The Hacked Man (Part 1) - Facebook : Rummaging a digital rubbish bin

10/1/2012 9:41:38 PM

Cyber criminals are attacking digital identities and stealing personal data, eventually impersonating their victims with the help of simple tools and psychological tricks.

Patches help counteract bugs in software. But there is one security loophole that is difficult to repair: the individual. Instead of attacking the system directly through the operating system or browser, cyber criminals find it far easier to break in if they know how to manipulate the user. Their spoils are digital identities, which command a high price on the Internet black market. Their method? Social hacking, the rising form of social engineering currently threatening users of Facebook and other social networking sites. Only users who understand the psychological tricks behind these ploys can protect themselves from social hackers.

Facebook: Rummaging a digital rubbish bin

Social engineering, the art of deception, has a long tradition (refer to column on next page). For years it was employed against companies: employees were manipulated and deceived by attackers into revealing inside information. These attacks aimed mainly at ostensibly innocuous data, such as organisation charts depicting the company hierarchy. Attackers went to remarkable lengths to obtain it, even searching trash cans for discarded documents, a practice known as dumpster diving. The arrival of Google and Facebook suddenly made it very simple to gather such data, even from one's living room. "The victim's relationships, and his preferences, can easily be found out from social networks instead of by rummaging in trash bins", says Stefan Schumacher of the Magdeburg Institute for Security Research (MIS).

Attackers can find data on millions of users in Facebook's so-called rubbish bins. This data is worth a lot of money: mail addresses, telephone numbers, political views, connected web accounts, password hints and more. A study by the security service provider Secure.me showed that 71% of Facebook users share such private information on Facebook.

"Fake Facebook Hacking Software Scams"

The worth of this data ranges from a few cents to several US dollars, depending on the extent of the record and the background of the user. Data on users from wealthy western nations is worth more than that of users in developing countries. Traders sell the stolen data in batches of hundreds or even thousands of records rather than singly, which makes it a very lucrative business. Hackers and hacking groups offering their services on the appropriate forums are the main dealers, and their numbers are intimidating, given the vast number of methods for hacking digital identities.

The ultimate aim of every attack is direct access to the user's account. This yields not only the user's own personal details but also those of his friends. Facebook apps, the small programs that provide games, birthday calendars and the like, are the lever for such attacks. These apps exert an almost magical appeal because they promise features that Facebook simply does not offer, such as an "unlike" button.

Last year's experience shows that Facebook users click on such apps without a second thought, particularly if a friend has recommended them. Not a shred of suspicion crosses their minds that the friend's account was hijacked. A completely different trick shows that even cautious users fall victim to social hacking. If they refused the app access to their data by "cancelling" the app window, they were directed to a copy of the Facebook main page instead of back to their profile page: a web address hidden behind the "cancel" button forwarded them to a phishing site. You can recognise such a fake site by its URL. If the user logs into Facebook through it, he does return to his profile page (the genuine login takes place automatically), but now the hacker knows the login details, and the user does not realise what has just happened. If that were not scary enough, there is more: all of this is child's play. App toolkits like Time, which let cyber criminals assemble such applications with a few clicks, are available for a mere $25. The criminals churn them out by the dozen before the apps are blacklisted by Facebook.

Account hacking: Breaking in through the front door

The direct, if less elegant, way of breaking into a user account is to crack the password. Fast processors and GPUs make such brute-force attacks feasible, and the user plays into the hackers' hands by choosing far too simple passwords. Simple passwords are cracked quickly, particularly when they are common words ("password"), typical number sequences ("123456") or very short character strings ("qwerty"). Dictionaries of such passwords, which the cracking tools try first, are easy to find on hacker forums. Likewise, the mail addresses or usernames required for login can be gathered from various sources.


In addition to these Facebook-specific attacks, cyber criminals also resort to classic methods. Keyloggers, which record password input, and Trojans, which spy on data traffic, are very effective weapons here. Cookie theft (Cookie-Klau) also enjoys much popularity; Firesheep, the Firefox plug-in, popularised this attack. The hacker captured session cookies containing the user's login state as they were transferred unencrypted, and could then assume the user's identity. This is no longer possible on desktop computers, because Facebook has in the meantime encrypted the login procedure. Mobile devices are most at risk, especially those running Android: attackers who control the user's network can take over accounts with the help of apps like FaceNiff or DroidSheep. Public WLAN hotspots are the major threat in this case.
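A defender's check for the cookie weakness described above, as an added example that is not part of the original article: it parses Set-Cookie headers (constructed samples, not real Facebook responses) and reports which session cookies a browser would still send over plain HTTP, where a Firesheep-style sniffer on a shared WLAN could read them.

```python
"""Added example (not from the original article): audit Set-Cookie headers
for the weakness Firesheep exploited. A browser sends any cookie lacking the
`Secure` attribute over plain HTTP, where anyone on the same WLAN can read it
and reuse the session. The header lines below are constructed samples."""

# Heuristic name fragments that usually mark the login session cookie (constructed list).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lowercase attribute names to their value, or True for flags
    such as Secure and HttpOnly that carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def exposed_over_plain_http(set_cookie_headers):
    """Names of cookies a browser would attach to an http:// request to the site."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers
            if "secure" not in parse_set_cookie(h)[2]]


def audit_session_cookies(set_cookie_headers):
    """Return (cookie_name, missing_attribute) for every session-looking cookie
    that lacks Secure (sniffable on open WLAN) or HttpOnly (readable by scripts)."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue
        for required in ("Secure", "HttpOnly"):
            if required.lower() not in attrs:
                findings.append((name, required))
    return findings


# Constructed headers: a pre-2011 style login response beside a hardened one.
LEGACY_RESPONSE = ["sessionid=abc123; Path=/; Domain=.example.com", "lang=en; Path=/"]
HARDENED_RESPONSE = ["sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
                     "lang=en; Path=/"]

if __name__ == "__main__":
    print("legacy leaks over HTTP:", exposed_over_plain_http(LEGACY_RESPONSE))
    print("legacy findings:", audit_session_cookies(LEGACY_RESPONSE))
    print("hardened findings:", audit_session_cookies(HARDENED_RESPONSE))
```

The hardened response still leaks the harmless `lang` cookie over HTTP, which is fine; what matters is that the session cookie is confined to HTTPS.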

There are so many enquiries about these weapons in hacking circles that it has fuelled swindlers into swindling the swindlers. Certain web services claim to be able to crack Facebook accounts in mere seconds: one only has to provide the victim's mail address, and shortly afterwards a confirmation arrives that the password has been cracked. To see that password, a fee of only $200 has to be transferred by Western Union, which naturally disappears into nothing.
