27 August 2016

10 WAYS TO HACK FACEBOOK ACCOUNT | PREVENTION AND SAFETY MEASURES

August 14, 2016 

How hackers could hack into someone’s Facebook account?

This is one of the most searched and hot topics around the Internet. I have prepared a detailed list of how hackers could hack our Facebook account and how could we prevent the same. As a Facebook security researcher, i get these question frequently from many people 
Is there any Facebook cracker tool? 
Where can i get Facebook hacking software? 
Is there any free Facebook password finder? 

To the best of my knowledge there is no such tool, you won’t find it any where and yeah if you google it, you would find many websites claim that they are providing free hack tool but you cannot download it without completing a surevey. Even after completing survey you won’t get anything in the end. These things are posted only in the intension of making money. Don’t waste your precious time in searching such hack tool. If you want to know how hackers could hack Facebook accounts, please go ahead and read the techniques listed below.

Some of the techniques listed below are not only applicable to Facebook but to all daily used internet websites like Google, Twitter, Yahoo etc.

You won’t be vulnerable to hacking if you understand how hacking works

First of all, let me tell you one thing. This article is purely for educating people about how hacking works and how should they prevent it. Please don’t use these techniques for any malicious purposes.

1 Phishing 

Phishing is the most common technique used for hacking Facebook passwords. It is easy for anyone who is having little technical knowledge to get a phishing page done and that is why phishing is so popular. Many people become a victim of Phishing page due to its trustworthy layout and appearance.
How phishing works?

In simple words, phishing is a process of creating a duplicate copy of a reputed website’s page in the intention of stealing user’s password or other sensitive information like credit card details. In our topic, Creating a page which perfectly looks like Facebook login page but in a different URL like fakebook.com or faecbook.com or any URL which pretends to be legit. When a user lands on such page, he/she might think that is real Facebook login page and asking them to provide their username and password. So the people who don’t find phishing page suspicious might enter their username, password and the password information would be sent to the hacker/attacker who created the phishing page, simultaneously the victim would get redirected to original Facebook page.

Example : John is a programmer, he creates a Facebook login page with some scripts to enable him to get the username and password information and put it in https://www.facebouk.com/make-money-online-tricks. Peter is a friend of John. John sends a message to Peter “Hey Peter, I found a way to make money online easily you should definitely take a look at this https://www.facebouk.com/make-money-online-tricks”. Peter navigate to the link and see a Facebook login page. As usual Peter enters his username and password of Facebook. Now the username and password of Peter was sent to John and Peter get redirected to a money making tips page https://www.facebouk.com/make-money-online-tricks-tips.html. That’s all Peter’s Facebook account is hacked. Learn more about phishing, prevention measures and how to create a phishing page easily in minutes.
How could you protect yourself from Facebook phishing?

Hackers can reach you in many ways like email, personal messages, Facebook messages, Website ads etc. Clicking any links from these messages would lead you to a Facebook login page. Whenever you find a Facebook login page, you should note only one thing which isURL because nobody can use Facebook URL except when there are some XSS zero day vulnerabilities but that’s very rare scenario.

What is the URL you see in browser address bar? Is that really https://www.facebook.com? Is there any Green colour secure symbol (HTTPS) provided in the address bar? Keeping these questions in your mind would prevent you from getting hacked of phishing. Also see the below examples of phishing pages.

Some perfectly looking phishing pages are listed below.

Facebook Phishing Page – Note the misleading URL

Most of the people won’t suspect this page (snapshot given above) since there is https prefix with green colour secure icon and no mistake in www.facebook.com. But this is a phishing page how? Note the URL correctly. It is https://www.facebook.com.infoknown.com so www.facebook.com is a subdomain of infoknown.com. Google Chrome don’t differentiate the sub-domain and domain unlike Firefox do. SSL Certificates (HTTPS) can be obtained from many vendors, few vendors give SSL Certificate for Free for 1 year. Its not a big deal for a novice to create a perfect phishing page like this. So be aware of it.

Facebook Phishing Page – Note the misleading URL.

This is a normal Facebook Phishing page with some modification in the word Facebook.
2 Social Engineering

This is the second most common technique of hacking Facebook accounts. Actually this method shouldn’t come under Hacking since there are no technical knowledge required for this method. I am listing this method under hacking to ensure the list of most common techniques used for Facebook account hacking in their respective order. Social engineering is basically a process of gathering information about someone whose account you need to hack. Information like date of birth, their mobile number, their boyfriend / girlfriend’s mobile number, nickname, mother’s name, native place etc.
How Social Engineering works?
Security Question

Facebook-Social-Engineering-Security-Question

Many websites have a common password reset option called Security Question. Most common security questions would be “What is your nickname?” , “What is your 10th grade score?” , “What is your native place?” or any custom questions defined by user. Obtaining these informations from the respective people might let us hack into their account. Facebook also provides security question as password recovery option. So if anyone got to know the answer of it, they could hack your account using forgot password option.
Most Common and Weak Passwords

Security Question does not let you to get into others Facebook account easily. But setting a weak password would easily allow any of your friends to hack into your account. What is a weak password in this scenario? The password which can be easily guessed by a third person is called weak password. Below are some of the most common passwords people tend to use in Facebook. 
Mobile Number 
Nickname / Name and Date of Birth Conjunction 
Boy Friend’s / Girl Friend’s Mobile Number – Most of the lovers 
Boy Friend’s / Girl Friend’s Name – Most of the lovers 
Boy Friend and Girl Friend Name Combination 
Bike Number 
Unused / Old Mobile Number 
Pet Name 
Closest Person Name (can be friends too) 

Now be honest and comment here if you are one of the people who have any one of the common passwords stated above. Don’t forget to change your password before making a comment 
How could you protect yourself from Social Engineering? 
Security Question

Don’t have a weak or familiar security question/answer. It should be known only to you. You can set your Facebook security question here. Facebook also have an option called “Login Alerts” under Facebook Security Settings, you should add your mobile or email there to get notified whenever your Facebook account is logged in to a new or unknown device.
Most Common and Weak Passwords

Very simple. Change your Facebook password now if you have any one of the weak passwords stated above.
3 Plain Password Grabbing


This is another common method used to steal Facebook user’s password. Most people are unaware of these method but traditional hackers use this method to get many users email and password.
How Plain Password Grabbing works? 

In this method, the hacker / attacker would target a particular low quality website where the victim is a member and hack their database to get the stored plain username & password of victim. Here how could the attacker get access to Facebook? Many of us use the same password for Facebook and some poorxyz.com so its easy for a hacker to get your password through the low quality poorxyz.com

In another scenario, the hacker / attacker would create a website in the intension of getting users password. Whenever a user signup or register his account using email and create a password and those details would be stored in their db. So they get your email and password. Common people who uses same email and password for these kind of low quality websites would end up getting their Facebook account hacked.
How could you protect yourself from Facebook Plain Password Grabbing? 

You should never trust third party low quality websites, even popular websites like Linkedin passwords are getting hacked. So never ever trust third party low quality websites. Most of the website developers are storing plain passwords in database without even thinking about encryption or security. This makes hackers job easy since the password is stored as plain text. Best way to prevent this method is to have a unique password at least for websites you really trust. Don’t use your Facebook password for any other website/portal and that’s when your password would never get exposed.
4 Key Logger


Key logger is a software tool used to record keystrokes of a computer. This in turn records everything you type using your keyboard and store it for use.
How Key Logging works?

Most keyloggers run in background and won’t be viewable to users until you know the keylogger password and shortcut used to view it. It would record all the keys pressed and give you a detailed report of when and what keys are used for what application. Anyone who is reading the keylogger logs would know the Facebook password or any passwords typed and sensitive information like credit cards, bank username password etc. Whenever you login to a public computer, there are chances for you to get your password hacked. In another scenario, your friend/colleague/neighbour could ask you to login using their computer as a help. If their intension is to get your password then you are most likely to get your Facebook account hacked.

Refog is a popular keylogger which works wonderfully for Windows and Mac users. You can get a ordinary version of Refog keylogger for $42 USD which helps you track all your computer activities and key logs using a background running program. Personal Monitor version helps you track computer activities via Email, its really helpful for those who need to monitor their personal computer any time and you can get it for $82 USD. Follow the below links to get a Key Logger software. 
Refog Personal Monitor KeyLogger – Windows (comes with email logging) 
Refog Personal Monitor KeyLogger – Mac (comes with email logging) 
How could you protect yourself from Key Logging?

You need not be afraid of key loggers when you use your personal computer since you are the only one who is going to access it. But whenever you use any public computer or any of your friend’s computer, you should not trust it. I always suggest my friends to use On Screen Keyboard whenever they are in need to type a password, also please make sure nobody is checking your screen while you type your password since your screen would expose what you typed. In windows, there is a inbuilt tool called On Screen Keyboard which helps us to select keys using mouse. You can open OSK by using Run dialog box. WinKey + R opens Run dialog box, type osk and then press enter. Now a days many banking portals provide a screen keyboard in browser itself. So please make use of it whenever you are surfing in public computers.
5 Browser Extension Facebook Hack

This method don’t let the hacker / attacker give complete access to your Facebook account but gives some power to control your account indirectly. I’ve see multiple Google Chrome and Firefox addons which hiddenly perform actions like following a person, liking a page on behalf of your Facebook profile.
How Browser extension Facebook hack works?

When you visit some malicious websites or webpages, you will be prompted to install a browser addon. Once you install the addon, it would perform all the tasks described by hacker or attacker who created it. Most actions are posting status updates in your wall, liking a Facebook page, following a person, adding you to some Facebook groups, inviting your friends to like a page or join a Facebook group etc. You may not know these things happening in your Facebook account except when you check your Facebook activity logperiodically.
How could you prevent browser extension Facebook hack?

You can monitor your activities using a Facebook feature called Activity Log. You should not trust any third party websites prompting you to add a browser extension. Install addons only if you trust the publisher. Why should you take risk if you don’t know the publisher or intension of the addon? Stay from those malicious browser extensions.
6 Malicious Facebook Application Hack

All the apps you use in Facebook are owned by third party and not by Facebook. Ofcourse there are few exceptions like Instagram. A malicious application which is requesting your permission could do almost all kind of stuffs in your Facebook profile.
How malicious Facebook application hack works?

Whenever you find Login using Facebook option in any website, you should come to know that it is a third party Facebook application not owned by Facebook. When you click Login using Facebook, you will be shown a permission dialog box with the requested permission details. Once you click okay button, the requested details can be accessed from Facebook or the requested actions can be performed in your Facebook account.
What could a third party application do in your Facebook account? 
Post photos and status update 
Share link to your timeline or to any group you belong 
Manage your page 
Post on behalf of you on the Facebook pages you own 
Access your personal information 
Access your photos including “Only me” privacy photos, some times they can access your mobile photos using a Facebook vulnerability like the one i found

These are just examples of what could be done. What if the application you are using is malicious? It could spam your Facebook account with bunch of worthless content.
How could you prevent yourself from malicious Facebook application hack?

You should always be aware of what permissions you give to a Facebook application even though Facebook is reviewing application’s permission requests. Don’t give permission to an application if you don’t trust the website or application.

Facebook Application Permission Dialog Box

You can edit the information you give to an application in the permission dialog box (snapshot given above). Also you can review the applications that have access to your Facebook account here.
7 Browser Vulnerabilities 



Browser Vulnerabilities are security bugs which exists in older versions of mobile and desktop browsers.
How browser vulnerabilities works in Facebook hacking?

Most browser vulnerabilities are exploited through an older version of browser since all of the zero days are patched by browser vendor once it is reported by researchers around the world. For example, Browser Same Origin Policy Vulnerability could allow a attacker to read response of any Page like Facebook and could be able to perform any action in your Facebook account since they are able to read the response by accessing the Facebook origin.Android Chrome SOP bypass by Rafay Baloch is one such vulnerability which is affecting Android webview in Android < 4.4.
How could you prevent yourself from browser vulnerabilities?

You should always update your browser and operating system once there is an updated version available. Keeping an older version always have many risk factors involved.
8 Self XSS Scam 

Self XSS also known as Self Cross Site Scripting. XSS is basically a web security vulnerability, it enables hackers to inject scripts to web pages used by other users. What is self XSS then? Self XSS is a kind of social engineering attack where a victim accidentally executes a script, thus exploiting to the hacker.
How Facebook self XSS scam works?

In this method, hacker promises to help you hack somebody else’s Facebook account. Instead of giving you access to someone else’s account, the hacker tricks you into running malicious Javascript in your browser console that gives hacker the ability to manipulate your account. Most hackers use this technique to add you in groups, add your friends to group, post in your wall, add your friends in comments etc.
How could you prevent yourself from self XSS?

Self XSS is something that you let hackers to hack your account  Never and ever copy & paste code given by someone in your browser. Otherwise you would get your Facebook account hacked.
9 Trojan Horses 

Trojan or Trojan Horse is a malicious program which is used to spy and control a computer by misleading users of its true intent. Trojan can also be stated as Remote Key Logger since it records key strokes of all the applications of our computer and send it to the attacker.
How Trojan Horse Facebook hacking works?

A software you think legit might be a trojan. A PDF you don’t suspect might contain a trojan. A avi media file you have might be a trojan. Trojan horses runs in the backgroud process, collect information and send it to hacker. Trojan horses can be sent in any form through any medium like pen drive, ipod, website or email. In our topic Trojan records Facebook password you typed in your browser and send it to the hacker using Internet.
How could you prevent yourself from Trojan? 
Don’t install programs from unknown source. 
Don’t play media files received from unknown source. 
Don’t open any kind of files downloaded from untrusted sources. 
Don’t insert pen drive from any suspicious people. 
Have an updated anti-virus software installed in your computer. 

Having an updated anti-virus software does not guarantee you to not getting hacked. Basically an anti-virus software is a collection of detected malwares and viruses. Its job is to compare each and every file with their database of viruses. There are many softwares which enable us to create a undetectable trojans. But it is very unlikely to target a common man with undetectable trojanware. So having a updated antivirus program some what helps us.
10 Facebook Zero Day

Zero day is a security vulnerability that are unknown to the respective software vendor. In our context, Undiscovered Facebook vulnerabilities are called Facebook Zero Day.
How Facebook Zero Day hacking works?

Facebook zero day vulnerabilities are very rare since Facebook runs a bug bounty program where security researchers around the world participate and report zero day vulnerabilities. It is basically a security loop hole that is unaware to Facebook. It can be any hack affecting Facebook. There are two types of people who find zero day vulnerabilities. First case is Security Researchers and Bug hunters who make a responsible disclosure about the vulnerability to the software vendor, Facebook in our context. Another case falls under evil side, black hat hackers who find zero day vulnerabilities don’t disclose it to Facebook and they will use it for their personal benefit of hacking. Few of high severity vulnerabilities discovered in Facebook bug bounty program are listed below. 
How could you prevent yourself from Zero Day?

You need not be afraid of a zero day vulnerability affecting Facebook. As i have said earlier, zero day vulnerabilities are very rare. Zero day vulnerabilities are targeted to influential people and celebrities. It is unlikely to target a common man using a zero day vulnerability.


No comments: