Five Disturbingly Simple Ways to Steal Facebook Logins

Facebook accounts are precious things. They contain a surfeit of valuable data that cyber criminals can use to steal money from members’ bank accounts. Now the company has bought Instagram, there will be even more valuable information stored in Facebook lockers.

There are plenty of ways hackers can get hold of Facebook login details too. Using old techniques in new guises, cyber criminals are infiltrating accounts, deciding to use the information for themselves or sell their password cracking skills to others.

On one hacker forum, security firm Imperva found the cost of a hacked account to be just $6. That hacker promised to hand over details in just a couple of days. They know how to market themselves too, it seems.

What’s most disturbing is how anyone with a really basic skill-set can acquire such details. Here’s five techniques below, but remember kids, hacking a Facebook account is illegal.

Going straight for Zuckerburg’s throat

The more skilfull hackers will go for Facebook’s jugular and try to get hold of admin rights. Whilst this offers a much more attractive loot than gaining entry into just a few accounts, the risk is significantly higher. In February, a British computer science student was jailed for eight months for smashing into Facebook’s infrastructure.

“It’s the holy grail of hacking,” Noa Bar-Yosef, Imperva’s senior security strategist, told TechWeekEurope. To get inside the infrastructure, hackers will look for vulnerabilities in Facebook itself, target a specific admin with spear phishing, or even bribe one of them. As the old adage goes, everyone has a price.

Brute force

One obvious way to get hold of a password is to use brute force. There are a load of GUI tools that can do this now, making it disturbingly simple for anyone to get involved in Facebook hacking. One of these tools is the Facebreak bruteforcer. Another is facebook Brute. Just look at how straightforward the interface is below.

YouTube is regularly filled with tutorials on how to use these GUIs, in case the tools aren’t idiot-proof enough already. “You really do not need to be too much of a hacker,” Bar-Yosef said. “When you’re talking about Facebook hacking, one of the reasons why it has become so popular is that it’s so easy to carry out, because you have all that GUI.” Some of these tools cost nothing, so not only do you not have to be the next Kevin Mitnick, you won’t have to spend a penny.

Phishing

Phishers are getting awfully talented. Just see below for how much a phishing page looks like the real Facebook login page. Hackers build these fraudulent pages either using basic HTML skills, or by grabbing images from the official sites. Only a handful of vendors provide notification for picking up on excessive scraping of images, so it’s an easy technique for cyber criminals to leverage. Some kits come packaged with a Facebook page too, making it even easier to carry out a phishing attack.

If phishers could get some better URLs that more closely resemble Facebook.com, they would get much better traction from victims. Surely only those with zero security awareness would go to fbaction.net, right? “But if I get an email saying ‘please update your Facebook account because we’ve rolled out new privacy settings’, I’m not even going to look at the URL,” Bar-Yosef said.

Eavesdropping

Facebook only recently opened up the option to use SSL for communications on the service. It’s not yet default like on Twitter. For those who don’t switch it on, they risk being the victim of man-in-the-middle attacks on open Wi-Fi networks. There are plenty of tools for doing this too, similar to the Firesheep software that sought to hijack Twitter sessions in 2010.

Keyloggers

Getting a bit of keylogging malware onto someone’s machine will get hackers the info they want. Hackers use typical methods to get malicious software on people’s machines, including drive-by downloads and social engineering scams, so logins get sent back to command and control (C&C) centres. See below for another GUI tool for managing what’s known as the KGB Keylogger.

There are plenty of other ways to take control of others’ Facebook accounts. There’s data slurping, rogue applications, which can grab different types of data if users are duped into downloading them. Needless to say,

In the above cases, bar brute force attacks, it doesn’t matter how strong a user’s password is. Facebook can’t do much about them either, apart from make HTTPS default rather than just opt-in. So what’s the answer for users? As far as you can, don’t put anything really valuable on Facebook. The more places you store important data online, the greater the attack vector for cyber criminals.

Think you know security? Test yourself with our quiz.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • The Facebook brute force applications are a scam. Facebook only allows limted login attempts before disabling account access.

    • too bad that youre wrong on that point, smart applications uses proxies and change IP once you get a maximum of attempts

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

7 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

7 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

8 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

8 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

9 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

9 hours ago