If you have an Internet connection, you’re probably on Facebook. Despite this nearly ubiquitous use, it’s still fairly shocking how much information we and the network are willing to surrender. Our phone numbers, identities, interests, home address, email addresses, and other personally identifiable information is sitting in an insecure vault behind an easily crackable password. And if you are a hacker, you’re more than aware of this.
Rob Rachwald, Director of Security and Strategy at Imperva, a security firm in California, revealed to us the many strategies that hackers are using to gain access to your personal information and credit card info, all through Facebook. “In general Facebook is not written to be secure. In fact the purpose of Facebook is to violate your privacy as much as possible. So what you’re doing in essence, you’re getting closer to people through an electronic medium at the expense of divulging information about yourself. That’s their business model.” But Rachwald credits Facebook for avoiding massive data breaches, like the Korean social networking competitor CyWorld that was speculated to have 35 million passwords stolen by the Chinese government. In many instances, Rachwald says, it’s actually the users that are divulging too much information or signing up for different sites, although Facebook is not without fault entirely since its platform is inadvertently hosting malicious activities.
With that in mind, here’s a 101 course on what Facebook hacks and attacks you need to keep an eye out for.
While this is an earlier practice that people would use to make money from, it’s evident it still goes on today. Facebook “friends” would sell images of attractive women, usually found in a user’s public Facebook album, to porn sites or publish them on public forums that would then circulate around the Web and without the users’ consent.
People have gotten smarter these days and are using more sophisticated measures, Rachwald tells me. One trend he’s noticed is hackers that are emulating profile information about an existing user and using that profile to deceive the victim’s friends into befriending them again on Facebook. What this means is that a hacker will create a new profile with the same or similar information about that person, including the profile photo, and “re-friend” all of the victim’s friends. In a matter of a few days, the profile created under misleading pretenses could have access to several hundred friends, while in the background a crawler is downloading all the personal data about these new “friends,” including email addresses, phone number, pictures, and other information.
One instance where this could be a particularly dangerous attack is that these “hackers” could ask the victim’s Facebook friends for money due to financial duress – and they might indulge, given that it appears that the request is coming from the friend.
If you’re in an authoritative position and a hacker wants to target you, organizational mapping is one strategy that professionals should be vigilant of. It’s not only on Facebook, and Rachwald says that it’s more of a threat on LinkedIn. Hackers will find out information about the friends of the victim through Facebook and find out who their best friend is. By assuming the false identity of the victim’s “friend,” the chances are greater that the victim will be comfortable clicking on a link with a virus, malware, or spyware embedded in the opened website. This is especially dangerous for individuals like bankers, politicians, and other authoritative professionals.
A tip for anyone who’s wary of opening up suspicious URLs, even if it is from a friend, a personal favorite that I like to use is VirusTotal.com.
What few of you might realize is that all of the photos that you take on a smartphone with GPS logs the exact location where you’ve taken that photo. So if you’re sharing these images to Facebook or another social network for that matter, and you’ve taken one in front or around your home, I could easily find out where you live. And there are a number of websites that can pull this type of information from your photos in an instant.
How hackers are abusing Facebook
Now specific to Facebook, these are the most popular ways that hackers are abusing Facebook.
Facebook for a long time has supported attachments in Facebook Messenger, and there are no in-app precautionary features that help to detect malware in suspicious attachments. Although users can scan files using Facebook endorsed third-party antivirus software. However a file can only be scanned once the attachment has been downloaded and it would be too late by then.
We’ve all seen this before. False photos of Osama Bin Laden’s death for example, when news first broke, circulated on Facebook. Built using a Facebook app that automatically shared the image to your wall when you clicked on it, some versions of it opened up a porn site. Intriguingly enough, some hackers were using this as an opportunity to improve their SEO ranking in Google’s search results. What would happen was that by baiting Facebook users to click on the Bin Laden photo that opened up a porn site, it would improve the site’s ranking in search results when searching for Bin Laden.
Facebook Pages have become a psychological indicator of authority for a website or brand. If there are 100,000 likes on a Facebook Page for a luxury car reseller, it must be legitimate, right? Unfortunately this thought process has deceived many Facebook users. One example of this that Rachwald explains to me was an elaborate scheme that “social” hackers socially engineered to lure users who checked out the Facebook page into purchasing luxury cars on a sham Website for a fraction of its cost. Of course the money being sent was being pocketed and there were no luxury cars to be sold in the first place.
You’d be surprised at how easily you can attain a password hacking program from the Web. Rachwald tells me about one that he’s seen making rounds, and it’s apparently supported by tutorials on YouTube. We wouldn’t recommend that you to look around for these tools since in many instances these programs are laced with Trojans themselves. But with the right program, which use a brute force method to figure out your password, the effects can be devastating to any victim. Especially now, with features like Photo Sync, which automatically syncs every photo that you take from your smartphone, a hacker could get a hold of intimate or personal images that you wouldn’t want see publicly online.
It’s up to you to protect yourself
In the majority of cases, Rachwald tells me, it’s the consumers, or third-party sites that have access to your Facebook data, that are being breached from hackers or being tricked into revealing personal information. Rachwald brings to my attention that in 2009, third-party Facebook game developer RockYou was hacked by an SQL injection method, which Imperva first recognized, and over 30 million names and social media passwords was exposed.
But on some occasions, Facebook will leave itself open to vulnerabilities. For example an anonymous tipster from a hacker forum recognized that when you delete Facebook Messenger’s desktop app, it stays in your registry. The danger here was that Facebook User ID was left exposed, which could easily be copied with a Trojan virus. I checked that vulnerability recently and recognized that it appeared to have been silently patched by Facebook, although the file in my registry remains.
At the end of the day, you’re left on your own to protect your personal information. Rachwald himself isn’t on Facebook for the reasons discussed above. Despite the precautions you might take, Facebook’s obvious reluctance to address its security vulnerabilities means hackers are always coming up with new and innovative measures to manipulate users. Facebook is the largest social network with more than one billion users, making it a hacker’s playground and paradise – and nothing is going to change that.