Facebom: A targeted bruteforce tool poses a serious threat to individuals and enterprises

Recently, “teamkelvinsecteam”, one of the most active hacking groups, released Facebom on a deep web forum. Facebom is a targeted brute force tool aimed at individual Facebook accounts. Because the tool is pointed at a chosen victim rather than at bulk credential lists, the GroupSense research team believes Facebom poses a threat to individuals and enterprises alike.

So what if everyone’s Facebook account gets hacked?

You may be wondering why you’re reading a blog about a Facebook password cracking tool when you’ve got business cyber risk to manage, so I’ll get straight to it. Most people within and outside of your business have a Facebook profile. In fact, Facebook has 2.27 billion users and adds 500,000 new users every day (that’s 6 new profiles per second).

It is likely your enterprise team members are connected to each other and communicate via the Facebook Messenger app. Because Facebook appears to be a harmless medium for communication, it falls outside the purview of many enterprise security programs unless you employ an effective content filter, CASB, and MDM solution. Attackers could use this channel for corporate espionage, phishing, and even data exfiltration.

It’s a complex problem, and it starts with your employees, customers, partners and their (Facebook) passwords. Here are some areas where effective use of Facebom could impact your organization:

Malware / Ransomware distribution

Hacked accounts can be used to deliver weaponized PDFs or malicious links carrying malware or ransomware to the victim’s Facebook contacts, who are more likely to open something that arrives from a known friend or colleague.

Password Re-Use

Because login credentials are hard to remember, people tend to reuse the same usernames and passwords across many services. This means that some of the passwords recovered with this brute force tool may be the same passwords your employees use to access corporate email, internal servers, or other services tied to your organization.

Credential Stuffing

Credential stuffing attacks let attackers use bots to launch high-speed login attempts against a website, replaying username and password pairs taken from other breaches rather than guessing. Password reuse is what makes the success rate go up. Which web-based logins on your domain would make a good target for credential stuffing?
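The question above is only answerable if you are watching your own login endpoints. The script below is an added example, not part of Facebom or any GroupSense tool: it parses a constructed, hypothetical login log (timestamp, source IP, account, result) and uses a sliding window to separate a single-account wordlist attack of the kind Facebom performs from a credential stuffing run, where one source tries a different account on almost every attempt, and reports which accounts were actually logged into during the burst.

```python
"""Spot password brute force and credential stuffing in web login logs.

Added example for this post; it is not Facebom code and not a GroupSense
tool. The log format is a constructed, hypothetical one:
    <ISO-8601 timestamp> <source IP> <account> <LOGIN_OK|LOGIN_FAIL>
Adapt parse() to your own web server or identity provider log format.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip account ok")

# Constructed sample log: 203.0.113.7 walks a wordlist against one account
# (brute force, the Facebom pattern); 198.51.100.23 tries one password per
# account across many accounts (credential stuffing); 192.0.2.5 is a user
# who mistyped a password once.
SAMPLE_LOG = """\
2019-01-10T09:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2019-01-10T09:00:02Z 203.0.113.7 alice@example.com LOGIN_FAIL
2019-01-10T09:00:03Z 203.0.113.7 alice@example.com LOGIN_FAIL
2019-01-10T09:00:04Z 203.0.113.7 alice@example.com LOGIN_FAIL
2019-01-10T09:00:05Z 203.0.113.7 alice@example.com LOGIN_FAIL
2019-01-10T09:00:06Z 203.0.113.7 alice@example.com LOGIN_OK
2019-01-10T09:02:10Z 192.0.2.5 bob@example.com LOGIN_FAIL
2019-01-10T09:02:25Z 192.0.2.5 bob@example.com LOGIN_OK
2019-01-10T09:10:00Z 198.51.100.23 carol@example.com LOGIN_FAIL
2019-01-10T09:10:01Z 198.51.100.23 dave@example.com LOGIN_FAIL
2019-01-10T09:10:01Z 198.51.100.23 erin@example.com LOGIN_FAIL
2019-01-10T09:10:02Z 198.51.100.23 frank@example.com LOGIN_OK
2019-01-10T09:10:02Z 198.51.100.23 grace@example.com LOGIN_FAIL
2019-01-10T09:10:03Z 198.51.100.23 heidi@example.com LOGIN_FAIL
2019-01-10T09:10:03Z 198.51.100.23 ivan@example.com LOGIN_FAIL
"""


def parse(text):
    """Parse the constructed log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, account, result == "LOGIN_OK"))
    return events


def classify_sources(events, window=timedelta(minutes=5), threshold=5):
    """Return {ip: finding} for every source IP that made at least
    `threshold` login attempts inside some `window`-long sliding window.

    kind is 'brute_force' when the burst targets a single account,
    'credential_stuffing' when nearly every attempt is a different account
    (one guess per stolen pair), otherwise 'mixed'. hits lists accounts
    whose login succeeded inside the burst, i.e. likely compromised.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        # Two-pointer sliding window: keep the densest burst for this IP.
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) < threshold:
            continue
        accounts = {e.account for e in best}
        if len(accounts) == 1:
            kind = "brute_force"
        elif len(accounts) >= 0.8 * len(best):
            kind = "credential_stuffing"
        else:
            kind = "mixed"
        findings[ip] = {
            "kind": kind,
            "attempts": len(best),
            "accounts": len(accounts),
            "hits": sorted(e.account for e in best if e.ok),
        }
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['kind']} ({f['attempts']} attempts on "
              f"{f['accounts']} account(s)); successful logins: {f['hits']}")
```

On the sample data the script flags 203.0.113.7 as brute force against alice@example.com (with a successful login at the end of the burst) and 198.51.100.23 as credential stuffing that got into frank@example.com, while bob's single typo is ignored. The thresholds are deliberately low for the sample; on a real endpoint tune them to your traffic, and remember that a distributed stuffing campaign spreads attempts across many IPs, so a per-account view (failures from many distinct sources) is a necessary complement to this per-source view.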

Phishing / Whaling

Attackers have been wildly successful at using social media to gather information about an individual in order to build highly targeted, believable, and hard-to-detect campaigns that extract money from organizations. With access to a Facebook account, an attacker can freely mine private messages, friend lists, and photos for this information, and can send the lure from a trusted identity rather than a stranger’s.

Hijacked profiles

Once a threat actor has cracked the password, they control that user account. Hijacked accounts can be used to propagate fake news and accelerate disinformation campaigns aimed at influencing public discourse. Check out our recent research to learn more about this.

Signing into other applications with Facebook credentials

Many applications let users sign in with their Facebook account instead of a separate password. Once a Facebook account is hijacked, the threat actor can therefore also log into every application that accepts Facebook as its method of authentication, none of which ever saw the guessed password.

What we found

The section below describes additional detail and screenshots demonstrating the findings.

Analysis

About the source: Raid Forums is an English-speaking community and platform for sharing database dumps, leaks, cracked accounts, and tutorials for schemes. Hacking is an encouraged topic while carding is banned. Threat actors use this forum to exchange and trade corporate data and user accounts.

About the incident: “teamkelvinsecteam” describes a tool for brute forcing Facebook passwords and refers to its location on GitHub: https://github.com/Oseid/Facebom.

About the target: Facebook

Screenshots:

Figure 1: In the screenshot above, the tool is pointed at a specific email address in order to recover the password. It runs through a word list, a large file of candidate passwords, trying each one until one matches the victim’s password.

Figure 2: This screenshot shows the options for setting up the brute force: #1 Facebook ID (the target); #2 word list (the file of candidate passwords); #3 an optional proxy setup; #4 the target’s Facebook profile URL, used to look up the victim’s ID. At the bottom of the page, the author left a GitHub link providing a free download of the tool.

Conclusion

The ease with which social media accounts can be hacked, coupled with their far-reaching impact, makes them an attractive target for threat actors and a huge risk vector for your organization. Below are steps your organization can take to mitigate the threat.

Strong password policies
Multi-factor authentication everywhere, including on personal social media accounts (a second factor stops a word list attack even when it guesses the password)
Security awareness training
Monitoring for breached credentials
Web Content Filtering
Cloud access broker solutions (CASB)
Mobile device management (MDM)
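Two of the steps above, strong password policies and monitoring for breached credentials, can be combined into a single check at password-set time that also addresses the password reuse problem described earlier: reject any new corporate password that already appears in breach data. The script below is an added example, not GroupSense’s lookup tool and not Facebom code; it shows the k-anonymity range lookup technique, in which only the first five hex characters of the password’s SHA-1 leave the client and the remaining 35 are matched locally. The breach corpus and the occurrence counts in it are constructed for offline use; in production the `range_lookup` callable would query a real breached-password feed (for example Have I Been Pwned’s `https://api.pwnedpasswords.com/range/<prefix>` endpoint, which returns `SUFFIX:COUNT` lines) and the defaults here stand in for it.

```python
"""Check candidate passwords against a breach corpus without revealing
the password, using a k-anonymity SHA-1 range lookup.

Added example for this post; not GroupSense's lookup tool. The corpus and
counts are constructed for offline use. In production, range_lookup would
fetch https://api.pwnedpasswords.com/range/<prefix> and return the
'SUFFIX:COUNT' lines of the response body.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of breached occurrences.
# The numbers are illustrative, not real breach statistics.
CONSTRUCTED_BREACHED = {
    "password": 3730471,
    "123456": 23547453,
    "letmein": 236101,
    "Summer2018!": 42,
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form range endpoints key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus the way a range endpoint serves it:
    5-char SHA-1 prefix -> ['SUFFIX:COUNT', ...]."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def local_range_lookup(prefix):
    """Stand-in for the remote range query; it only ever sees the prefix."""
    assert len(prefix) == 5, "only a 5-char prefix should ever be sent"
    return RANGE_INDEX.get(prefix, [])


def breach_count(password, range_lookup=local_range_lookup):
    """Return how often `password` appears in breach data. The 35-char
    suffix is compared locally, so the full hash never leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password, min_length=12,
                        range_lookup=local_range_lookup):
    """Policy check: a length floor plus the breach lookup.
    Returns (ok, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password, range_lookup)
    if n:
        return False, f"seen {n} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Summer2018!", "correct horse battery staple"]:
        print(repr(pw), "->", password_acceptable(pw))
```

Note that the order of checks matters: the length floor runs first so that short passwords are rejected without any lookup at all, and a password that passes the floor but shows up in breach data is rejected with its occurrence count, which is useful feedback for the user. Running the same check against an existing credential store is how the “monitoring for breached credentials” step is usually operationalized, with the difference that the comparison there is driven by new breach data rather than by a user choosing a password.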

Wondering if you’ve already been impacted? Use our lookup tool, which contains nearly 12 billion records, to see if your email address has been compromised in a data breach.