HOW FACEBOOK AND OTHER SOCIAL NETWORKING SITES ARE HACKED

-


Social networking service (also social networking site, SNS or social media) is an online platform that is used by people to build social networks or social relations with other people who share similar personal or career interests, activities, backgrounds or real-life connections.

Social Network Sites such as Twitter, Facebook, Google+ , Pinterest, Instagram have attracted millions of users, many have integrated these sites into their daily practices. There are many sites, with various technological features which support a wide range of interests and practices. Most of them can be linked to their pre-existing social networks which help strangers connect and interact based on shared interests or activities.

This interaction reveals a lot of information, often including personal information visible to anyone who wants to view it. Hence privacy is often a key concern by the users.
Since millions of people are willing to interact with others, it is also a new attack ground for malware authors. They can spread malicious code and send spam messages by taking advantage of the user’s inherent trust in their relationship network.
Here are some of the threats targeting different social networks today.

Social engineering:

Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. It is easier to fool someone than to find vulnerabilities to hack a system.

An attacker chats with someone and then try to elicit information. By using a fascinating picture while chatting, the attacker can try to lure the victim. Then, slowly the attacker can ask certain questions by which the target can elicit information. They ask different questions to get the target’s email and password. Attackers first create deep trust with the target and then make the final attack. Gaining Trust is one of the phases in social engineering.

Common attacks:
Email with a link or an attachment that has malicious code embedded. Clicking or Downloading it will run the code and infect the target system.
This is one serious problem people face online today. Do not trust anyone online. Avoid sharing personal information.

Identity theft:

It Is easy to access an account when the attacker has some personal information. For example, a common technique used is by clicking on “forgot password” and trying to recover the information through email or security questions. Once they have access to your email account, they then have access to all information on your social networking sites.

  • This can be prevented using 2FA (Two Factor Authentication).
  • Never share your personal information online.



Phishing bait :

Phishing is the attempt to obtain sensitive information such as usernames, passwords, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of social engineering techniques used to deceive users.

Attacker could create a clone of a website that is infected with malware and tell you to enter personal information. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
  • Always make sure the URL’s are legitimate  before opening them.



Shortened links / URLs:    
Always be careful while opening a shortened URL.


URL shortening services such as bit.ly ,tinyurl, goo.gl are used to fit long URLs into tight spaces. They also do a nice job of obfuscating the link so it isn't immediately apparent to victims that they're clicking on a malicious link. These shortened links are easy to share.

Only click on links from trusted sources. This may not always protect you, but helps lower the risk.
Update browsers and operating systems regularly with the latest security updates.


Apps :

Try not to use apps like :
o   Facebook color changer
o   Celebrity Face Match
o   Who viewed your facebook profile
o   NSFW videos
o   Twitter instant followers
o   Pinterest bogus pins
o   Instagram free likes

These things asks you to post it on your profile or share it with your friends or watch a video tutorial. And some provide those functions. But what it actually does is allow attacker to obtain access to your profile and spam. Which can also infect mobile devices.

Change your passwords regularly. Delete unnecessary apps. Do not trust third party notifications. Be cautious about giving unverified apps or services access/permission to your account. Download apps from trusted source.

CSRF – cross site request forgery:

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

When you click on a link on a webpage, your browser sends a request to the Web server. These requests can broadly be categorized into two types: GET and POST.  A GET request is simply a request for a page, e.g. When you browse www.google.com. A POST request is sent when you send data to the server, e.g. if you search anything on Google, this would be sent as a POST request.
But what if it were possible to send a request from a user’s browser without the user's consent?
It’s possible.

It’s simple and it’s called Cross Site Request Forgery.

Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against.

The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.

PREVENTING CSRF :

The most common method to prevent Cross-Site Request Forgery attacks is to append unpredictable challenge tokens to each request and associate them with the user’s session. Tokens should be unique per user session, but it can also be unique per request. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from a source other than the user.

Clickjacking :

Clickjacking (UI redress attack) is a malicious technique of tricking a user into clicking on something different from what the user perceives they are clicking on, thus taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
For example, imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up exactly the "delete all messages" button directly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicked on the invisible "delete all messages" button.


  • To prevent, keep your browser updated.

Comments

Post a Comment

Popular posts from this blog

INSTALL TIGHTVNC ON KALI LINUX RASPBERRY PI

-
Image
Install TightVNC server using the following command apt-get install tightvncserver Run VNCserver to generate the configuration files. vncserver :1 VNC sessions are not linked to Linux user authentication.It is just protected by a password.So, it is better to change your password. Change your password using vncpasswd Run the command to check the VNC connection netstat -tupln Use a VNC application such as VNC CONNECT and login using the PI's IP Address. Download the  VNC CONNECT   To run VNC over SSH, we can create a SSH tunnel. Start your VNC server vncserver :1 -geometry 1280x800 -depth 16 -localhost -nolisten tcp -locahost option will ensure VNC port is listening only on local interface. -nolisten tcp - X Server will not listen on the network. Now, create a SSH tunnel  ssh -L 5901:localhost:5901 -N -f <user>@<ip> Any connection to this port will be tunneled by SSH. ENABLE AT STARTUP To enable VN
Read more

ENABLE AUTOSTART FOR X11VNC

-
Image
ENABLING AUTOSTART FOR X11VNC ON KALI LINUX RASPBERRY PI TO INSTALL VNC check my last post INSTALL X11VNC ON KALI LINUX RASPBERRY PI   O nce you've started the service, it'll run until you stop it or reboot. To Autostart it during BOOT , follow these steps. Create a file "sharex11vnc" in the directory /usr/local/bin Open a terminal, type cd /usr/local/bin this will take you to that directory. To create a file, type nano sharex11vnc Enter the following,   #!/bin/sh x11vnc -ncache 10 -auth guess -repeat -nap -loop -forever -rfbauth ~/.vnc/passwd -desktop "VNC ${USER}@${HOSTNAME}"|grep -Eo "[0-9]{4}">~/.vnc/port.txt # comment this out if you dont want a pop up telling you which port you're using zenity --info --text="Your VNC port is 'cat~/.vnc/port.txt'" press Ctrl+x then press "y" then hit Enter . This will save the file. This script will run the x11vnc during boot. Once t
Read more

INSTALL X11VNC ON KALI LINUX RASPBERRY PI

-
Image
Once your PI is  configured, update it.  apt-get update  apt-get upgrade After everything is updated, install x11vnc by typing apt-get install x11vnc  After it is installed, set up a password to connect to your PI. Type, x11vnc -storepasswd Enter your password and press enter and you're done. To connect through vnc, first you need to start the service.Type the following command to start it. x11vnc -ncache 10 -auth guess -nap -forever -loop -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -noncache Use a VNC application such as VNC CONNECT and login using the PI's IP Address. Download the VNC CONNECT   https://www.realvnc.com/download/vnc/ CHECK MY   ENABLE AUTOSTART FOR X11VNC    TO AUTOSTART IT DURING BOOT
Read more