Sunday, December 4, 2011

When Social Networks Become Social Engineering Tools for Hacking - A Case Study of Hacking 10 Facebook Friends in 10 Minutes

These days the hacking community is buzzing with social engineering techniques for hacking. People discuss what the best social engineering technique to adopt might be. These days I am badly addicted to two things. One is Metasploit and the other is social networks (Facebook, to be precise).

So I thought of mixing these two addictions of mine to craft a special social engineered attack vector. I don't know whether anyone has thought of or used this technique before, but HackingAlert is certainly the first to report on it (if it's not on Google, it's nowhere).

In my attack vector I created a malicious URL that exploited a known vulnerability in Internet Explorer. Then I shared this link on social media through my account. Now here comes the concept of social engineering: since the malicious link is posted on my wall or in my tweet, everyone in my friend list or among my followers tends to trust it.
They consider it a normal link to some useful information. This is where the use of social media like Facebook becomes a trap.

In several of my posts I have stressed that we should not trust everything that appears in our feeds or tweets, no matter whether it is shared by a friend or a colleague. You should first examine it and see whether it looks suspicious. The best way is to right-click, copy the link and open it in a different browser. This will protect your social identity from threats like spam or session hijacking.

Let me give you a quick look at my attack vector. Here is the link that I shared on my wall, which appeared in all my friends' feeds.

Immediately after sharing this link, my friends started commenting on and clicking it. It is just a malicious link that exploits a vulnerability in Internet Explorer and allows arbitrary code execution.
So all I had to do now was set up a listener for back connections, sit back and wait. It's exactly like catching a fish: you attach some food to the hook and wait for the fish to come and eat it and in turn get caught (hacked).
Look at the image below. Lots of IP addresses were reported in my console. Those who were lucky (not using IE) escaped this attack. The error ".net CLR not found" marks the calls in which Internet Explorer was not the browser in use.

If you notice the scroll bar on the right of the image, you can imagine how many back connection requests I got.
The lucky ones who were not using IE were safe, but there were some unlucky ones as well. To be precise, I got around 10 active sessions in the first 10 minutes. Then I tweeted the link on Twitter with a catchy statement. Within an hour I had more active sessions than I can remember.
Successful execution of this attack vector provided me with direct shell connectivity through which I could control the attacked users' machines. It would be a cakewalk to start a key sniffer to record keystrokes or, worse, install backdoors (though I didn't do these things).

There is something serious I want to discuss here. If you have followed everything so far in this post, you may have figured out that there is hardly anything Facebook can do to prevent this type of attack.
If my friend is using an unpatched version of IE and opens any link that appears in his social profile without giving it a second look, then that is his mistake. It's like banging your own head against the wall.

So I will end this post with two conclusions that I want all my readers to follow strictly:

  1. Always use an updated version of your browser.
  2. Don't trust everything that people share on their social profiles. You never know when you might become the FISH caught on the hook.

Note: If you are one of my friends who read this post and also clicked on the link I shared, then I am really sorry. I had to do this in order to build this post, but I have caused no harm to your system. It was purely for educational purposes. I hope you are not offended.



  1. lol... I was one of the fish there :P :P heheheh... but my browser was Opera...

  2. @sai charan: sorry bro... I am happy you are not an Internet Explorer fan ;-)

  3. haha never mind bro... but you should also tell us about executing spyware and some other things when we just click on links...

  4. I wonder, how did you obtain these direct connections? Wouldn't it still go through a second-hand connection?

    For example, if I'm on Skype and call another person, is that a similar direct connection? Can I implant a keysniffer just over that connection?

    Anyway, can you make a tutorial on how to implant a keysniffer through that connection that you had with just that malicious link?

  5. @prayanthem: yes, it's a direct connection... I was able to connect to the systems directly. Starting a keysniffer is easy on the target. Once you have compromised the target, you can execute a simple script which can sniff keystrokes... What I have used in this example has a keysniffing script which serves our purpose.
