By VirtualThreat

3 Ways Facebook Hackers Target Your Account

Chris Dougherty
Virtual Threat Contributing Writer

 

Facebook accounts are an often overlooked gateway into an individual’s personal life. We, as social networking users, have few reservations about posting our photos, location, plans to travel, private outbursts, and information regarding friends, family and work. We include names, phone numbers, email addresses, GPS coordinates and the list goes on and on. But you ask, “What’s to worry? After all, I am only posting this information for friends and family to see, right?” The simple answer is no. Facebook hackers want your information.

The truth is that many of your friends’ and family’s accounts are being hacked every day. By successfully compromising your Facebook account an attacker has unlimited access to a wealth of information about you, your friends and your family. In addition, if a hacker gets your Facebook password, I think it’s reasonable to assume that he could then take over your email accounts, bank accounts, and other private information as well. The following 3 Methods of Facebook Hacking are something that everyone should make themselves aware of. When you have learned the attacker’s methods you can begin to protect the information that you so freely give out on the internet.

1. Social Engineering:
Generally the first thing a hacker will do is to find a way directly to your inner circle. One way an attacker might start is by “friending” some of your closest friends, family and coworkers on Facebook. Once enough mutual “friends” are built up, they will eventually work their way up to sending you a friend request. It may appear to come from a name that you know, or perhaps some curious account with a hot profile picture to grab your attention. Either way, you look at the list of mutual friends and you click “Confirm” on the friend request, allowing the attacker access to a gold mine of information.

Once the attacker is on your “friends” list he can see all of your photos, the friends and family that you talk to the most, your daily activities and more. In addition, he may be able to access your email address, phone number, the schools you went to, and where you currently work.

Armed with this information the hacker can now move on to the next level of attack, attempting to access your login details and other private information.

The lesson to be learned here is “Don’t accept friend requests unless you’re darned sure you actually know the person on the other end”. Either confirm the friend request by phone, by sending a private Facebook message asking for some specific details, or by only adding friends where you have initiated the friend request.

2. Brute Force:
Once the hacker has gained access to the names of your cats and dogs, children’s names, birthdays, etc., he will begin the process to brute force your Facebook password. This means he will make repeated attempts to log in to your account using a list of words and variations taken from the information you post to your account. If the information gleaned from your profile, posts and photos does not yield a hit, he will move on using automated applications and dictionary files to attempt to crack the password. There are a bunch of tools that claim to do this automatically; one only has to perform a quick Google search to find a page full of options.


A potential user of brute force applications can find unlimited tutorials on sites like YouTube. With the availability of tools like this, I suspect anyone with a keyboard has the potential to get your password if you aren’t careful. However, if you use long passwords, consisting of numbers, upper and lower case letters plus a special character (e.g., %, $, !, @), I think you should be a bit safer from these brute force types of attacks.
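The point about guesses drawn from your own profile can be checked before a password is ever used. The JavaScript below is an added example, not code from the original article: it flags a password that contains names or dates from a list of profile facts, even when it mixes upper and lower case, digits and symbols. The function names, the substitution table and the sample facts are assumptions made for illustration.

```javascript
// Added example (not from the article): flags passwords built from facts
// visible on a profile, even when they satisfy character-class advice.

// Common character substitutions, mapped back to the letter they stand for.
// This table is an assumption for illustration, not an exhaustive list.
const SUBSTITUTIONS = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };

// Lowercase, undo substitutions, and keep letters only.
function lettersOnly(text) {
  return Array.from(text.toLowerCase(), (ch) => SUBSTITUTIONS[ch] || ch)
    .join('')
    .replace(/[^a-z]/g, '');
}

// True when the password mixes upper case, lower case, digits and symbols.
function hasAllCharacterClasses(password) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].every((re) => re.test(password));
}

// List the profile facts a password is derived from (empty array = none found).
function personalInfoFindings(password, profileFacts) {
  const findings = new Set();
  const pwLetters = lettersOnly(password);
  const pwDigitRuns = password.match(/\d{4,}/g) || [];
  for (const fact of profileFacts) {
    // Names and words of 3+ letters, matched after undoing substitutions.
    for (const word of fact.toLowerCase().split(/[^a-z]+/)) {
      if (word.length >= 3 && pwLetters.includes(word)) findings.add(`word:${word}`);
    }
    // Date fragments: any 4+ digit run in the password that occurs in the fact.
    const factDigits = fact.replace(/\D/g, '');
    for (const run of pwDigitRuns) {
      if (factDigits.includes(run)) findings.add(`digits:${run}`);
    }
  }
  return [...findings];
}

// Constructed sample profile facts (pet name, child's name, birthday).
const SAMPLE_FACTS = ['Rex', 'Maxine Smith', '2009-06-14'];
```

Run against the sample facts, a password such as `R3x2009!` passes the character-class test yet is reported as built from the pet name and the birth year.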

 

3. Phishing:
According to Wikipedia, “Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.”

In layman’s terms this means phishing is the act of a hacker creating a clone of a well known website login page, such as Facebook or your bank, with the hopes of tricking you into inputting your username and password on the page. Once you type your information into the login form, and click the submit button, your name and password are added to a database or sent to a fake email address controlled by the hacker.

A hacker can use any of several methods to grab your Facebook information through phishing techniques.  The easiest way is to create a fake Facebook login page, put it on a free hosting service and then send you an email or Facebook post with a link to the page.  The problem with this method is the fact that the domain name in the link and your browser address bar should be a dead giveaway as shown in the image above.
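The address-bar check described above can also be done mechanically. This added example (not from the original article) parses a link and reports whether its host really sits under the expected domain; the function name and the `.example` sample links are constructed for illustration. It cannot detect the DNS manipulation discussed later, where the genuine name resolves to the wrong server.

```javascript
// Added example (not from the article): decide whether a link really points
// at a host under the expected site, instead of judging it by eye.

// Return { ok, host, reason } for a link claimed to lead to `expectedDomain`.
function checkLoginLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { ok: false, host: null, reason: 'not a valid absolute URL' };
  }
  // The WHATWG URL parser lowercases the host and converts it to punycode.
  const host = url.hostname.replace(/\.$/, '');
  if (url.protocol !== 'https:') {
    return { ok: false, host, reason: 'not HTTPS' };
  }
  if (url.username || url.password) {
    // Anything before "@" is login data, not the host, however familiar it looks.
    return { ok: false, host, reason: 'text before "@" is not the host' };
  }
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    // Non-ASCII letters can imitate ASCII ones; treat such hosts as suspect.
    return { ok: false, host, reason: 'internationalized (punycode) host name' };
  }
  // Match on a label boundary: the host is the domain itself or a subdomain of it.
  if (host === expectedDomain || host.endsWith('.' + expectedDomain)) {
    return { ok: true, host, reason: 'host is under ' + expectedDomain };
  }
  return { ok: false, host, reason: 'host is not under ' + expectedDomain };
}

// Constructed sample links; the *.example hosts are placeholders.
const SAMPLE_LINKS = [
  'https://www.facebook.com/login.php',
  'https://www.facebook.com.login.example/login.php',
  'https://www.facebook.com@login.example/',
  'https://facebook-login.example/',
  'http://www.facebook.com/login.php',
  'https://www.faceb\u043eok.com/', // Cyrillic letter in place of Latin "o"
];
```

Only the first sample link passes; the others fail on the host, the scheme, or the parts of the URL that merely look like the host.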

Another, more popular method is to use a technique called “tab nabbing”. Tab nabbing is an exploit where an attacker sends you a link to a regular-looking web page such as a game or a video. When you switch to another tab in your browser, the original page does a quick refresh to a fake Facebook, bank or email login page. The tab-nabbing exploit takes advantage of user trust and inattention to detail in regard to tabs. Many internet users don’t bother to look at the URL of a tab they’ve already been on. Here is a video example showing how a simple tab-nabbing attack works.

 

 

 

 

When attempting to compromise the account of a more experienced internet user, hackers may utilize a combination of tools for a more sophisticated attack. Some of these tools include ettercap and the Social Engineer Toolkit’s Credential Harvester. With this type of attack the hacker can manipulate your DNS configuration, the service that translates domain names to IP addresses. Once your DNS has been changed, all of your internet requests to www.facebook.com will go to a server under the attacker’s control. This type of attack is very difficult to identify because the actual domain name Facebook.com will appear in your internet browser address bar.

 

6 Simple Steps To Keep Your Account Safe:

  • When logging in to your Facebook account, always double check the URL in your browser’s address bar
  • Use long, complicated passwords that utilize upper and lower case letters, numbers, and special characters
  • Do not post personal information to your Facebook profile (e.g., phone numbers, email address, etc.)
  • Review and adjust your privacy settings, in both your browser and your Facebook account, on a regular basis
  • Only allow people on your “Friends” list that you have personally sent a friend request to. Do not accept blind requests!
  • If you do accept a friend request from someone, make certain that you have verified the person on the other end using some other means.

The internet brings convenience, business growth, and the opportunity to share your thoughts and memories with friends and family. It also allows an attacker unlimited access to your life and private information. By following a few simple guidelines, you can keep yourself a bit safer on social networking sites like Facebook.com.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.


