April 11, 2012

Fb4

In the first of this two-part series, we showed how Facebook profile data is very attractive to different of hackers. But how do hackers gain this information?

The main method to gain access to the Facebook account of a specific user is getting the password. This can be done in myriad ways:

  • Malware. These are different keystroke loggers which record the user’s activity, including passwords to different applications. The malware is typically installed by employing different social engineering techniques which implore the user to download a particular “cool” but, in reality, malicious) app. Malware may also be installed using drive-by-download techniques where the browser is instructed to download malware in an attacker’s controlled server. Obviously, there are also physical ways such as accessing the victim’s machine when the user’s device is left unlocked and unattended.  Click to BIGGIFY:

Fb5

  • Phishing. This method attempts to deceive the user to divulge their credentials by mocking the Facebook login page. In a past entry of ours, we provided an example of such a phishing kit which creates fake Facebook - as well as about a dozen more - sites. This particular kit became quite popular, whereas the hacker boasted more than 200K downloads. Click to BIGGIFY: 

Fb6

  • Bruteforce. The attacker repeatedly attempts the guess the user’s password. This technique is particularly effective against users who tend to use easy and guessable passwords. This YouTube video presents the “Facebreak” bruteforcer. Click to BIGGIFY:

Fb7

Hacking methods by individuals is not only confined to password-grabbing. Other methods have shown to be successful in the past:

  • Hacking a Facebook’s admin rights. Although this requires more effort on the hacker side and so is not as prevalent, this type of an attack stands out. It is the “holy grail” of attacks as it provides the hacker also with all that “inaccessible” data. Not only of a single user – but of all users. Attackers can achieve these rights by hacking into Facebook’s systems, submitting court orders (see below), or even bribing a Facebook administrator. Recently, a hacker was sentenced after hacking into Facebook’s internal system and extracting parts of Facebook’s source code.
  • Building a data-slurping application. Last year a bug in Facebook allowed applications to access users’ private data. Further, Facebook allows the users to set what applications have access to what data. So, even if an application does not initially have permissive rights to access the user’s data, a hacker can entice the user to open up access to these applications.
  • Stealing a user’s Facebook cookie. Such a “cookie” contains sensitive information such as the user’s username and password. Consequently, a hacker who steals the cookie can impersonate the real user. In fact, the ultra-popular application, Firesheep, released last year demonstrated how easy it is to steal a user’s cookie. Firesheep’s simple GUI gave people - including those “clueless” in hacking – the ability to steal Facebook cookies from individuals connecting to public terminals, such as in Starbucks. 

The next two methods can also be carried out by lone hackers, private investigators, and simple cyber-voyeurs. While government-sponsored hackers can use these same tactics on a great scale since they have greater advanced communication interception capabilities.

 

  • Eavesdropping. Although Facebook login information are sent in encrypted format- which prevents eavesdroppers from gaining the credentials, the rest of Facebook’s online activities are not usually encrypted. This means that eavesdropping is as simple as “listening” to open WiFi networks. To respond to this issue, Facebook recently (Jan 26th 2012) Facebook added the option to opt in for SSL for other activities too, see http://www.facebook.com/blog/blog.php?post=486790652130.

  Fb8

We recommend FB users to enable that option, as leaving traffic unencrypted may allow the hackers to listen into the rest of the communication.

Here’s how a hacker could track this information.  First, an innocent message is written in Facebook:

 Fb9
 Then, using a sniffing tool, someone can capture the message:

Fb10

  • Monitoring communications. We put this as a separate technique than eavesdropping since eavesdropping includes the connotation of doing something surreptitiously without ever wanting to be caught. But what about public communications?  Facebook is huge and can provide a lot of information if someone can discern noise from something interesting.  Note how recently the FBI issued an RFI to monitor social media. Further if the info is public then anyone can crawl it. For example, on 2010 an individual collected the public profiles of 100 million Facebook users and published it online in a single downloadable file. The consequence is that even if a user had changed their settings after the scraping of their profile – this was too late since people already had their profile details.

In addition to the above methods, government-sponsored hackers have that extra power which allow them to obtain users’ Facebook data – including the “inaccessible” portions:

  • Altering the Facebook communication. As mentioned, Facebook credentials are typically sent encrypted under the SSL protocol. However, Tunisia got around this obstacle by injecting Javascript code to the applications’ login page. That extra piece of code allowed all credentials to be re-routed to a Tunisian controlled site.  In another case, the Iranian government was able to spoof SSL and act as a man-in-the-middle tapping into users’ Facebook communications. In Tunisia, for example, targets found that Facebook groups they founded were deleted, as were pictures of protests.
  • Legal means. Of course, there are legal routes to obtain the data. Facebook lists the required guidelines for law enforcement to access records. For instance, in the US, the agency must have a subpoena or court order. And, there’s also Max Schrem’s way – simply ask for it under the European data protection law.  
Share:

Posted by Imperva Blogger at 12:00:00 AM


Tags:

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.