Ways Scammers can hijack your Facebook Account

Jovworie Tanshi
4 min read · Jul 23, 2020


For some time now we have been witnessing attacks on the Facebook accounts of some of our contacts.

Photo credit: underground-hackers.com

These “not so coordinated amateur hackers”, after taking over the victim’s account, will start posting messages with a template similar to this:

Flip Cash Investment Platform credited me this morning. I invested 30k and I got 90k. Please oo Flip Cash just paid me oooooo. I never believed this till I did it myself. This thing is real.

Posts like these are usually accompanied by “beautiful” screenshots of bank alerts bearing the name of the account owner.

It gets more interesting when similarly hacked accounts start dropping comments that they have also received payment from the said investment scheme.

Ironically, a few gullible users on the hacked account’s friends list will still proceed to send money to the person who hijacked the account.

Whenever people reach out to me because their accounts have been hacked, I usually ask them a few questions before helping them to recover it.

Over time I have realized that their answers are usually the same or similar.
I’ll break things down in a few paragraphs.

Unlike the recent attack on Twitter, this type of account breach has nothing to do with Facebook’s defences.

There is so much advice about the use of strong passwords like $Fk63Hjkh+#ueha58&-$.
Just so you know: strong passwords are not as strong as the hype.

So, how does a Facebook account get hacked?
Most definitely through failure to enable two-factor authentication (2FA). In rare cases, a social engineering attack may be involved even if 2FA is enabled.

Two-factor authentication (2FA) is an authentication method in which a computer user is granted access only after successfully presenting two pieces of evidence to an authentication mechanism.

Simply put, 2FA can be likened to having two separate keys and locks for the door to your house and the door to your bedroom respectively because your bedroom stores all your valuables. The key that opens the main entrance to your house is not that important because there are no valuables in your kitchen and living room. However, having just the key to the bedroom door is useless because you need to enter the house first.

I could end there, but I am sure it won’t sink in. Let’s look at the techniques that can be used to hijack your account when you don’t enable 2FA.

1. Brute Force Attack
A brute-force attack consists of an attacker submitting many passwords or passphrases in the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases using a brute force tool until the correct one is found.
A good brute force tool can generate between 10,000 and 100,000 password combinations within a second.
Even if your password looks like this: $Fk63Hjkh+#ueha58&-$, a well-written brute force tool can generate that password in a few minutes. Worst case scenario, in a few hours.
Most websites claim to have brute force protection, but in most cases this cannot be fully confirmed from the outside.
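The server-side brute force protection the article says you cannot confirm from the outside looks like this on the inside. This is an added Python example, not code from the article: a per-account throttle that locks the account after a run of failures, doubling the lockout each time, plus a simulation counting how many guesses an attacker who submits them as fast as allowed actually gets through in one hour. The policy numbers (5 attempts, 30 seconds, doubling) are assumed values for the demo.

```python
from dataclasses import dataclass

# Assumed policy values for this demo (not from the article).
FAILURES_PER_LOCK = 5   # failed attempts tolerated before each lockout
LOCK_BASE = 30          # seconds locked after the first lockout
LOCK_FACTOR = 2         # each further lockout lasts twice as long


@dataclass
class AccountThrottle:
    """Per-account failed-login tracking, checked before the server
    even compares the submitted password."""
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

    def allow(self, now: float) -> bool:
        """Can this account accept a login attempt at time `now`?"""
        return now >= self.locked_until

    def record(self, success: bool, now: float) -> None:
        """Update counters after an attempt; a success clears the history."""
        if success:
            self.failures = self.lockouts = 0
            self.locked_until = 0.0
            return
        self.failures += 1
        if self.failures >= FAILURES_PER_LOCK:
            self.lockouts += 1
            self.locked_until = now + LOCK_BASE * LOCK_FACTOR ** (self.lockouts - 1)
            self.failures = 0


def guesses_possible(horizon_seconds: float) -> int:
    """Simulate an attacker who submits wrong guesses as fast as the server
    allows, and count how many land within the horizon."""
    throttle = AccountThrottle()
    now, attempts = 0.0, 0
    while now < horizon_seconds:
        if throttle.allow(now):
            throttle.record(success=False, now=now)
            attempts += 1
        else:
            now = throttle.locked_until   # attacker can only wait out the lock
    return attempts


if __name__ == "__main__":
    # A tool capable of 10,000 guesses a second is held to 35 guesses an hour.
    print(guesses_possible(3600))  # → 35
```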

2. Using one password on multiple websites
When a website with weak security is hacked, phone numbers, email addresses, usernames and passwords can be stolen. These cyber criminals may then test the stolen credentials on popular websites like Facebook, Instagram, Twitter, etc. Chances are that a few users’ accounts will be accessible with these stolen credentials.

Some of these multiple websites may be phishing websites designed to look like a website familiar to the user.

A phishing website (sometimes called a “spoofed” site) tries to steal your account password or other confidential information by tricking you into believing you’re on a legitimate website. You could even land on a phishing site by mistyping a URL (web address).

3. Use of obvious passwords

Some people use passwords that are far too easy and obvious, such as their first or last name with one or two digits added. Some use their date of birth or a nickname. These are the passwords anyone would think of first.

4. Everyone has been compromised

The cyber security community believes the credentials of every internet user have been stolen from one website or another (any website, not specifically Facebook or Twitter). The criminals just haven’t used them elsewhere yet. That is why we are advised to change our passwords very often. But you still need 2FA.

2FA is Your Loyal Side-kick
With 2FA enabled, the techniques listed above are likely to be useless, unless a fraudster manipulates you into disclosing your 2FA codes via a social engineering attack.

How do you enable 2FA?
I recommend 2FA for Facebook, Twitter, Instagram, WhatsApp and any other website that you use.
Just Google how to set up 2FA for the website or app you are interested in.

To enable 2FA I recommend using an authentication app (such as Microsoft or Google Authenticator) over SMS OTP. SMS messages are more susceptible to interception.

An internet user with a password like this: $Fk63Hjkh+#ueha58&-$ and no 2FA enabled is more vulnerable than a user with a password like this: 1234567890 and 2FA enabled.
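What the authenticator app recommended above actually computes, as an added Python example that is not part of the article: an RFC 6238 TOTP check (the scheme Google and Microsoft Authenticator implement) wired into a two-factor login, so that the correct password with a wrong or stale code still fails. The secret used is the RFC 6238 test-vector secret, not a real account’s, and the plaintext password comparison is a simplification for the demo.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret ("12345678901234567890" in base32). An authenticator
# app stores such a secret after scanning the enrolment QR code. Demo value only.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the default used by authenticator apps
DIGITS = 6


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift.
    A code from any other moment (e.g. copied from an old screenshot) fails."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(stored_password: str, submitted_password: str, submitted_code: str,
          secret_b32: str, unix_time: int) -> bool:
    """Both factors must pass. A real site compares against a salted password
    hash; plaintext is used here only to keep the demo short."""
    password_ok = hmac.compare_digest(stored_password, submitted_password)
    return password_ok and verify_totp(secret_b32, submitted_code, unix_time)
```

Because the code is derived from a secret that never leaves the phone and the server, a stolen or guessed password on its own does not satisfy `login`.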

I would have added “How to recover your account if it gets hacked” but there will be no need for that if you take action right now. Maybe I will write about that in a different article. Maybe.

THE END

Written by Jovworie Tanshi

Cyber Security Expert, Fraud Analyst, Author. Follow me to get hot tips on Cyber Trends.
