Open In App

How Hackers Use Social Engineering to Get Passwords on Facebook?

Improve
Improve
Like Article
Like
Save
Share
Report

Social engineering is a powerful method for hackers to exploit computer systems without the use of malware or computer hacking tools. To carry out a successful social engineering hack, ethical hackers need to understand how to effectively use social media and human interaction to obtain sensitive information. Social engineering is an essential skill for security experts, especially those in the IT field, as it’s used in virtually every phase of a cybersecurity project.

The skills required by ethical hackers make it possible for someone without any knowledge of computers or coding techniques to carry out serious cybersecurity tasks such as breaking into an organization’s system undetected using social engineering tactics alone. That said, it is important not to expect too much from unqualified ethical hackers who possess little knowledge of proper computer security procedures and practices since their skills are no match for malicious hackers who will always defeat them in the end via malware attacks or other forms of cybercrime activity.

Social engineering is primarily used to access personal accounts like emails and social media accounts like Facebook or to gather personal data. The hackers produce phishing pages that seem very much like legitimate ones and attempt to convince the victim that they are legitimate and trustworthy. For more information:

Example of a Social Engineering Attack:

The building of false phishing pages is the most typical illustration of a social engineering attack.

In order to get the victim to believe they are legitimate and trustworthy, the hacker first produces a phony phishing page that looks remarkably like the real one. The hacker then sends the victim the link via email or SMS and poses a threat, such as “Click on the link and login or your account will be banned/deleted,” and when the victim clicks on the link, he is taken to a fake phishing page that tricks them into thinking they clicked on the legitimate login page and then requests their login credentials, which the hacker then retrieves in order to access the victim’s account. As a result, the hacker gained access to the account quickly and successfully.

Setoolkit:

It is an open-source, free toolkit that is employed in social engineering assaults like phishing and bulk emailing. Programmer Dave Kennedy created and created the Social Engineering Toolkit. Security experts and penetration testers use this application to look for cybersecurity vulnerabilities in systems all over the world. Toolkit for social engineering targets to use offensive methods on their computers. It contains a variety of tools that can be used to learn more about phishing victims, among other things.

For more information: Social Engineering Toolkit

Practical Demonstration:

1. Open Kali Linux

2. Open the terminal and type the following command to open setoolkit.

setoolkit

 

3. Select Social Engineering Attacks

1

 

4. Select Web Attack Vectors

2

 

5. Select Credential Harvester Attack

3

 

6. Select Site Cloner

2

 

7. Type your IP address.

Note: To perform this attack over WAN you’ll need to enter your public/external IP address. To perform over LAN type your internal  IP address provided by your router. To find your IP address type ifconfig in new terminal windows and copy your IP address.

ifconfig

 

8. Now input the URL you want to clone and perform a phishing attack over (in this case Facebook)

https://facebook.com/

 

The process will complete in a couple of seconds and then the phishing website will be hosted on the specified IP address on port 80 (mostly).

 

Now open the website on other device with the IP.

Note: Make sure you are connected to same network in case of LAN

 

A Facebook Login page is displayed which seems to be legit.

 

As the user enters the email ID and password it is fetched by setoolkit

 

The password and email id entered by the victim is successfully fetched by the Hacker (highlighted in red).

 

The credentials are stored in an XML file to check over them later, to access it open this file location

/root/.set/reports

Now open the only XML file and findthe  email and password parameter.

 

To make the link more convincing, hackers mask the URL with appealing words and phrases with tools like Maskphish (check out: Maskphish)

Countermeasures:

  • Check the internet accounts frequently for any strange activity.
  • Frequently changing passwords
  • Keeping a watch on the Login activity closely.
  • Avoid clicking any suspicious or unexpected links, including those from friends or relatives, as it’s possible that they have also had their accounts hacked.
  • Installing phishing protection software.
  • Not accepting requests from strangers.
  • Avoid sharing any sensitive information on social media as doing so could get you in trouble.
  • Learn how to spot a phishing attempt by reading and understanding the email message you receive before you click any links or download an attachment.\

Note: This article is only written for educational purposes.



Last Updated : 21 Aug, 2022
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads