You start getting text messages from friends. E-mails begin pouring into your inbox. All are asking the same question — are you OK? They’ve noticed you made strange and out-of-character posts on Facebook.
You log into Facebook and see what your friends mean. You didn’t write any of it. You didn’t post those photos or videos. Or worse, you’re locked out of your account.
You’ve been hacked.
A study by Internet security firm Commtouch suggests most users get hacked at high rates even when they believe they aren’t engaging in risky behavior, and that 62 percent are unaware of how their accounts became compromised. Facebook says it stops more than 600,000 attempts daily to hack into users’ accounts. It’s unknown how many attempts are successful.
There are a lot of reasons people hack into someone’s account, said Gian Biondi, a graduate student in computer engineering and computer science at the Rochester Institute of Technology. Reasons vary from revenge for bad service to so-called “hacktivism,” in which the hacker wants to send some sort of political or social message. But mostly it can be to shanghai your account and turn it into a spam generator. And a lot of times, as Biondi puts it, “it’s people just being jerks or just doing it because they can.”
How easy is it to hack into a social network?
Most large social networks are more secure than we think. Apps occasionally have vulnerabilities or even malicious intent. The major weakness, experts say, is the passwords used.
Ed Schipul, CEO of Web marketing company Schipul and creator of Web design company Tendenci.com, says most people are burned by poor passwords. He said the more active someone is online, the more likely they are going to get hacked. The reason is the more active you are, the more passwords you have and have to remember. Most people use the same passwords on all accounts and only vary a little on that password when they do change them.
The most commonly used passwords, according to reports, are “1,2,3,4” or “password.” Hackers will try to guess your password based on common combinations. If they can’t get the password those ways, they will try based on things associated with the person or company. For example, look on a Facebook page without strict public settings and you may see a birthdate or pet’s name. If it’s a company, the hacker may try derivations of products the company offers.
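The weaknesses described above (common passwords, passwords built from profile details, one password reused or only slightly varied across accounts) can be checked before a password is accepted. The following is an added example, not part of the original column; the function names, the short common-password list and all sample values are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample list; the first two are the passwords the column names.
COMMON = {"1234", "password", "123456", "qwerty", "letmein"}
# Undo common character swaps such as "@" for "a" or "0" for "o".
LEET = str.maketrans("0134578@$", "oieastbas")

def normalize(text):
    """Lowercase, undo common character swaps, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def audit_password(candidate, profile_terms=(), previous=None):
    """Return the reasons a candidate is guessable (empty list = none found)."""
    findings = []
    lowered = candidate.lower()
    if lowered in COMMON or normalize(candidate) in COMMON:
        findings.append("common password")
    for term in profile_terms:
        # Profile details: a pet's name matches as letters, a birth year as digits.
        word = re.sub(r"[^a-z]", "", term.lower())
        digits = re.sub(r"\D", "", term)
        if (len(word) >= 3 and word in normalize(candidate)) or \
           (len(digits) >= 4 and digits in candidate):
            findings.append(f"contains profile detail: {term}")
    # A new password that barely differs from the old one is a small variation.
    if previous and SequenceMatcher(None, lowered, previous.lower()).ratio() >= 0.8:
        findings.append("minor variation of previous password")
    return findings

def reused_passwords(accounts):
    """Map each password used on more than one account to those accounts."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {p: sorted(a) for p, a in by_password.items() if len(a) > 1}
```

An empty result only means none of these specific checks fired; it does not prove a password is strong.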
Often it comes down to social engineering, which is basically the art of manipulating people into giving up information. There are a few types of hacks:
Phishing: If guessing your password doesn’t get them in, the next best method for a hacker is to flat out ask for your credentials through phishing. It’s extremely common and a lot more successful than you’d think. Biondi explains that a link is sent by email or through social media either from a friend or sometimes from someone claiming to be an official. The link will usually take you to a page that looks like Facebook or Twitter and ask you to enter your credentials.
More sophisticated attacks can even take it a step further and hijack your active credentials just by clicking on a link. And these attacks don’t have to be through social media. If your e-mail gets hacked and you use the same password for Facebook and Twitter, now all three are compromised.
Keylogging: A more serious method is through intrusion like a keylogger, worm or something that watches you not from the Internet but rather locally on your computer. This is way more dangerous because it could be recording all your keystrokes, meaning any interaction you have with the computer, be it bank, social media, work credentials, etc., is compromised.
Likejacking: This is when a dodgy site posts Facebook’s “Like” button, but it’s actually a way to spread a worm or other program.
Clickjacking: This is when a spammer posts crazy videos and such, causing people to click links. Usually the spammer is getting paid by the number of page views.
Hacking on your social media accounts can damage both your personal and professional reputations. It is very serious since the person is speaking as you. If your account is hacked and begins spreading a virus or spamming your friends and followers, that will probably earn you a bunch of severed connections in your social network.
Here are some prevention tips:
- Change your Facebook password frequently, at least once a quarter. Make it strong by including numbers and letters.
- Review your account settings on Facebook. Delete any apps that install themselves such as Cityville. Look at the permissions you have granted to apps, then decide if you wish to continue letting them access your account. If there are apps you aren’t using, delete them.
- Change the password in the e-mail account you use to log in to Facebook. Use a secondary e-mail account to receive your Facebook alerts.
- Log out of Facebook every time you finish a session.
- Turn on “https://” browsing in your Facebook settings. Also, enable all security features in settings such as text notifications when someone is logging in to your account from an unknown location or device.
- Don’t accept friend requests from people you don’t know or haven’t met and don’t click on suspicious links. It’s common sense.
What happens if you are hacked? The key is to act fast and do the following:
- Change your password. If you have multiple accounts using the same password, change all of them. I can’t say this enough, but ideally all your passwords should be unique and difficult to guess.
- Report yourself to Facebook. Facebook has pages where you can report being hacked.
- Purge any apps or permissions you don’t recognize.
- Delete any tweets, messages, wall posts, etc., that weren’t made by you. Take screenshots of them first for your records, especially if it’s a business account that’s been hacked.
- Run a malware scan of your physical computer and make sure your system is fully up to date.
- Log out of your account then clear your private data in your browser and log in again using new credentials.
While this column is focused on Facebook hacking, these tips apply to other platforms and e-mail.
This column was originally published in the Lexington Herald-Leader on Monday, July 29, 2012.