Cyber crime expert warns against new trick used by hackers to trap naïve Facebook users

Dubai: Clicking a ‘like’ or ‘Follow us on Facebook’ button could lead hackers to steal your user name and password, experts warn.

A new trick has come to light in which cyber criminals use Facebook and other social networking sites to trick users into giving away log-in credentials, potentially exposing millions to identity theft.
XPRESS saw a live demonstration of how it works. The method called ‘cross-browser manipulation’ exploits vulnerabilities found in existing browsers (Firefox, Chrome, Internet Explorer) that could potentially help hackers harvest millions of user names and passwords.

Khaled Al Hawasli, 32, manager for security analysis at Help AG, gave XPRESS a demo in which this reporter’s user name and password were compromised by clicking what looked like a Facebook “Follow Us” button on the webpage of a restaurant infected with a “click-jacking” code. A page then popped up and I was asked for my user name and password, after which my real Facebook page appeared. Almost immediately my user name and password were sent to Al Hawasli’s BlackBerry as an SMS message.

Al Hawasli said the same attack could be initiated in other social media sites such as Twitter and Tumblr. “This type of attack can in fact be used on any website whatsoever, but social media is more vulnerable.”

Al Hawasli said they discovered the bug about a year ago and his team will formally tell browser publishers about the vulnerability.

Facebook alone has about 1.11 billion active users as of May.

The hack injects malicious code into the victim’s PC that is activated at a time of the hacker’s choosing, say 30 minutes later, to make it look like a legitimate Facebook log-out page. (This matches a recent report by Seculert, which identifies seven million new unique malware-infected internet protocol (IP) addresses each day.)

Each individual device, be it a PC, smartphone, Xbox or other video game console, that is connected to a network at any given time has a unique IP address.

Al Hawasli, who previously worked as a cyber sleuth with the police, said these attacks are relatively new. “It uses deception. It works on eight out of 10 victims as soon as they click on a button or malware infected page,” he said.

“Hacking the site [Facebook] itself is very unlikely. But it’s the Facebook users who are not security conscious who may end up getting exploited,” he said.

Such attacks are also known as “like-jacking”, according to Taufiq Tamim of Norton MENA.
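As an added example (not part of the article or of Help AG’s demonstration), the following Node.js script shows the check a site operator can run against their own pages to see whether they can be embedded in a third-party frame, which is what click-jacking and like-jacking depend on. The header names are the standard ones (Content-Security-Policy with a frame-ancestors directive, and X-Frame-Options); the sample responses and the verdict vocabulary are constructed for the illustration. The headers stop a page from being framed; they do nothing against the second half of the demo, a fake log-in prompt that the user fills in by hand.

```javascript
// Added example: assess whether an HTTP response's headers stop the page
// from being framed by another origin (the click-jacking precondition).
// Header names are the real ones; the sample responses below are constructed.

// Parse "a b c; d e" into { a: ['b', 'c'], d: ['e'] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns { framable, protectedByCsp, protectedByXfo, findings }.
function assessFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const findings = [];
  let protectedByCsp = false;
  let protectedByXfo = false;

  // CSP frame-ancestors is the modern control and wins when both are present.
  const csp = h['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa === undefined) {
      findings.push('CSP present but has no frame-ancestors directive');
    } else if (fa.some((s) => ['*', 'https:', 'http:'].includes(s.toLowerCase()))) {
      // A bare scheme or wildcard lets any site on that scheme frame the page.
      findings.push(`frame-ancestors allows any origin (${fa.join(' ')})`);
    } else {
      protectedByCsp = true;
    }
  } else {
    findings.push('no Content-Security-Policy header');
  }

  // X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers;
  // ALLOW-FROM is ignored by them, so it counts as no protection here.
  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') protectedByXfo = true;
    else findings.push(`X-Frame-Options value not enforced by modern browsers: ${xfo}`);
  } else {
    findings.push('no X-Frame-Options header');
  }

  return {
    framable: !(protectedByCsp || protectedByXfo),
    protectedByCsp,
    protectedByXfo,
    findings,
  };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  hardened: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  },
  weakCsp: { 'Content-Security-Policy': 'frame-ancestors *' },
};

// Usage: node framing-check.js (hypothetical file name)
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    const r = assessFramingProtection(headers);
    console.log(`${name}: framable=${r.framable} findings=${JSON.stringify(r.findings)}`);
  }
}
```

In practice the `headers` object comes from the response to a request against the operator’s own page; the `hardened` sample is the configuration to aim for, with both headers set so that older browsers that ignore CSP still refuse to frame the page.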

The browser vulnerability is not straightforward as it requires some degree of “social engineering” and is difficult to nail.

Social engineering involves tricking a person into unwittingly executing code or an application on the hacker’s behalf in order to carry out fraud, identity theft or malicious hacking. For example, a hacker may take over a low-level employee’s account to steal sensitive information or data from a company.

Earlier this year Help AG in Dubai found a bug in business applications of Oracle, the world’s top database software company. Oracle acknowledged it and announced a patch in April.

So how vulnerable are ordinary people to such attacks?

“If you don’t have enough knowledge of how a hack works, it would be easy for you to get tricked,” said Al Hawasli.
