
Spam Loophole In Social Media Sites And How To Exploit It


vailixi


I thought this might be a good topic for discussion.

I had wondered how hard it would be to add a bunch of people I didn't know on Facebook or LinkedIn. I had noticed when I signed up for some social media sites that there is an option to import contacts from your email contact list. While it's illegal to send spam emails, I don't think it's illegal to use the email addresses to add friends on Facebook. So basically if you wanted to find a bunch of people from a company or a school on LinkedIn or Facebook, you could pretty much use a method like this in social engineering or phishing on social media. Once again I'm not totally sure on the legality of doing this, but I figure it is worth a discussion.

Steps: Get the email list. I figured a guy could pretty much hit up Pastebin and create an email list for any organization he wanted to target. Grep out the email addresses and sort them for uniqueness. Also sort out domain names or domain extensions you don't want, like .gov or .mil addresses. You probably wouldn't want to accidentally spam or phish them. Split the lists into sections smaller than the maximum allowed limit. I think for Gmail it's 3000 or 5000. Forgot it. Split them into 2500-line text files.

Then convert the text file into CSV with a program kinda like this. I wrote this pretty hastily. It just opens up a file and writes a CSV header with the correct format for Gmail. Make sure to get the number of commas right. You can do this with Yahoo! and other free email services. There are some security measures against it. Then import the email list into your contacts as a CSV. Then add friends on social media sites from your contact list. That simple. Here's a link to the blog post I wrote about it: http://codeexamplescplusplus.blogspot.com/2016/10/csv-maker-c.html

Here's some hasty C++ for the CSV maker. My code is shit just to let you know in advance.

//application to sort email addresses and put them into a CSV for use with gmail.
#include <string>
#include <iostream>
#include <fstream>
using namespace std;

int main (int argc, char* argv[])
{
    //input: one email address per line. Output: contacts CSV in Gmail's export layout.
    //paths default to the original hardcoded locations and can be overridden:
    //    csvmaker [input.txt] [output.csv]
    const char* inpath  = (argc > 1) ? argv[1] : "/root/file.txt";
    const char* outpath = (argc > 2) ? argv[2] : "/root/Desktop/emails.csv";

    ifstream infile (inpath);
    if (!infile.is_open())
    {
        cout << "Unable to open file " << inpath << endl;
        return 1;
    }

    ofstream myfile (outpath);
    if (!myfile.is_open())
    {
        cout << "Unable to open file " << outpath << endl;
        return 1;
    }

    //input the layout information for CSV file (31 columns, Gmail's contact export header)
    myfile << "Name,Given Name,Additional Name,Family Name,Yomi Name,Given Name Yomi,Additional Name Yomi,Family Name Yomi,Name Prefix,Name Suffix,Initials,Nickname,Short Name,Maiden Name,Birthday,Gender,Location,Billing Information,Directory Server,Mileage,Occupation,Hobby,Sensitivity,Priority,Subject,Notes,Group Membership,E-mail 1 - Type,E-mail 1 - Value,E-mail 2 - Type,E-mail 2 - Value" << endl;

    //output contacts to contact list. Commas delimit contact information fields:
    //27 empty fields, then "* " (E-mail 1 - Type, marks the primary address), then the
    //address (E-mail 1 - Value), then two empty E-mail 2 fields. Column count must match the header.
    string line;
    while ( getline (infile,line) )
    {
        if (line.empty()) continue;   //skip blank lines so no empty contacts are created
        myfile << ",,,,,,,,,,,,,,,,,,,,,,,,,,,* ," << line << ",," << endl;
    }

    infile.close();
    myfile.close();
    return 0;
}

 

Edited by vailixi

Facebook users also have to accept the invite. So it would be like any kind of grey hat internet marketing campaign, with success rates measured in percentages. So it's like dynamite fishing. Rather, dynamite phishing.

I know Facebook only lets you have a maximum of 5000 friends per account, and there is a maximum number of contacts you can have in Gmail. The account used to add all of the friends may or may not get reported.

 

Edited by vailixi
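As an added example from the defender's side (this is not code from the thread or its author): the posts above point out that every recipient has to accept the request and that a campaign's success rate is measured in percentages, and that is exactly what a platform can key on. The Python below scores constructed friend-request events per sending account and flags accounts that combine high volume with a low acceptance rate or with recipients clustered in one organisation's mail domain. The event schema, the sample data and the thresholds are all assumptions made for the illustration.

```python
"""Flag sender accounts whose friend-request pattern looks like a bulk
contact-import spray: many requests, few acceptances, recipients clustered
in one organisation's mail domain. Event schema and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FriendRequest:
    sender: str               # account that sent the request
    recipient_email: str      # address the request was generated from
    accepted: Optional[bool]  # True accepted, False declined, None still pending


def build_sample_events() -> List[FriendRequest]:
    """Constructed sample data; none of these accounts or addresses are real."""
    events = []
    # One account imports a 60-address list for a single organisation; 5 accept.
    for i in range(60):
        events.append(FriendRequest("acct_spray", f"user{i:02d}@corp.example", i < 5))
    # An ordinary account sends a handful of requests to people it knows.
    normal = [("a@gmail.com", True), ("b@yahoo.com", True), ("c@mail.ru", True),
              ("d@gmail.com", True), ("e@outlook.com", True), ("f@gmail.com", True),
              ("g@yahoo.com", False), ("h@gmail.com", None)]
    for email, outcome in normal:
        events.append(FriendRequest("acct_normal", email, outcome))
    return events


def summarize(events: List[FriendRequest]) -> Dict[str, dict]:
    """Per-sender counts: volume, acceptance rate over decided requests,
    and the share of recipients in the single most common mail domain."""
    per_sender = defaultdict(list)
    for ev in events:
        per_sender[ev.sender].append(ev)
    summary = {}
    for sender, evs in per_sender.items():
        total = len(evs)
        accepted = sum(1 for e in evs if e.accepted is True)
        declined = sum(1 for e in evs if e.accepted is False)
        decided = accepted + declined
        domains = Counter(e.recipient_email.rsplit("@", 1)[-1].lower() for e in evs)
        top_domain, top_count = domains.most_common(1)[0]
        summary[sender] = {
            "total": total,
            "accepted": accepted,
            "declined": declined,
            "pending": total - decided,
            "accept_rate": accepted / decided if decided else None,
            "top_domain": top_domain,
            "top_domain_share": top_count / total,
        }
    return summary


def flag_sprays(events: List[FriendRequest], min_requests: int = 20,
                max_accept_rate: float = 0.25, min_domain_share: float = 0.8) -> Dict[str, List[str]]:
    """Return {sender: [reasons]} for accounts over the volume threshold that
    show at least one spray signal. Thresholds are illustrative assumptions."""
    flagged = {}
    for sender, s in summarize(events).items():
        if s["total"] < min_requests:
            continue  # low volume: never flag on rate alone
        reasons = []
        if s["accept_rate"] is not None and s["accept_rate"] <= max_accept_rate:
            reasons.append(f"low acceptance rate {s['accept_rate']:.2f}")
        if s["top_domain_share"] >= min_domain_share:
            reasons.append(f"{s['top_domain_share']:.0%} of recipients at {s['top_domain']}")
        if reasons:
            flagged[sender] = reasons
    return flagged


if __name__ == "__main__":
    for sender, reasons in flag_sprays(build_sample_events()).items():
        print(sender, "->", "; ".join(reasons))
```

The volume gate comes first on purpose: a handful of declined requests from a normal user says nothing, while sixty requests to one company's domain with a single-digit acceptance rate is the contact-import pattern the thread describes. Pending requests are left out of the rate so a freshly started burst is judged on volume and domain concentration rather than on outcomes that have not arrived yet.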

In a way I guess you could call this people fishing, in the sense that, say, you wanted to know if someone's email was used on a social network like FB or LinkedIn but didn't know their actual account associated with the email/network handle/nickname; if they accept the request on FB or LinkedIn and blindly accepted without knowing you, you'd manage to find the account associated with it. Compiling a wordlist of names associated with common email domains might make for an interesting test result, such as finding celebrity accounts and other famous people.

I wonder though, does it show a decline under the request as well? Also, does it show a not found if there is none? If a decline came back, this in theory should at least help identify that the email is associated with an account, although I don't know if they show this type of response, or if any, whether declined or not found, show the same message. Not sure how the networks would treat this either, say, importing 10,000 emails to try against... lol. Someone has probably done some sort of research on the topic; although I've never given it much thought till seeing your thread, we can't be the only ones thinking about it now.


Actually, yeah. You could probably create a list of emails with just the most common first names and last names and just create the emails like bob.holmes, bobholmes, or holmes.bob, then append the domain at the end. Like the top 100 email providers, like mail.ru, gmail.com, yahoo.com, etc. Then see if there is an email account associated with it. Or you could just create the email list and write a script to run searches on Google and Pipl for accounts. Then you could pretty much create an internet phone book of virtually everyone who uses those email services and has a common name.

Like a d0xxing engine. That would be kinda cool. Really doesn't sound that hard to do either.


I don't use Facebook, but if your friends list suddenly grew with new users, I'm sure you'd find out quickly who is who. A 100-name spray nabbing 50 users might be hard to correlate though, unless they give you some sort of verification per email.
