Social Networking Hack Hides Attack
There's no question that social networks have become a serious source of security and privacy concerns for individuals and organizations alike, as cyber attackers use the popular online portals for everything from malware distribution to information gathering about their potential targets.
However, apparently so many people are trying to break into other users' social networking accounts that helping them do so, or at least offering to, has become enough of a business opportunity that scammers are already trying to tap into that demand to help find new victims for their own ploys.
Security researchers at PandaLabs recently unearthed an online hack-for-hire scheme that attempts to take advantage of people's desire to hack into others' Facebook pages, calling attention to a URL which promises to break into any user's account for only $100.
But much like anything else on the Web that appears too good to be true, at least if you're an aspiring lowlife, the site was of course only set up to dupe wannabe Facebook spies and hackers into giving up their own money and information.
As described by PandaLabs security guru Luis Corrons, all you have to do is register for the "Hack Facebook" page, then provide it with the details of the account that you'd like to infiltrate. For his purposes Corrons of course created a new dummy account just to see what was possible.
To make itself seem more legitimate, the site only asks you to provide your target's ID, then it promises to automatically find their username for you, or pretend to, in an effort to show that it indeed has its hooks into the popular networking property.
After merely entering the ID, the hacking service appears to begin doing its job and after only a few minutes offers the opportunity to gain the hacked account user's passwords and then save them to your computer with the click of a button... if you're first willing to pay, of course.
Upon clicking on the save button you're asked to send your hard-earned $100 to the Ukraine using Western Union, along with filling in some specific personal details about yourself. Anyone who closely follows IT security would obviously have all sorts of bells and whistles going off at this point, but then again, anyone attempting to hire a third party to break into someone else's Facebook page likely isn't the portrait of online restraint.
Of course, once you pay the site and send along your own personal data, Corrons reported that you don't get the promised Facebook passwords, and, as few people are likely willing to complain to anyone in authority that they've been ripped off trying to break into someone else's Facebook account, there's little question that the attackers, who actually appear to be based in Moscow, get off totally free.
So, the good news would appear to be that, despite appearances, one cannot yet utilize a fast, user-friendly online service to hack into anyone else's Facebook page for $100, at least not using the service discovered by Panda. A silver lining is that people trying to pull off such scams are likely being victimized in their own right.
The bad news? The social media matrix continues to get more muddled with attacks and identity theft schemes, leaving everyone's personal data at risk as attackers try to find any and every way that they can to make a buck off of these widely adopted applications. The virtual world is seemingly every bit as laden with potential pitfalls and trapdoors as the real world.
Happy clicking out there.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog.