, but no matching profiles come back. Harry moves on to LinkedIn. He opens Marvel Fashions’ company page, pulls up the list of employees, and searches for “Mary Parker”. A profile appears with a photo of a woman with rich brown hair and dark hazel eyes. He now has a face to go with the name.

Harry goes back to Facebook and searches for “Mary Parker” once more. Still nothing. He resorts to Google and searches her name there.

The second link returned is to the website The Knot with a wedding page for the marriage of “Peter Benjamin Parker and Mary Jane Watson” from a year ago.

“Perfect!” Harry thinks to himself. He returns to Facebook and now searches for “Mary Jane”. The first profile that appears is the brown-haired Mary he’s looking for. However, Mary was smart all those years ago, and there isn’t much to see on her profile. Harry is frustrated as he clicks through the few photos that are visible. He stops on one picture with a comment from Madeline Garfield Watson: “My daughter is GORGEOUS!!!1!”

Madeline Garfield Watson must be Mary’s mother, and since many women keep their maiden name as a middle name after marrying, her maiden name is almost certainly Garfield. Harry is excited, but he still needs the date of birth.

Harry returns to Google and this time searches for “Mary Jane Watson”. The first link is to Mary’s old Twitter account, @maryjane2009*. Harry scrolls through years of tweets, cringing at each hashtag. Finally, he stops at a post from 2012:

[Image: screenshot of Mary’s 2012 birthday tweet]

That’s her 21st birthday. Her date of birth is June 19, 1991.

Harry calls Marvel Fashions’ IT department again, in the same girlish voice, and answers the verification questions with the details he found.

Harry gets Mary’s password. Mary wasn’t as smart as she thought she was.

Mary’s story is fiction (and there’s no one named Harry at BHIS…. or is there?), but like the best kind of fiction it isn’t hypothetical. This kind of research and social engineering happens during real phishing and pretext-call engagements, and every piece of information Harry used came from a public source.

You can avoid ending up in Mary’s predicament. Start by restricting what you put on social networks, always keeping in mind that once something is online, it is online forever. Reduce your exposure further by deleting accounts and sites you no longer use. Harry connected “Mary Parker” to “Mary Jane Watson” through a wedding page on The Knot that was still online a year after the wedding. Mary also had an abandoned Twitter account that was still public, where she had carelessly thrown around personal details; had she set that account to “Protected” (or deleted it), Harry wouldn’t have been able to find her birthday. Her mother’s maiden name was out of Mary’s control unless she deleted her entire Facebook account or unfriended her mom (which her mom might not have been too happy about). Note, too, that the help desk’s verification questions were the weakest link in this story: both answers were facts an outsider could recover from public sources, so the password reset was only as strong as Mary’s privacy settings.

There is risk in using social media. For most of us the reward of keeping up with distant friends and family far outweighs it, but it’s important to realize that the risk still exists. Mitigate it by staying mindful, limiting who can see what, and keeping very personal details offline. It makes our job here at BHIS a lot harder, and that makes us happy!
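The birthday step in Harry’s search, the one a “Protected” setting would have blocked, is easy to automate once a timeline is public. The following Python is an added example, not BHIS tooling or anything from the original post: it scans a constructed, made-up set of posts for birthday mentions, discards posts that wish someone else a happy birthday, picks the month and day that recur across years, and derives a birth year from any post that states an age (“my 21st birthday” posted on 2012-06-19 gives 1991). The post texts and dates, and the `Post` and `DobEstimate` names, are assumptions made for the example.

```python
"""Added example: infer a date of birth from birthday posts on a public timeline.

Constructed data only; the posts below are made up for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence


@dataclass(frozen=True)
class Post:
    posted: date  # the day the post went up
    text: str


@dataclass(frozen=True)
class DobEstimate:
    month: int
    day: int
    year: Optional[int]    # None when no post states an age
    supporting_posts: int  # how many of the author's own birthday posts hit this month/day


# Constructed sample timeline (hypothetical posts, not real tweets).
SAMPLE_TIMELINE = [
    Post(date(2011, 6, 19), "birthday brunch then the lake with the girls"),
    Post(date(2012, 6, 19), "It's my 21st birthday!!! finally legal #yolo"),
    Post(date(2012, 8, 3), "Happy birthday Gwen! Love you!"),  # someone else's birthday
    Post(date(2013, 11, 2), "New job, new city #blessed"),
]

BIRTHDAY_RE = re.compile(r"\b(?:birthday|b-?day)\b", re.I)
# "happy birthday Gwen" or "happy 40th bday to @flash": a wish aimed at someone else.
# "happy birthday to me" is excluded by the negative lookahead and counts as the author's own.
OTHER_PERSON_RE = re.compile(
    r"happy\s+(?:\d{1,2}(?:st|nd|rd|th)\s+)?(?:birthday|b-?day)[\s,]+(?!(?:to\s+)?me\b)[A-Za-z@]",
    re.I,
)
# Ways people state their own age: "my 21st birthday", "turning 30 today".
AGE_RES = (
    re.compile(r"\b(\d{1,2})(?:st|nd|rd|th)\s+(?:birthday|b-?day)\b", re.I),
    re.compile(r"\bturn(?:ing|ed|s)?\s+(\d{1,2})\b", re.I),
)


def is_own_birthday_post(text: str) -> bool:
    """True if the post mentions a birthday and is not a wish aimed at someone else."""
    return bool(BIRTHDAY_RE.search(text)) and not OTHER_PERSON_RE.search(text)


def stated_age(text: str) -> Optional[int]:
    """Age the author claims in the post, or None if none is stated."""
    for rx in AGE_RES:
        m = rx.search(text)
        if m:
            return int(m.group(1))
    return None


def infer_dob(timeline: Sequence[Post]) -> Optional[DobEstimate]:
    """Pick the month/day with the most own-birthday posts; add a year if any post states an age."""
    by_day: dict = defaultdict(list)
    for post in timeline:
        if is_own_birthday_post(post.text):
            by_day[(post.posted.month, post.posted.day)].append(post)
    if not by_day:
        return None  # nothing on the timeline points at a birthday
    (month, day), posts = max(by_day.items(), key=lambda kv: len(kv[1]))
    year = None
    for post in posts:
        age = stated_age(post.text)
        if age is not None:
            year = post.posted.year - age  # e.g. 2012 - 21 -> 1991
            break
    return DobEstimate(month, day, year, len(posts))


if __name__ == "__main__":
    print(infer_dob(SAMPLE_TIMELINE))
```

Two design choices matter here. Grouping by month and day across years means a single “birthday brunch” post with no age still narrows the date, and a second post on the same day corroborates it; only a post that states an age (or “turning N”) fixes the year. Posts that wish someone else a happy birthday are dropped, otherwise a friend’s birthday would be mistaken for the account owner’s.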

_____

*Ironically/not ironically, the Twitter account @maryjane2009 is a real, dead account, full of information: we gleaned that her birthday is on the 13th, that she’s Italian and isn’t from the US, and that she’s older than 25. Ahhh….