Cyber criminals are attacking digital identities and stealing personal data, eventually impersonating their victims with the use of simple tools and psychological tricks.
Patches help counteract bugs in software. But there is one security loophole that is difficult to repair: the individual. Instead of attacking the system directly through the operating system or browser, cyber criminals find it far easier to break into a system if they know how to manipulate the user. Their spoils are digital identities, which command a high price on the Internet black market. Their method? Social hacking. This is the rising form of social engineering currently threatening users of Facebook and other social networking sites. Only users who understand the psychological tricks operating behind these ploys can protect themselves from these social hackers.
Facebook: Rummaging in a digital rubbish bin
Social engineering, the art of deception, has a tradition that goes back a long way (refer to the column on the next page). It was employed against companies for a long time: employees were manipulated and deceived by attackers into revealing inside information. These attacks were driven mainly by the wish to acquire ostensibly innocuous data, like organisation charts depicting the company hierarchy. Such data was acquired through remarkable methods, such as looking for documents in trash cans, the so-called dumpster diving. The arrival of Google and Facebook suddenly made it very simple to gather such data, even from one's living room. "The victim's relationships - and his preferences - can easily be found out from social networks, instead of rummaging in trash bins", says Stefan Schumacher of the Magdeburg Institute for Security Research (MIS).
Attackers can find data on millions of users in the so-called rubbish bins of Facebook. This data can mean a lot of money: mail addresses, telephone numbers, political views, connected web accounts, password hints, etc. Secure.me, a security service provider, undertook a study which showed that 71% of Facebook users share such private (and other) information on Facebook.
"Fake Facebook Hacking Software Scams"
The worth of this data ranges from a few cents to several US dollars, depending on the extent of the data record and the background of the user. Data of users from wealthy western nations is worth more than that of users who live in developing countries. The traders of this stolen data sell it in packets of hundreds or even thousands of records, not as single records, which makes it a very lucrative business for them. Hackers and hacking groups who offer their services in the appropriate forums are the main dealers in this business. And their numbers are intimidating, given the unimaginable number of methods for hacking digital identities.
The ultimate aim of every attack is to gain direct access to the user's account. This involves stealing not only the user's personal details but also those of his friends. There are apps and small programs on Facebook that let the user run applications like games, birthday calendars, etc. These are effectively the lever for such attacks. These apps seem to have an almost magical appeal because they promise features that Facebook fundamentally does not offer - like the "unlike" button.
Last year's experience shows that Facebook users click on such apps without giving it a second thought, particularly if a friend recommended them. Not a single shred of suspicion crosses their minds that their account has been hijacked. And a completely different trick shows that even those who are cautious still become victims of social hacking. If they refused to allow access to their data by "cancelling" the app window, they were directed to a copy of the Facebook main page instead of going back to their profile page. The user was forwarded to a phishing site thanks to a web address hidden behind the "cancel" button on the app window. You can recognise a phishing site by its URL. If this site is used to log into Facebook, one does return to the profile page (the genuine log-in takes place automatically); only now the hacker knows the login details. The user does not realise what has just happened. If that was not scary enough, there's more. Performing the above is merely child's play. App toolkits like Time, which cyber criminals use to simultaneously click on the applications, are available for a mere $25. The criminals use them by the dozen before these apps are blacklisted by Facebook.
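The article's advice is to recognise the copied login page by its URL. As an added example (not code from the article), the following Python checks a login URL for the tricks such copies rely on: a lookalike host, the brand name placed in the path or in the user-info part before the real host, and plain http instead of https. The trusted host list and the example domains are assumptions constructed for this illustration.

```python
from urllib.parse import urlsplit

# Hosts accepted as the genuine site (an assumption made for this example).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}


def is_trusted_host(host):
    """True only for a listed host or a real subdomain of facebook.com."""
    host = host.lower().rstrip(".")
    return host in TRUSTED_HOSTS or host.endswith(".facebook.com")


def check_login_url(url):
    """Return the reasons a login URL should not be trusted; [] means it looks genuine.

    'www.facebook.com.other.example' is NOT a subdomain of facebook.com, and
    'https://www.facebook.com@other.example/' shows the brand in the address bar
    but actually connects to other.example.
    """
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host and strips user-info
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        problems.append("userinfo before host")
    if not is_trusted_host(host):
        problems.append("host is %r, not facebook.com" % host)
        if "facebook" in (parts.path + parts.query).lower():
            problems.append("brand name used in path, not host")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; the .test domains are placeholders, not real sites.
    for sample in (
        "https://www.facebook.com/login.php",
        "http://m.facebook.com/",
        "https://www.facebook.com@login-example.test/",
        "https://www.facebook.com.login-example.test/",
        "https://login-example.test/facebook.com/login",
    ):
        print(sample, "->", check_login_url(sample) or "looks genuine")
```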
Account hacking: Breaking in through the front door
The direct, if less elegant, way of breaking into a user account is by cracking the password. Fast processors and GPUs make these brute-force attacks possible. This is made easier when the user plays directly into the hands of the hackers by setting far too simple passwords. Simple passwords can be cracked easily, particularly when they stem from common words ("password"), typical number combinations ("123456") or very short character strings ("qwerty"). Integrated dictionaries that screen for such simple passwords first can easily be found on hacker forums. Likewise, the mail addresses or usernames required for login can generally be looked up through various sources.
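As an added, defender-side example (not from the article), this Python screener applies the article's observations as a password policy: it rejects the dictionary words, number sequences and short strings named above, catches "word plus digits" variants, and estimates how long an exhaustive brute-force search of the password's character set would take at an assumed guess rate. The dictionary and the guess rate are constructed for the illustration, not measured values.

```python
import string

# Tiny constructed dictionary; the article's examples plus a few similar ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "12345678", "letmein", "welcome"}
MIN_LENGTH = 12


def charset_size(pw):
    """Size of the alphabet a brute-force attack must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_seconds(pw, guesses_per_second=1e10):
    """Worst-case seconds to exhaust the keyspace at an assumed GPU guess rate."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def password_weaknesses(pw):
    """Return the reasons a password would fall to a dictionary or brute-force run."""
    reasons = []
    low = pw.lower()
    stem = low.strip(string.digits)  # "password2012" -> "password"
    if low in COMMON_PASSWORDS:
        reasons.append("in common-password dictionary")
    elif stem in COMMON_PASSWORDS:
        reasons.append("dictionary word plus digits")
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(low)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for sample in ("123456", "Password2012", "correct horse battery staple!"):
        print(repr(sample), password_weaknesses(sample) or "no obvious weakness",
              "%.3g s to exhaust" % brute_force_seconds(sample))
```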
In addition to these Facebook-specific attacks, cyber criminals also resort to classic methods. For this purpose, keyloggers, which record password inputs, or Trojans, which spy on data traffic, are very effective weapons. Cookie theft also enjoys much popularity. Firesheep, the Firefox plug-in, popularised this method of attack. In this case, the hacker could capture the unencrypted transfer of session cookies containing the user's login data and assume his or her identity. But this is no longer possible on desktop computers, because Facebook has in the meantime encrypted the login procedure. Mobile devices are most at risk, especially those running Android. The attackers can take over user accounts with the help of apps like FaceNiff or DroidSheep if they control the user's network. Public places offering WLAN are a major threat in this case.
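What made the Firesheep-style attack work was a session cookie travelling over an unencrypted link. As an added example (not code from the article or from any of the tools it names), the following Python audits Set-Cookie headers from a site's own responses and flags session-like cookies that lack the Secure flag (which keeps the browser from sending them over plain HTTP, where a sniffer on an open WLAN could read them) or the HttpOnly flag. The header lines and the name hints are constructed for this illustration.

```python
# Constructed response headers used as sample input (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",             # sniffable on plain HTTP
    "Set-Cookie: c_user=42; Path=/; Secure; HttpOnly",  # hardened
    "Set-Cookie: theme=dark; Path=/",                   # not a session cookie
    "Content-Type: text/html",
]

# Name fragments that usually mark a cookie as carrying login state (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "user")


def parse_set_cookie(header_line):
    """Split one 'Set-Cookie:' line into (name, value, {attribute: value-or-True})."""
    _, _, body = header_line.partition(":")
    pieces = [p.strip() for p in body.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs have no value
    return name.strip(), value, attrs


def audit_cookies(header_lines):
    """Map each session-like cookie to the protections it is missing."""
    findings = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: sent over plain HTTP, readable on an open WLAN")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by injected script")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", "; ".join(issues))
```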
There are so many enquiries about these weapons in hacking circles that it has fuelled the swindlers into swindling the swindlers! Web services like www.wellmuq.com claim to be able to crack Facebook accounts in mere seconds! One only has to provide the mail address of the victim, and shortly thereafter a confirmation is received that the password has been cracked. To see that password, a fee of only $200 has to be transferred by Western Union - which naturally disappears without a trace.