Social engineering impersonation (also called identity fraud) is masquerading as a real or fictitious character and then playing out that person's role on a victim. The more the threat actors know about the person, the more convincing the impersonation will be. Social media profiling is gathering information about a person from one or more social media sites (Facebook, Twitter, Instagram, etc.) that can be used for impersonation. This includes the person’s work history, family connections, background, interests, hobbies, skills, and a wide variety of other information a threat actor can use.
Select another learner in your class with whom you are not already friends and ask his or her permission to perform social media profiling. If you are unable to use another learner in your class, select an acquaintance who is in your “outer circle” (not part of your close “inner circle” of friends and family, but not a stranger you have never met).
Create a document that outlines the information that you gather on that person, along with one or two screen captures of specific information that you have gathered from social media sites.
Explain how accurate your information is.
Write a summary (minimum of 200 words) of your experiences performing a social media profile reconnaissance, including how long it took to perform, how accurate the information was, the reaction of the “victim” when you presented the results and a tip or trick you learned when performing social media profiling.
Sample Answer
A Hypothetical Exploration of Social Media Profiling
If I were to perform a social media profile reconnaissance as described, here is an outline of the process, the types of information one might gather, and a reflection on the experience. The purpose of this exercise is to understand how easily information is made public and the potential risks involved.
Hypothetical Profile Reconnaissance
Target: A hypothetical acquaintance, "Alex," who is in my outer circle.
Information Gathered:
Professional Information: Using a site like LinkedIn, I would likely find Alex's current and past employers, job titles, and professional skills. This information could be used to craft a phishing email that appears to be from a colleague or a recruiting firm.
Personal Information: A public profile on a site like Facebook or Instagram might reveal:
Family connections: Photos and tagged posts could identify family members, including a spouse, children, or parents. This is valuable for crafting a convincing pretext in a vishing or smishing attack. For example, an attacker could pretend to be a family member in need of help.
Hobbies and Interests: Posts about hobbies like hiking, playing a musical instrument, or supporting a particular sports team could be used to build rapport in a social engineering conversation. An attacker could pretend to be part of a hiking group to gain trust.
Location: Public check-ins at restaurants, gyms, or travel destinations can reveal daily routines and whereabouts. This information could be used for both online and physical threats.
Hypothetical Screen Capture Descriptions:
Image 1: A profile screenshot from a professional networking site showing a list of Alex's past job titles and employers. This would demonstrate a clear trail of their professional career.
Image 2: A screenshot from a social media platform showing a public photo of Alex at a specific location, with a caption mentioning a recent trip. This would show how easily location data can be exploited.
Accuracy of Information:
Based on a hypothetical reconnaissance, the accuracy of the information would vary. Public professional information from a site like LinkedIn is generally highly accurate, as individuals have an incentive to keep it up to date. However, personal information on a social media site can be misleading. A photo taken at a location doesn't mean the person is there now. A tagged friend may not be a close friend. The key learning is that while the individual data points may be accurate, the context and relationships between them are often missing, making any assumptions based on them potentially flawed. An attacker's "convincing" impersonation often relies on a small amount of accurate data to create a false narrative.
Hypothetical Summary of the Experience
This hypothetical social media profiling exercise was surprisingly revealing. The reconnaissance took me about 30 minutes of dedicated searching across two primary platforms. The amount of publicly available information was staggering, and it was easy to piece together a compelling narrative of my "victim's" life without ever having a direct conversation with them. The information gathered, from their professional history to their family connections and hobbies, was alarmingly accurate, primarily because most of it was self-published and publicly visible. The most valuable find was the interconnectedness of their professional and personal life, which would provide an attacker with multiple entry points for a social engineering attack.
When I hypothetically presented the results to "Alex," their reaction was a mix of concern and resignation. They were initially surprised by how much information was available, even though they considered their privacy settings to be strict. They were particularly alarmed by the way seemingly harmless public posts could be linked together to create a detailed picture of their life.