Attacking the Attackers: Facebook Hacker Tools Exploit Their Users

Would-be hackers who sought out tools to hack Facebook were in fact exploited themselves, new research from Blue Coat Elastica Cloud Threat Labs shows.

For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that offer the promise of point-and-click ease. According to a new report from Blue Coat Elastica Cloud Threat Labs (BCECTL), the promise made by many Facebook Hacker tools is false.

Rather than providing access to the Facebook accounts of others, BCECTL found that most Facebook Hacker tools only exploit the users of the tools.

"The samples we have analyzed don't perform any real Facebook hacking as opposed to what is being claimed," Aditya Sood, director of Security and Elastica Cloud Threat Labs at Blue Coat Elastica, now part of Symantec, told eWEEK.

BCECTL looked at multiple tools with various names, including Faceoff Facebook Hacker, Skull Facebook Hacker and Scorpion Facebook Hacker. The various tools can require the user to input their own Facebook credentials in order to gain some form of access.

Sood explained that the tools typically start by asking the user to provide the Facebook profile ID to be hacked. After that, the tool displays some fake system-critical failure messages. Following the failure messages, the tool asks the user to provide an activation code to hack into the profile.

"When a user clicks the button to obtain an activation code, the browser is redirected back to some unauthorized domain such as that could lead to advertising which might be malicious in nature," Sood said.

The various Facebook Hacker tools are shared and promoted in various ways, including via an email phishing campaign. The attack is targeted against individuals that are interested in getting the private information of other users' Facebook accounts, according to Sood.

"However, we discovered this attack by analyzing the files hosted on Google Drive as a part of in-house activities to gather more intelligence and feeding that back into the [Blue Coat] product," Sood said.

Links to various Facebook Hacker tools were being actively distributed and shared on Google Drive. BCECTL reported the malicious Google Drive URLs to Google's Safe Browsing report phish link:

"It's hard to list the numbers, but we have discovered multiple instances [seven-plus] on Google Drive at the moment," Sood said. "We haven't checked on other cloud services or standard domains."

The Elastica CloudSOC platform can detect anomalies in compromised cloud service accounts that are used to host these kinds of tools and abuse the cloud service for unauthorized activities, Sood said, adding that Symantec/BlueCoat has the ability to dissect network traffic to look into threats and associated anomalies. Additionally, the Symantec/BlueCoat global threat intelligence network provides regular updates about the state of URLs, he said.

The Facebook Hacker tools are distributed at minimal cost ($20 for two to three months) or free of charge, Sood said. He emphasized that the Facebook Hacker tools are not doing explicit Facebook hacking. Rather, they are stealing end-users' Facebook account credentials, which can be further used to conduct additional sets of attacks, such as drive-by downloading through malicious link sharing in target accounts, stealing private information, phishing and spamming through Facebook messages.

Although the report looked at Facebook Hacker tools, there are also similar tools available for Twitter that work the same way.

"We have seen instances of several domains which claim to hack Twitter but end up in the same behavior," Sood said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.