FBPwn is a social engineering tool which saves all useful information from a victim's Facebook profile. FBPwn works by adding all the friends from the victim's friend list and then "cloning" a profile from that list; the victim is likely to accept the request because of the familiar name and the high number of mutual friends. This is when FBPwn really gets into action, saving all the HTML from the added friend, which the developers say includes "info, images, tags".
The potentially creepy tool is just a "proof of concept (PoC) to make the world aware of the social engineering techniques used in the underworld", according to the creator, who works on an IT security team and adds: "use it at your own risk and please do not abuse!"
The tool highlights how easy it is for total strangers to socially engineer information out of users, since most users rightly trust the name and mutual friends count to be genuine. The developers say "after a few minutes, probably the victim will unfriend the fake account after he/she figures out it's a fake, but probably it's too late!"
In a full disclosure detailing his reasons for releasing the project, project owner Ahmed Saafan said "I have taken a significant amount of time thinking about releasing the program or not for the same reasons that everybody is discussing, abuse."
Explaining one of those reasons, Saafan said "accepting friend requests for even the smallest period of time without manually verifying that the friend is actually who he claims to be, is an example of wrong actions that we wanted to demonstrate".
Two steps users can take to avoid becoming a target are setting the friends list to private and using lists to filter new friends into a high-privacy list. To use the second technique, create a new list for new friends, such as "new friends". Then go to the privacy settings and block the "new friends" list from the aspects of your profile you do not want members of that list to see. Once you trust a friend you have added, move them to a relevant list such as "work friends".
Of course, one of the best ways users can protect themselves is to put only information they are comfortable sharing with the public on their profile.