Hacking your Facebook inbox

How easy is it to hack your Facebook inbox? I could do it in five minutes. All I need to do is connect up via Skype and convince a blackhat dev that I really need to buy his Facebook Manager app, so that I can spy on my cheating husband. Then all I have to do is set it up with a troll account that looks like a booth babe  — and I will have my cheating husband chomping at the bit.

For the most part, social engineering tactics can play a strong role in hacked Facebook accounts. From recent scams that lure you to a Google doc to check out your friend’s Facebook password, to Facebook impostor sites that phish your login information  hackers are experts in dangling tiny hooks of manipulation-bait to reel you in.

Do you have nasty Jane or dirty John tendencies? Perhaps you have an ax to grind with an acquaintance (like one of those connections that you friended out of pity eons ago), the type that frequents Facebook akin to a lowbrow, gossip-rant-a-cow. Perhaps a nice little account hack would add a  festive poke to their otherwise mundane timeline? For whatever reason people fall for this type of crap — it generally involves personality types that are overly-trusting or gullible.

When something is too good to be true — it might just be true. Right?

A cyber-criminal’s best asset is their lie ability

According to Techopedia:

Social engineering is the non-technical cracking of information security (IS). It applies deception for the sole purpose of gathering information, fraud or system access.

Think of social engineering like you would think of a game. And like most games, this particular game has varying levels of strategic maneuvers. During the game, the attacker may utilize may different techniques. The cyber-criminal’s main goal is to get information on a target in order to advance to the next level of the game. How does a cyber-criminal move from one level to the next?

  • Research gathering [Connect-the-dots]: How much personal information is available in your online social networking profiles, Google search engine, Amazon wish list, and Spokeo? How frequently do your friends and family share, tag, tweet, or upload information about you?
  • Phishing: Generally comes in the form of a deceptive email but can also appear on social media sites in the form of shortened URLs. Facebook, Wells Fargo, Citibank, PayPal, and eBay are a few of the more convincing email scams that get victims clicking (to confirm their identity or to login to a site that duplicates a legitimate site). One of the most clever phishing scams of 2013 involved Intuit; an email phishing scam that heralded a warning about phishing scams. Never forget that the end result is always intended to capture your sensitive information.
  • Rogue Apps: It is very easy on Facebook to develop a bad app, share the app URL, and convince connections and friends to like it. One of the latest rogue apps [with a marketing campaign that began October, 2013] operates under a chief developer who sells a control panel app. The buyer merely needs to enter their app ID, secret, and a name for the URL into the developer panel. Next, they share the URL with the sole intent of “infecting” a victim — any victim will do, even a friend.
  • Impersonation: On Monday I received a friend request from an account that duplicated my friend’s account, minus her timeline. I am always cautious when I friend anyone and was quick to realize that this was an impostor account.


Impersonation is a form of social engineering simply because the cyber-criminal is relying on posing as a trusted entity — in the form of your friend. We all have friends that get emotional sometimes and deactivate or go bonkers with their Facebook account. That is, unless you have friends that are 100 percent emotionally mature…I don’t.

Always report an impostor account to Facebook.

Lets get back to that nasty rogue app

This Facebook app can view your private inbox and chat sessions, though it can’t view any pictures that you upload. While perusing hacker forums I found it quite interesting that so many people were willing to throw their friends under the bus. I guess that is the type of people these forums attract.
social engineering Facebook

Product Features:

  1. UI to manage all your app users.
  2. Automatic removal of all users who de-authorize your app.
  3. https enabled site. So your infection will be on apps.facebook.com and not any 3rd party domains.
  4. Manipulating user’s inbox to display them in a neat manner is tough. We do that for you.
  5. Landing pages for app.

Facebook hacker [AKA: Manager] is a php web app that gives access to a “target” account via Facebook’s Graph API. It takes approximately five minutes to set up. The developer recommends that buyers use a troll account to distribute the app URL (apps.facebook.com/appname) via Social Wrench.

Facebook bad app

How it works

  • The user accepts the rogue Facebook app
  • The app buyer gains immediate use/control of the user (victim) account until the user changes their password or reaches the 60 day access limit.

They are counting on the user (victim) not checking app permissions (this requires extended permission: read_mailbox); or knowing how to remove their app; and they went a step further stating in a post that users did not know how to report their app. Basically, they are counting on managing a bunch of Facebook sheep to spread a (potentially viral) app AND,  the head honcho blackhat has full permission to:

  • Post status as any user
  • Post status of any user that admins a page
  • Like cover photos
  • Update user (victims) Facebook status
  • View user inbox/chats

Do you see where I am going with this? Mr. Blackhat is selling this app stating that it is perfectly legal (to the buyers), but hey — a few buyers (who did not use a troll account) had their Facebook accounts deleted (by Facebook), and had to jump through hoops to get their accounts back. Once they got their accounts back — they were permanently banned from app development. That sure sounds perfectly legal — doesn’t it?

If you are concerned about any apps that you may have liked through a friend or connection CHANGE YOUR PASSWORD NOW and review your Facebook apps.

Facebook, listen up!

With so many buyers impressed with the overall number of victims that they can conquer, along with inbox/chat privacy breaches —  I believe it is time to remove it. Your mission is to find the main developer of this app.

Handles used: m4dh4ck3r | Skype: eatcodesleeplive

They may be using this server: http://btcmine.org/fbrat/home/index/1392967840951198/#


Facebook victims


Leave a reply