curious_07
Honorary Poster
- Joined
- Oct 23, 2016
- Posts
- 654
- Reaction
- 201
- Points
- 215
Introduction
Facebook is used by nearly a sixth of the world’s population. This large number of Facebook users are vulnerable to information security attacks. According to a statement published by Facebook, the social networking website received 600,000 fraudulent login attempts per day in 2011. This means that every 140 milliseconds, someone attempts to häçk a Facebook account. The blink of the eye usually takes 300-400 milliseconds.
häçking Facebook accounts does not require sophisticated skills. By way of illustration, a simple Google search reveals numerous instructions on how to gain unauthorized access to a Facebook account. Moreover, there are books giving insight on the topic. For example, the book “How häçkers häçk Facebook & Any Pc?” provides “tricks & methods used by häçker’s all around the world to häçk any Facebook account & any Pc”.
häçked Facebook profiles, in combination with user data picked from other sources (e.g., Twitter, LinkedIn, and check-ins), allow criminals to construct a full personal, financial, and behavioral image of their victims that may be further utilized for committing data thefts and other cyber-crimes.
In this article, we examine the most popular methods for häçking Facebook accounts, provide recommendations on how to protect your Facebook account, and discuss the Facebook bug-reporting initiative “Bug Bounty Program.”
The most popular methods for häçking Facebook accounts
In this section, we discuss three commonly used methods for häçking Facebook accounts, namely, häçking software, phishing, and botnet attacks. Below, each of these methods is examined in more detail.
häçking software
A search in Google for “Facebook häçking” comes up with millions of links allowing immediate download of häçking software. However, most software applications purported to allow häçking of Facebook accounts contain viruses, Trojans, ransomware, spyware, adware, and other malicious programs. Facebook häçking software can be divided into two categories, namely, (A) online applications and (B) downloadable applications.
Online applications
Online applications usually require their user to insert a link to the targeted account (e.g., You do not have permission to view the full content of this post. Log in or register now.) in an online form. Afterward, such applications perform simple dictionary attacks, i.e., trying a large number of combinations of passwords to see if any of them is correct. Dictionary attacks may succeed with poorly chosen passwords (e.g., qwerty, 123456, and abc123). However, for more complex passwords, dictionary attacks are unlikely to be successful. Nevertheless, many websites argue otherwise. For example, www.facebookhäçks.net states as follows: “It is a mathematical certainty that bruteforce attempts will eventually get the correct one as there are only a set number of different letters and numbers the password could be. It is simply a matter of time, which is why more complex passes take longer.”
Downloadable applications
In most cases, downloadable applications exploit the “remember me” functionality which allows a Facebook user to access Facebook without re-entering his/her Facebook credentials every time he/she would like to login to the social network. Downloadable applications are usually able to decrypt encrypted Facebook passwords. It should be noted that some downloadable applications for decrypting Facebook passwords are legitimate software which official purpose is to allow Facebook users to recover forgotten Facebook passwords. For example, Elcomsoft, a Moscow-based company, developed a software application called Facebook Password Extractor (FPE). FPE is capable of extracting and decrypting Facebook passwords which are stored by using the “Remember me” functionality. Although the terms of use document governing FPE states that the application is designed for legal purposes, the application may be used by fraudsters for malicious purposes.
Phishing
Facebook is a target of numerous phishing-based scams. The most popular techniques include: (A) creating fake but legitimate-looking Facebook pages which lure victims to submit their login credentials to criminals; (B) sending a bogus warning message stating that the recipient of the message has violated Facebook policies; and (C) creating fake “Like” and “Share” buttons.
Fake Facebook pages
By sending links to fake Facebook pages, crooks intend to mislead their victims into believing that, if they insert their Facebook credentials, they will access Facebook profiles. In fact, the victims will send their credentials to fraudsters who may sell them or use them for committing crimes.
Bogus warning messages
Fraudsters may send bogus warning messages to their victims. The messages, purported to be sent by Facebook, Inc., claim that potential victims’ accounts violated various Facebook legal documents (e.g., Terms of Service and Privacy Policy). Furthermore, the messages state that the recipients can avoid the deletion of their accounts if they insert their Facebook credentials in an online form. Once the recipients insert their credentials, they will be sent to the organizers of the scam and used for malicious purposes.
Fake “Like” and “Share” buttons
Another popular phishing scheme is the insertion of fake Facebook “Like” and “Share” buttons in websites. When the user clicks on one of those buttons, he will be redirected to a fake Facebook login page where he/she will be requested to submit valid login credentials.
Botnet attacks
Facebook Botnets are groups of compromised Facebook accounts which are controlled by attackers. Such botnets are used by häçkers to send malicious links to a large number of Facebook users. The individuals controlling botnets are called bot herders. One can become a bot herder by purchasing or renting a botnet. It is worth mentioning that, on the black market, Facebook botnets are considered a precious commodity. A small botnet consisting of about 50 compromised computers costs around USD 250 – USD 500. Botnets usually conduct one of the following five types of attacks: (A) Hashtag hijacking; (B) Spray and pray; (C) Retweet storm; and (D) Click/Like Farming. Their description follows.
Hashtag hijacking
A hashtag can be defined as a label or metadata tag which allows users of social networks to find easily messages related to a specific theme. A hashtag looks like this: #InfoSecInstitute. Botnets can distribute a vast amount of unsolicited messages by appropriating organization-specific hashtags. Trend-jacking is a popular form of hashtag hijacking that is conducted by sending unsolicited messages using hashtags related to the current top trends.
Spray and pray
“Spray and pray” attack is performed by posting as many links as possible. Although the messages are sent automatically, their content is different. This prevents the activation of the spam checking mechanisms employed by Facebook.
Retweet storm
A retweet storm is an attack whereby one compromised Facebook account (the so-called “martyr account”) posts a malicious message and a large number of other Facebook accounts share the posted messages. In case the account which posted the malicious message is banned by Facebook, the other accounts may be able to spread the message further.
Click/Like Farming
Botnets can also be used to “like” and “share” legitimate content. In such cases, the owners of the legitimate content are not aware that their content is advertised by using compromised computers.
Recommendations on how to protect your Facebook account
Below, we provide a list of security practices which will significantly decrease the chance of successful attacks on your Facebook account.
(A) Do not use “remember me” functionality allowing Facebook to store your credentials on your computer.
(B) Carefully inspect any emails purporting to be sent by Facebook. Immediately disregard such emails if: (i) they do not come from email addresses which end at “facebook.com” and “fb.com”, or (ii) they contain links to email addresses which do not end at “facebook.com” and “fb.com”. Please note that scammers may send you malicious messages from emails ending at “facebook.com.” This can be done by using a technique called “email spoofing.” Therefore, the most secure way to identify a malicious email purported to be sent by Facebook is to send a copy of the message to the Facebook Help Centre. In this regard, the following excerpt from the webpage of the Facebook Help Centre may be helpful: “If you think you’ve received a phishing email, please forward it to phish@fb.com. While we can’t respond to every report we receive, we’ll use the information you provide to investigate the issue and take action if possible.”
(C) Use a strong password. If you use a weak password, your Facebook account can be häçked with a simple dictionary attack.
(D) Log out from your Facebook account before leaving your computer. By doing so, you will destroy the cøøkíés which may be used to häçk your account.
(E) Install an up-to-date anti-virus program. Thus, you will decrease the chance of becoming a part of a botnet.
Credits to: Rasa Juzenaite (author)
Facebook is used by nearly a sixth of the world’s population. This large number of Facebook users are vulnerable to information security attacks. According to a statement published by Facebook, the social networking website received 600,000 fraudulent login attempts per day in 2011. This means that every 140 milliseconds, someone attempts to häçk a Facebook account. The blink of the eye usually takes 300-400 milliseconds.
häçking Facebook accounts does not require sophisticated skills. By way of illustration, a simple Google search reveals numerous instructions on how to gain unauthorized access to a Facebook account. Moreover, there are books giving insight on the topic. For example, the book “How häçkers häçk Facebook & Any Pc?” provides “tricks & methods used by häçker’s all around the world to häçk any Facebook account & any Pc”.
häçked Facebook profiles, in combination with user data picked from other sources (e.g., Twitter, LinkedIn, and check-ins), allow criminals to construct a full personal, financial, and behavioral image of their victims that may be further utilized for committing data thefts and other cyber-crimes.
In this article, we examine the most popular methods for häçking Facebook accounts, provide recommendations on how to protect your Facebook account, and discuss the Facebook bug-reporting initiative “Bug Bounty Program.”
The most popular methods for häçking Facebook accounts
In this section, we discuss three commonly used methods for häçking Facebook accounts, namely, häçking software, phishing, and botnet attacks. Below, each of these methods is examined in more detail.
häçking software
A search in Google for “Facebook häçking” comes up with millions of links allowing immediate download of häçking software. However, most software applications purported to allow häçking of Facebook accounts contain viruses, Trojans, ransomware, spyware, adware, and other malicious programs. Facebook häçking software can be divided into two categories, namely, (A) online applications and (B) downloadable applications.
Online applications
Online applications usually require their user to insert a link to the targeted account (e.g., You do not have permission to view the full content of this post. Log in or register now.) in an online form. Afterward, such applications perform simple dictionary attacks, i.e., trying a large number of combinations of passwords to see if any of them is correct. Dictionary attacks may succeed with poorly chosen passwords (e.g., qwerty, 123456, and abc123). However, for more complex passwords, dictionary attacks are unlikely to be successful. Nevertheless, many websites argue otherwise. For example, www.facebookhäçks.net states as follows: “It is a mathematical certainty that bruteforce attempts will eventually get the correct one as there are only a set number of different letters and numbers the password could be. It is simply a matter of time, which is why more complex passes take longer.”
Downloadable applications
In most cases, downloadable applications exploit the “remember me” functionality which allows a Facebook user to access Facebook without re-entering his/her Facebook credentials every time he/she would like to login to the social network. Downloadable applications are usually able to decrypt encrypted Facebook passwords. It should be noted that some downloadable applications for decrypting Facebook passwords are legitimate software which official purpose is to allow Facebook users to recover forgotten Facebook passwords. For example, Elcomsoft, a Moscow-based company, developed a software application called Facebook Password Extractor (FPE). FPE is capable of extracting and decrypting Facebook passwords which are stored by using the “Remember me” functionality. Although the terms of use document governing FPE states that the application is designed for legal purposes, the application may be used by fraudsters for malicious purposes.
Phishing
Facebook is a target of numerous phishing-based scams. The most popular techniques include: (A) creating fake but legitimate-looking Facebook pages which lure victims to submit their login credentials to criminals; (B) sending a bogus warning message stating that the recipient of the message has violated Facebook policies; and (C) creating fake “Like” and “Share” buttons.
Fake Facebook pages
By sending links to fake Facebook pages, crooks intend to mislead their victims into believing that, if they insert their Facebook credentials, they will access Facebook profiles. In fact, the victims will send their credentials to fraudsters who may sell them or use them for committing crimes.
Bogus warning messages
Fraudsters may send bogus warning messages to their victims. The messages, purported to be sent by Facebook, Inc., claim that potential victims’ accounts violated various Facebook legal documents (e.g., Terms of Service and Privacy Policy). Furthermore, the messages state that the recipients can avoid the deletion of their accounts if they insert their Facebook credentials in an online form. Once the recipients insert their credentials, they will be sent to the organizers of the scam and used for malicious purposes.
Fake “Like” and “Share” buttons
Another popular phishing scheme is the insertion of fake Facebook “Like” and “Share” buttons in websites. When the user clicks on one of those buttons, he will be redirected to a fake Facebook login page where he/she will be requested to submit valid login credentials.
Botnet attacks
Facebook Botnets are groups of compromised Facebook accounts which are controlled by attackers. Such botnets are used by häçkers to send malicious links to a large number of Facebook users. The individuals controlling botnets are called bot herders. One can become a bot herder by purchasing or renting a botnet. It is worth mentioning that, on the black market, Facebook botnets are considered a precious commodity. A small botnet consisting of about 50 compromised computers costs around USD 250 – USD 500. Botnets usually conduct one of the following five types of attacks: (A) Hashtag hijacking; (B) Spray and pray; (C) Retweet storm; and (D) Click/Like Farming. Their description follows.
Hashtag hijacking
A hashtag can be defined as a label or metadata tag which allows users of social networks to find easily messages related to a specific theme. A hashtag looks like this: #InfoSecInstitute. Botnets can distribute a vast amount of unsolicited messages by appropriating organization-specific hashtags. Trend-jacking is a popular form of hashtag hijacking that is conducted by sending unsolicited messages using hashtags related to the current top trends.
Spray and pray
“Spray and pray” attack is performed by posting as many links as possible. Although the messages are sent automatically, their content is different. This prevents the activation of the spam checking mechanisms employed by Facebook.
Retweet storm
A retweet storm is an attack whereby one compromised Facebook account (the so-called “martyr account”) posts a malicious message and a large number of other Facebook accounts share the posted messages. In case the account which posted the malicious message is banned by Facebook, the other accounts may be able to spread the message further.
Click/Like Farming
Botnets can also be used to “like” and “share” legitimate content. In such cases, the owners of the legitimate content are not aware that their content is advertised by using compromised computers.
Recommendations on how to protect your Facebook account
Below, we provide a list of security practices which will significantly decrease the chance of successful attacks on your Facebook account.
(A) Do not use “remember me” functionality allowing Facebook to store your credentials on your computer.
(B) Carefully inspect any emails purporting to be sent by Facebook. Immediately disregard such emails if: (i) they do not come from email addresses which end at “facebook.com” and “fb.com”, or (ii) they contain links to email addresses which do not end at “facebook.com” and “fb.com”. Please note that scammers may send you malicious messages from emails ending at “facebook.com.” This can be done by using a technique called “email spoofing.” Therefore, the most secure way to identify a malicious email purported to be sent by Facebook is to send a copy of the message to the Facebook Help Centre. In this regard, the following excerpt from the webpage of the Facebook Help Centre may be helpful: “If you think you’ve received a phishing email, please forward it to phish@fb.com. While we can’t respond to every report we receive, we’ll use the information you provide to investigate the issue and take action if possible.”
(C) Use a strong password. If you use a weak password, your Facebook account can be häçked with a simple dictionary attack.
(D) Log out from your Facebook account before leaving your computer. By doing so, you will destroy the cøøkíés which may be used to häçk your account.
(E) Install an up-to-date anti-virus program. Thus, you will decrease the chance of becoming a part of a botnet.
Credits to: Rasa Juzenaite (author)
