How to Hack Facebook: The Trick is Social Engineering

It is often neither security loopholes nor password cracking that allow people access our private information on Facebook without our approval. It’s actually our own human nature: the trust of a friend’s name.

Whether you like Facebook or not, the truth remains that Facebook is one of the best mainstream websites around when it comes to providing options with which you can protect your privacy.  Every time anyone discovers a new method for hacking private information, the guys at Facebook patch it the next day. What their security engineers cannot do though is teach the users to tell a social engineer apart from a friend.

And that’s why you need to be aware of this: the easiest way to hack Facebook today is by borrowing a chapter from psychology class. Hackers are not hacking as programmers anymore, they’re hacking as social engineers.


Don't add anyone as a friend

Don't add just any person as a friend

Using Social Engineering to Hack Facebook

The hacker wearing his social engineer shoes will probably do something like this:

1. Learn Who Your Friends Are and Collect Them

If your friend list is public, this social hacker, who we will call “Schmuck”, will first familiarize himself with your friend list. Then, he will choose a friend of yours, which we will call “Buddy”, who has enough mutual friends with you.

Schmuck will choose a friend with many in common with you

Schmuck will choose one of your friends

Schmuck will steal the identity of Buddy, by creating a profile with the same username and profile picture. He will then send friend requests to the mutual friends between you and Buddy (excluding yourself) and pretend that his original account was hacked.

Schmuck creates an account with Buddy's identity

Schmuck creates an account with Buddy's identity

Schmuck now starts the process of collecting confirmed friend requests.

2. Social Pressure You Into Accepting Him

Once Schmuck has a good enough number of your unaware friends on his list, he will go for the big fish: Schmuck will send you a friend request, using Buddy’s fake identity. Given that a) it appears to be your friend, b) your mutual friends have this person on their lists as well, and c)  Schmuck sent a nice little paragraph explaining how he lost his password and had to start a new account, you will probably accept.

Schmuck will send you an email claiming that "Buddy" lost his old account

Schmuck will send you an email claiming that "Buddy" lost his old account

3. Gloat at Accessing Your Profile

Schmuck has obviously succeeded in accessing a private profile. If his initial purpose was snooping in your private life, you probably have nothing to worry about, except for some embarrassment. That might not be his purpose though…

4. Hack Facebook Account/Send a Virus

… there are good chances that Schmuck went through all this trouble to do something slightly more evil than just snoop; such as steal your password or send you a virus. He might send you a very unassuming message with a link that leads you to a Facebook sign-in page, which many people would use to re-sign in as they would attribute it to expired cookies. This sign-in page would record your log in info, which Schmuck will use to send a similar link or links to other compromised sites to your friends.

Protect Yourself

So, as you can see, the most human side of hacking is just as dangerous as the more geeky one. Protect your Facebook account to avoid Schmuck and other schmucks like him by being careful with which friend requests you accept, verifying with your friends in case you get an email that claims a lost password, double checking the url of any page that requests you to log in again, and never disclosing personal data online.

[Disclaimer: No Facebook accounts were hacked for the writing of this article. Special thanks to NewsNIdea for the image inspirations.]

Comments and Reactions

10 responses to “How to Hack Facebook: The Trick is Social Engineering”

  1. […] [read full article on ThoughtPick] Share the love :) […]

  2. Beiruta says:

    First of all, I just love how you chose “Schmuck” and “Buddy” to represent the hacker and the hackee :P

    Second of all, I think this is simple yet real and this post helps avoid being tricked into that kind of hack!

    Thanks :)

  3. Amer Kawar says:

    Nicely written, Roba. What you listed is just one way. Think of the security questions. In most cases it's information you have listed on your CV or can come up in any casual conversation. Or, the attacker might know someone within the organisation who trusts him, and use that trust to send in a trojan virus and hack into the company's network.

    My 2 cents :)

  4. Roba says:

    Beirut, thanks :) Yup, I know many people who got tricked with this (although they didn't realize that that's how it happened), so hopefully, people will be able to avoid that now.

    Amer, thanks for the topic heads up. It was a great read.

  5. vivek says:

    nice post dude . keep writting

  6. LimitedHack says:

    Facebook Hacker v.1.3 – Full Version
    Yahoo Hacker v.10.2 – Full Version
    Hotmail-Msn Hacker v.1.13.0 – Full Version
    Aim Hacker v.1.0 – Full Version
    Skype Hacker v.3.6.11 – Full Version
    Steam Hacker v.1.1 – Full Version
    Myspace Hacker v.7.11.0 – Full Version

  7. Tameemmohiuddin says:

    nice but whts the key

  8. Ridhwan says:

    what is the passward dude , I have completed the surveys but no passward was send to me
    Plzzz Reply

  9. Anonymous says:

    An interesting insight to how your Facebook account can get hacked.
    facebook fans

  10. Booboo says:

    Good article Very informative.

Latest pingbacks

©2010 thoughtpick, copyrights reserved.