Today I want to discuss an interesting case: a hacker took over a Facebook account with a social engineering attack.
The hacker demonstrated that Facebook's account-recovery checks, including the two-factor protections on the account, could be bypassed with a fake document, in this case a forged passport.
The attack occurred on June 26, when the attacker contacted the Facebook support team posing as Aaron Thompson, a legitimate Facebook user who resides in Michigan, US.
The news was first reported by Lorenzo Franceschi-Bicchierai of Motherboard. The hacker sent the following help request to Facebook:
“Hi. I don’t have anymore access on my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks.”
Facebook replied with instructions for regaining access to the profile. To verify that the requester really was Thompson, Facebook asked for a scan of a photo ID and a description of the problem.
Curiously, the information in the fake document did not match the details on the real Thompson's Facebook profile.
The support staff ignored the inconsistencies and granted the hacker access to the account by disabling its login approvals.
The fake passport used by the hacker:
The real Thompson learned of the hack when Facebook sent him an email confirming the change to his account settings:
“‘Thanks for verifying your identity. You should now be able to log into your account,’ a Facebook support employee wrote in an email, which Thompson shared with Motherboard. ‘We’ve also turned off login approvals to help prevent you from getting locked out of your account again in the future.’” reported Motherboard.
“At that point, Thompson tried to get his account back, telling Facebook that the person who sent the passport and requested the security features to be disabled wasn’t really him.”
It was too late: the attacker had already gained access to Thompson’s account. Fortunately, he used the profile only to send a few messages to Thompson’s friends; most notably, he sent an image of his genitals to the victim’s girlfriend, which, as abuses of a hijacked account go, was minor damage.
Thompson was shaken by the attack and shared his misadventure on Reddit:
“I’m obviously pretty devastated as that’s a lot of years and money down the drain.”
In the end, the Facebook support team helped Thompson regain access to his profile and business pages.
A Facebook spokesperson confirmed that the company's internal procedures should have prevented this kind of incident:
“Accepting this ID was a mistake that violated our own internal policies and this case is not the norm.”
Once again, security awareness is essential against social engineering: a trained support employee who checks the submitted ID against the data already on the account, and who treats a request to disable two-factor protections as high-risk, is an effective countermeasure in cases like this.
(Security Affairs – Hacking a facebook profile, social engineering)