Of the many Facebook hacks, and there are many, there is one that stands out in its ability to fool people and therefore deserves to be discussed in some detail. This hack is more sinister than most because the attacker needs nothing more than your mobile phone number to get started. True, this attack vector has been around for a while, but some recent variations on it are worth noting. I should point out at the beginning that it is not only Facebook that is vulnerable to this strategy. Any social networking or email service that sends one-time codes by SMS/text message, whether for two-factor authentication (2FA) or for account recovery, can be attacked the same way, but, for the purposes of this post, I'll focus mainly on Facebook.
The attack will often begin with one of your Facebook friends sending you a message asking for your mobile number. They could ask you through a normal Facebook message, through Facebook Messenger, or through an email. They may give an excuse about losing their phone or contacts in some way. Most of us have either gotten or sent such a message and, since the message is actually from someone you know, it may not raise any suspicions. Most people would probably send their number. What could possibly go wrong?
In the worst case scenario, that will be the last you learn of the attack until you find that you cannot get into your Facebook account. Someone has taken it over. This would be the result of what is called an SS7 attack, in which the attacker uses access to SS7, the signalling network carriers use to route calls and text messages, to intercept the SMS that Facebook sends to the account owner. It is a form of man-in-the-middle attack, and it requires both SS7 access (which normally only carriers and their partners have) and a certain degree of skill. For this reason, unless you are a high profile target, have a lot of money, or have a lot of contacts/friends, this attack vector will probably not be the one that compromises your Facebook account.
The normal mobile-number-based attack uses your phone number a bit differently. The attacker who posed as your friend goes to the Facebook login page and claims to have forgotten the password. Facebook asks for the email address or mobile number on the account so that it can send an SMS recovery code. That's where your mobile number comes into play: the attacker enters it, and Facebook sends a genuine recovery code to your phone, the code you would normally use to recover your own account. The attacker now has to get that code out of you, and has a couple of options. They could send you a message that looks like a real Facebook message saying that suspicious or unusual activity has been detected on your account and that it will be blocked until you provide certain information. There are a number of variations on the message you receive, but one may look something like this.
First of all, notice that the message has the look of an actual Facebook message. You will also see that your number is included, which will lower your guard even more. Of course, they are just using the number that you already gave them. You will then check your SMS messages for a code and you will find the one that Facebook actually sent you. Entering the code and clicking 'Next' sends the genuine code not to Facebook but to the attackers, who are waiting to type it into the recovery flow they started and take over your account. To spot the attack, hover your cursor over the 'Next' button and read the link it leads to in the status bar at the lower left corner of the browser window; if the host is anything other than Facebook's own domain, it is a phishing page. The simpler rule: if you did not request a code, someone else did. A recovery code is only ever meant to be typed into a Facebook page you navigated to yourself, never sent to anyone or entered into a page that arrived in a message.
Sometimes the attack may begin with an SMS message to your phone that appears to be signed by Facebook Security or some similarly plausible name. But the sender name shown on a text message is not authenticated: bulk-SMS gateways let the sender choose an arbitrary alphanumeric sender ID, so anyone can make their messages appear to come from 'Facebook Security'. They may then tell you they are sending you the code in a second message, which you should send back to the number the original SMS came from. The code will actually come from Facebook. The number you return it to, however, has nothing to do with Facebook. It belongs to the hackers. In another variation, you may be asked to follow a link to a fake page where you are told to enter the code. That page may look like this.
In both cases, the attacker will then use the code you gave them to complete the recovery, take over your account and change the password (and often the recovery email and phone number as well) so that you cannot log into it.
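The two tells described above, a 'Next' button whose link leads somewhere other than Facebook and a message that asks you to send or enter a code, can be checked mechanically. The following is an added example written for this page; it is not code from the original post or from Facebook. The list of trusted domains, the wording patterns and the sample messages are assumptions constructed for illustration.

```python
"""Spot the two tells of an SMS-code phish: an off-site link and a request
to hand over a code.  Added example, not from the original post; domain list,
patterns and sample messages are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Assumption for this example: a legitimate login/recovery flow only ever
# lands on one of these registrable domains (or a subdomain of them).
TRUSTED_DOMAINS = ("facebook.com", "fb.com", "messenger.com")

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# A real code SMS *tells* you a code; it never asks you to send one back.
# Either a hand-over verb shortly before the word "code" ...
# ... or "code" shortly before a verb that returns it.
HANDOVER_PATTERN = re.compile(
    r"\b(reply|respond|send|forward|text|enter|submit|provide)\b[^.]{0,60}\bcode\b"
    r"|\bcode\b[^.]{0,60}\b(reply|respond|send|forward|text|back)\b",
    re.IGNORECASE,
)


def registrable_host(url: str) -> str:
    """Return the lowercase host the browser would actually connect to.

    urlsplit() resolves the classic tricks: in 'https://facebook.com@evil.example'
    the 'facebook.com' part is userinfo and the host is evil.example; in
    'https://facebook.com.evil.example' the host is the whole string and
    'facebook.com' is merely a subdomain label.  A homograph domain shows up
    here in its xn-- punycode form, which also (correctly) fails the check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""  # javascript:, data:, mailto: etc. are never a login page
    return (parts.hostname or "").rstrip(".").lower()


def link_is_trusted(url: str) -> bool:
    """True only if the link's host is a trusted domain or a subdomain of one."""
    host = registrable_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def asks_for_code(message: str) -> bool:
    """True when the text asks the reader to send back or enter a code."""
    return bool(HANDOVER_PATTERN.search(message))


def suspicious_reasons(message: str) -> list:
    """Collect every reason a message looks like a code-phishing attempt.

    An empty list means neither tell was found (not proof the message is safe).
    """
    reasons = []
    if asks_for_code(message):
        reasons.append("asks you to send or enter a code")
    for url in URL_PATTERN.findall(message):
        if not link_is_trusted(url):
            reasons.append("links off-site: " + (registrable_host(url) or url))
    return reasons


if __name__ == "__main__":
    # Constructed sample messages: one genuine-style code SMS, two phishes.
    samples = [
        "123456 is your Facebook password reset code.",
        "Facebook Security: unusual activity detected on your account "
        "(+1 555 0100). Reply with the code we sent you or it will be blocked.",
        "Your code is 884213. Enter it here: "
        "http://facebook.com.account-check.example/verify",
    ]
    for text in samples:
        print(suspicious_reasons(text) or ["no tells found"], "<-", text[:50])
```

The host check deliberately uses the parsed hostname rather than a substring search for "facebook.com", because the substring appears in both of the lookalike URLs the check is meant to catch. The wording heuristic is a first filter only; the off-site link is the stronger signal, and a message that is clean on both counts still deserves the "did I request this?" question.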
But what happens if you get such a message and you never gave your phone number to anyone and you don't publicly list it on Facebook? That is, the visibility of your number in your Facebook privacy settings is set to 'Only Me'. How could anyone get this number? Only Facebook knows it. The message may even carry your Facebook photo/page and ask you if this is your account. How is this possible?
This is not so much a glitch in the Facebook architecture as a second, separate setting that most people never touch. 'Only Me' controls who can see your number on your profile; it does not control who can find your profile by searching for that number, which is governed by a different privacy option ('Who can look you up using the phone number you provided?') with a far more permissive default. If you type a friend's mobile number into the 'Find Friends' field, you will find their Facebook page whether or not they have made their number private. The sad news is that it is not difficult to harvest mobile numbers from the internet and use them to reach a Facebook page. People selling products or services on Facebook will usually give a contact number for their business. I have used this number to find their personal Facebook page and, if I wanted to, I could begin the mobile phone attack with a message that includes their Facebook photo. So, just because the message looks like it's from Facebook, has your mobile number on it and even your photo doesn't mean it is real.
The logical question is: Why would someone want to take over another person's Facebook page? Well, a great many Facebook account takeovers are performed not by professional hackers but by suspicious spouses and partners. Others are performed by angry exes who may be involved in some sort of stalking activity. They just want to find out what their partners/ex-partners have been up to. In most of these cases, they already know your mobile number but want access to your Facebook relationships. In the worst case scenario, they want revenge, and, once they have taken over your account, they will post awkward photos of you that they may already have, or they may put pornography or racist comments on your timeline for all of your friends to see.
Other attackers want access to your friends, and will use your friends and friends of friends to build a network of compromised accounts for pushing spam and further phishing. They can also sell any information they dredge up to marketers or other hackers. Actually, monetizing these hacks seems to be the wave of the future. With one-sixth of the world's population on Facebook, it is simply too tempting a target to resist.
The most common way to get money is for the attacker to contact your friends and, posing as you, ask them directly to send you money. You need the money because you’ve had some accident or your money was taken from you while you were on vacation and you need some emergency cash to get back home. Another ploy is to ask your friends to donate to a favorite charity of yours (the hacker’s account). Recently, they have been using pictures of sick children to ask for money. Occasionally, the hacker, posing as you, will ask for payment in gift cards or other non-monetary means.
Of course, the criminal's dream is to get hold of your payment information. Those who buy through Facebook will have a payment method stored in their account's payment settings. Criminals in control of your account may purchase gift cards or merchandise using this information.
Keep in mind that this hack applies to any site that uses SMS verification of an account. You can have your email hacked in a similar way. Be suspicious of any message saying you need to send back a verification code that you didn't request; the code proves only that whoever holds it has seen it, so handing it over hands over the account. Never click on links in such messages or, if you do, never fill out any forms those links lead to. Do not download photos/videos sent by a Facebook or Facebook Messenger contact when you are then asked to download a codec to view them; that 'codec' is a classic malware lure. Ransomware has been appearing on Facebook since late last year and, although Facebook has been fighting it, don't expect it to disappear all at once. In fact, I don't believe we have seen the ultimate Facebook hack yet, but be assured someone is planning it even while you're reading this. In January, I predicted that this would be the year of a major Facebook hack and I'll stand by that prediction.