Thursday, November 3, 2016

// //

How to hack facebook account

Yes facebook account can be hacked. But not the way your are thinking it could. For hacking a facebook account an attackers does not target facebook.  It is illegal to perform hacking activities without their permissions unless you are part of the bug bounty program.
Instead of trying to hack a company which spend millions on its security and infrastructure, compromising a victim's computer system is a low hanging fruit. Once the attacker setup keylogger and backdoor on victim's system, all user activities and accounts including email, social networks, banking, etc can be stolen.
All the hacking groups who hacked twitter and facebook accounts of major companies didn't hack into Twitter or Facebook networks. They targeted the employees of those companies and got lucky in compromising the right user who had passwords for those social networks stored in their system.
Attacker goes for users as humans are weekest link to security they can be easily compromised unless they know the hacking tactics themselves.
You won’t be vulnerable to hacking if you understand how hacking works

Why You should learn to hack facebook

There are tons of reasons that why you should learn to hack. As above  quote stated you will not be vulnerable to facebook hacking tactics used by hackers if you know those tactics too.. If you know how a predator prey on his victims then you would probably save yourself.
These are some of the scenarios you could face in the real world

Facts not worth worrying about

  1. You forget to log out of Facebook from a public computer, or you forget to lock the computer screen at work or at home, and someone else besides you, go to that computer and write on your Facebook wall that you've been "hacked". This has nothing to do with hacking at all (it is related to "red teaming" though, except during this type of exercise, getting access to Facebook accounts is not the target and never will be), but it is probably the most commonly seen "hack". This poses no threat to you, except embarrassment in some cases.
  2. A friend who knows your password, logs into your account and writes on your Facebook wall that you've been "hacked". The password was obtained by asking you for it (beginner level of social engineering, except that this case is not really social engineering if you give up the password when asked for it directly), seeing you type it in (shoulder-surfing), or simply guessing what it is (online brute-forcing). This has very little to do with hacking and poses no threat to you, except embarrassment in some cases. In case this happens, reset/recover your password. This is the most common scenario where Facebook accounts are "compromised", but not really compromised.

How your facebook account can be compromised

  1. You receive an email from a non-targeted mass-phishing campaign that prompts you to log into Facebook, or reset your password. This attack is likely to occur, but can be prevented by not falling for phishing tricks;
  2. You use an app on Facebook that compromises your computer. Similar to malvertising. There is close to no protection against this attack, except not using phony looking apps on Facebook. However, your computer could also be compromised through other websites you browse. In cases of malvertising, the attackers are rarely interested in your Facebook account. They would much rather have access to: passport photos (identity theft), bank accounts, processing power (bitcoins), and network resources (other computers to compromise, or to perform DDoS attacks);
  3. You live in a country that performs heavy monitoring on its citizens. In this case, the mobile phone you buy has likely pre-installed government malware on it. The Internet connections are likely monitored as well. There's nothing you can do without educating yourself about computers.
  4. You "root" your mobile phone. This disables almost all safety/security controls making it easier for your mobile phone to get compromised.
  5. An attacker looks at your profile and looks at all the public data that is exposed to anyone on the Internet. Based on this data, the attacker attempts to recover/reset your password, or even guess it. People tend to use very simple passwords. It's unlikely someone will attempt to hack you this way, unless you control a very popular Facebook page or group with at least 10,000, 100,000 or 1,000,000 subscribers/fans;
  6. An attacker befriends you on Facebook, for heterosexual males this could be a "hot" female, and vice versa. The attacker is able to obtain more information as your friend, in case your privacy settings are more strict for "non-friends".

Why Would hacker not want to hack your account

Attackers will generally not be interested in hacking your Facebook account at all (seriously, hackers don't see any value whatsoever in your Facebook account) unless:
  1. You're a well-known celebrity;
  2. You control a Facebook page or group with +100,000 fans/members, preferably 1  to 10 million;
  3. You have an important role in a large company, where you have access to financial transaction data. In case you do have such a role, don't worry as common sense, will likely never get you hacked by the common tricks they use. In case they do compromise your identity including your Facebook account, you will likely not notice.
There are probably a lot more scenarios, but unfortunately I don't have the time to come up with all of them. If you're going to relay this information elsewhere, keep in mind that you need to relay the exact wording or it will otherwise not make sense.

Yes your facebook account can be compromised

May or may not an attacker target your facebook account but your account can be compromised in many ways (i.e. by multiple methods) and it does not take a master hacker to hack it any noob can do. but there's no reason to worry as the adversaries (i.e. unethical hackers) are likely more interested in everything else besides your Facebook account. Let's get to the tutorial.

Reality of online facebook hacker

To the best of my knowledge there is no such tool, you won’t find it anywhere and yeah if you google it, you would find many websites claim that they are providing free hack tool either online or offline but you cannot download it without completing a survey. Even after completing a survey you won’t get anything in the end. These things are posted only in the intention of making money. Don’t waste your precious time in searching such hack tool. If you want to know how hackers could hack someone’s Facebook account, please go ahead and read the techniques listed below.

Phishing a facebook account is like real world fishing

Phishing is still the most popular attack vector used for hacking Facebook accounts. There are variety methods to carry out phishing attack. In a simple phishing attacks a hacker creates a fake log in page which exactly looks like the real Facebook page and then asks the victim to log in. Once the victim log in through the fake page the, the victims "Email Address" and "Password" is stored in to a text file, and the hacker then downloads the text file and gets his hands on the victims credentials.

How phishing works?

In simple words, Phishing is a process of creating a duplicate copy of a reputed website’s page in the intention of stealing user’s password or other sensitive information like credit card details. In our topic, Creating a page which perfectly looks like Facebook login page but in a different URL like fakebook.com or faecbook.com or any URL which pretends to be legit. When a user lands on such a page, he/she might think that is real Facebook login page and asking them to provide their username and password. So the people who do not find phishing page suspicious might enter their username, password and the password information would be sent to the Facebook hacker who created the phishing page, simultaneously the victim would get redirected to original FB page.

Keyloggers are really dangerous malware

The second, and probably most common, is via a keylogger. This is malware placed on the victims computer that records keystrokes and then ideally, sends it back to you. If you have access to the target computer you can manually do it, if not, you will have to find a way to get them to (unknowingly of course) open the keylogger.

Malicious Browser Extensions

This method doesn’t let the hacker / attacker give complete access to your Facebook account but gives some power to control your account indirectly. I’ve seen multiple Google Chrome and Firefox add-ons which hiddenly perform actions like following a person, liking a page on behalf of your Facebook profile.
When you visit some malicious websites or web pages, you will be prompted to install a browser add-on. Once you install the addon, it would perform all the tasks described by hacker or attacker who created it. Most actions are posting status updates on your wall, liking a Facebook page, following a person, adding you to some Facebook groups, inviting your friends to like a page or join a Facebook group etc. You may not know these things happening in your Facebook account except when you check your Facebook activity log periodically.
You can monitor your activities using a Facebook feature called Activity Log. You should not trust any third party websites prompting you to add a browser extension. Install add-ons only if you trust the publisher. Why should you take a risk if you don’t know the publisher or intention of the addon? Stay from those malicious browser extensions.

Malicious facebook apps

All the apps you use in Facebook are owned by the third party and not by Facebook. Of course, there are few exceptions like Instagram. A malicious application which is requesting your permission could do almost all kind of stuff on your Facebook profile.
Whenever you find Login using a Facebook option on any website, you should come to know that it is a third party Facebook application not owned by Facebook. When you click Login using Facebook, you will be shown a permission dialog box with the requested permission details. Once you click okay button, the requested details can be accessed from Facebook or the requested actions can be performed in your Facebook account.

Permissions asked by facebook apps can lead to total hack

They can ask these permissions which is in other words a total control of facebook account
  • Post photos and status update
  • Share link to your timeline or to any group you belong
  • Manage your page
  • Post on behalf of you on the Facebook pages you own
  • Access your personal information
  • Access your photos including “Only me” privacy photos, sometimes they can access your mobile photos using a Facebook vulnerability
These are just examples of what could be done. What if the application you are using is malicious? It could spam your Facebook account with the bunch of worthless content.
You should always be aware of what permissions you give to a Facebook application even though Facebook is reviewing application’s permission requests. Don’t give permission to an application if you don’t trust the website or application.
You can edit the information you give to an application in the permission dialog box (snapshot given above). Also, you can review the applications that have access to your Facebook account here.

SS7 is the most dangerous hacking attack ever

Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.
The hackers exploit a flaw in the SS7 protocol for hacking Facebook accounts just by knowing a victim’s phone number. The technique allows bypassing any security measure implemented by the giant of the social networks.
SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.The attack method devised by the experts from Positive Technologies works against any service that relies on SMS to verify the user accounts, including Gmail and Twitter,telegram and WhatsApp.

In the case of facebook

The attacker first needs to follow the “Forgot account?” procedure by clicking on a link present in the Facebook homepage. At this point, when asked for a phone number or email address belonging to the target account, the hacker needs to provide the legitimate phone number.
At this point, the attacker can exploit the flaw in the SS7 to hijack the SMS containing a one-time passcode (OTP) that is used to log in the target’s Facebook account.
Hacking a Facebook account ais possible only if users have registered a phone number and have authorized Facebook Texts.

At the End

We will try to keep the article updated. Please provide the response towards the article in the comment section below