There are some simple ways to hack Facebook accounts, so users should be wary about what they hand over to Zuckerberg and Co
Facebook accounts are precious things. They contain a surfeit of valuable data that cyber criminals can use to steal money from members’ bank accounts. Now that the company has bought Instagram, there will be even more valuable information stored in Facebook lockers.
There are plenty of ways hackers can get hold of Facebook login details too. Using old techniques in new guises, cyber criminals are infiltrating accounts, either using the information for themselves or selling their password cracking skills to others.
On one hacker forum, security firm Imperva found the cost of a hacked account to be just $6. That hacker promised to hand over details in just a couple of days. They know how to market themselves too, it seems.
What’s most disturbing is how anyone with a really basic skill-set can acquire such details. Here are five techniques below, but remember kids, hacking a Facebook account is illegal.
Going straight for Zuckerberg’s throat
The more skilful hackers will go for Facebook’s jugular and try to get hold of admin rights. Whilst this offers a much more attractive loot than gaining entry into just a few accounts, the risk is significantly higher. In February, a British computer science student was jailed for eight months for smashing into Facebook’s infrastructure.
“It’s the holy grail of hacking,” Noa Bar-Yosef, Imperva’s senior security strategist, told TechWeekEurope. To get inside the infrastructure, hackers will look for vulnerabilities in Facebook itself, target a specific admin with spear phishing, or even bribe one of them. As the old adage goes, everyone has a price.
One obvious way to get hold of a password is to use brute force. There are a load of GUI tools that can do this now, making it disturbingly simple for anyone to get involved in Facebook hacking. One of these tools is the Facebreak bruteforcer. Another is facebook Brute. Just look at how straightforward the interface is below.
YouTube is regularly filled with tutorials on how to use these GUIs, in case the tools aren’t idiot-proof enough already. “You really do not need to be too much of a hacker,” Bar-Yosef said. “When you’re talking about Facebook hacking, one of the reasons why it has become so popular is that it’s so easy to carry out, because you have all that GUI.” Some of these tools cost nothing, so not only do you not have to be the next Kevin Mitnick, you won’t have to spend a penny.
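The flip side of the brute-force tools described above is that password guessing is noisy: it leaves a dense run of failed logins for one account from one source, often followed by a success. The following is an added example, not code from the article or from Facebook or Imperva, of the detection logic a service operator would run over authentication logs. The log format (timestamp, result, account, source IP) and the sample lines are constructed for the example; the thresholds are assumptions to be tuned per service.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical
# "<ISO timestamp> <OK|FAIL> <account> <source ip>" format.
# alice: six rapid failures then a success from the same address.
# bob:   two slow failures, then a success from a different address.
SAMPLE_LOG = """\
2012-05-01T10:00:01 FAIL alice 203.0.113.7
2012-05-01T10:00:02 FAIL alice 203.0.113.7
2012-05-01T10:00:03 FAIL alice 203.0.113.7
2012-05-01T10:00:04 FAIL alice 203.0.113.7
2012-05-01T10:00:05 FAIL alice 203.0.113.7
2012-05-01T10:00:06 FAIL alice 203.0.113.7
2012-05-01T10:00:07 OK alice 203.0.113.7
2012-05-01T10:05:00 FAIL bob 198.51.100.2
2012-05-01T10:20:00 FAIL bob 198.51.100.2
2012-05-01T11:30:00 OK bob 198.51.100.9
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, result, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, account, ip))
    return sorted(events)


def detect_brute_force(events, threshold=5, window_minutes=10):
    """Sliding-window count of failures per (account, source ip).

    Returns a dict mapping each (account, ip) that reached `threshold`
    failures inside `window_minutes` to the time it first crossed the line.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # (account, ip) -> timestamps of recent failures
    first_flagged = {}
    for ts, result, account, ip in events:
        if result != "FAIL":
            continue
        key = (account, ip)
        bucket = recent[key]
        bucket.append(ts)
        # Forget failures that have aged out of the window.
        while ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and key not in first_flagged:
            first_flagged[key] = ts
    return first_flagged


def successes_after_burst(events, first_flagged):
    """A success from the same (account, ip) after the burst was flagged is
    the strongest sign the guessing worked; those pairs need a forced
    password reset and session invalidation, not just a lockout."""
    hits = set()
    for ts, result, account, ip in events:
        key = (account, ip)
        if result == "OK" and key in first_flagged and ts >= first_flagged[key]:
            hits.add(key)
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = detect_brute_force(evts)
    print("bursts:", sorted(flagged))
    print("likely compromised:", sorted(successes_after_burst(evts, flagged)))
```

Keying on the account alone would also catch a distributed attack that rotates source addresses; keying on the source alone catches one address spraying many accounts. In practice both counters run side by side, and a lockout or CAPTCHA is applied to the account rather than to the address, since the attacker controls the latter.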
Phishers are getting awfully talented. Just see below for how closely a phishing page resembles the real Facebook login page. Hackers build these fraudulent pages either using basic HTML skills, or by grabbing images from the official sites. Only a handful of vendors provide notification for picking up on excessive scraping of images, so it’s an easy technique for cyber criminals to leverage. Some kits come packaged with a Facebook page too, making it even easier to carry out a phishing attack.
If phishers could get some better URLs that more closely resemble Facebook.com, they would get much better traction from victims. Surely only those with zero security awareness would go to fbaction.net, right? “But if I get an email saying ‘please update your Facebook account because we’ve rolled out new privacy settings’, I’m not even going to look at the URL,” Bar-Yosef said.
Facebook only recently opened up the option to use SSL for communications on the service. It’s not yet default like on Twitter. Those who don’t switch it on risk being the victim of man-in-the-middle attacks on open Wi-Fi networks. There are plenty of tools for doing this too, similar to the Firesheep software that sought to hijack Twitter sessions in 2010.
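What Firesheep-style tools pick up on an open network is not the password but the session cookie, which a browser will send over plain HTTP unless the cookie carries the Secure attribute and the site steers clients onto HTTPS. The check below is an added example, not code from the article or from any of the services it names: it audits a service's own Set-Cookie and Strict-Transport-Security response headers for the settings that close that gap. The header samples are constructed, and the list of name fragments used to guess which cookies are session cookies is an assumption.

```python
# Assumed heuristic: cookie names containing these fragments are treated as
# session or authentication cookies and therefore held to the strict rules.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample Set-Cookie headers from a hypothetical HTTPS response.
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",            # no Secure: leaks on any http:// request
    "auth_token=def456; Path=/; Secure; HttpOnly",   # hardened
    "lang=en; Path=/",                               # preference cookie, not sensitive
]

# Constructed sample of the other response headers (lower-cased names).
SAMPLE_RESPONSE_HEADERS = {
    "content-type": "text/html",
    # No strict-transport-security header present.
}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return [(cookie_name, [missing attributes])] for session-like cookies
    that lack Secure (sidejackable over plain HTTP) or HttpOnly (readable by
    injected script)."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def hsts_enforced(response_headers, min_max_age=86400):
    """True when Strict-Transport-Security is present with a max-age of at
    least `min_max_age` seconds, so browsers refuse to downgrade to HTTP."""
    value = response_headers.get("strict-transport-security")
    if not value:
        return False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val) >= min_max_age
            except ValueError:
                return False
    return False


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIES):
        print(f"{name}: missing {', '.join(missing)}")
    print("HSTS enforced:", hsts_enforced(SAMPLE_RESPONSE_HEADERS))
```

Making HTTPS the default, as the article asks of Facebook, is the first half of the fix; a session cookie without Secure still travels in the clear the moment a user types the bare domain or follows an http:// link, and only the Secure attribute and an HSTS policy stop that.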
Getting a bit of keylogging malware onto someone’s machine will get hackers the info they want. Hackers use typical methods to get malicious software on people’s machines, including drive-by downloads and social engineering scams, so logins get sent back to command and control (C&C) centres. See below for another GUI tool for managing what’s known as the KGB Keylogger.
There are plenty of other ways to take control of others’ Facebook accounts. There’s data slurping, and there are rogue applications, which can grab different types of data if users are duped into downloading them. Needless to say,
In the above cases, bar brute force attacks, it doesn’t matter how strong a user’s password is. Facebook can’t do much about them either, apart from making HTTPS the default rather than opt-in. So what’s the answer for users? As far as you can, don’t put anything really valuable on Facebook. The more places you store important data online, the larger the attack surface for cyber criminals.