Social engineering has long been cyber attackers’ best bet for entering systems and compromising accounts when actual hacking doesn’t work, or when they simply don’t want to waste much time getting in.
At this year’s edition of the Hack In The Box Conference in Kuala Lumpur, Ruhr University Bochum researcher Ashar Javad demonstrated the possibilities offered by Facebook’s “Lost my password” / trusted friends feature. His rather extensive presentation also contained a section on several attack vectors related to social networks that should be impossible to use by now.
He created a fake account (the victim) on a number of different social networks and tried to get customer support representatives to give the attacker (in this case him) full access to the victim’s account. He attempted this by sending them an email from a totally different address than the one with which he had registered the account in the first place.