“Facebook Hacking Site” Leads to Costly SMS Scam

Spammers tend to exploit any available medium to drive traffic to their sites.

Everyone who has an e-mail account is acquainted with e-mail spam. If you use social networks like Facebook, Twitter, or Pinterest, chances are you’ve also seen spam posted by spammers or hacked accounts on those sites.

Anyone who manages a fairly popular blog or news site is also aware that spammers try to leave comments as well.

I find it somewhat amusing when spammers attempt to leave comments on articles at my own security blog, the JoshMeister on Security. Typically these attempted spam comments aren’t noteworthy enough to bother writing about.

But this time, someone attempted to link to a site that supposedly allows you to “hack a Facebook account.”

Following is a rough translation of part of the site (based on translation attempts by Google and Bing):

Our site offers recovery services for the social network Facebook, our tool ensures you to hack a facebook account without software assistance. Hack-face uses the most advanced exploits as well as 5 methods of decryption, so it is possible in a few minutes to get the password for the targeted account. Instantly receive email logins on your choice so that you can get access.

So at first they claim to offer “recovery services,” implying that if you lose access to your account you can regain access via this site. (Don’t count on it.) Then immediately after that they revert to what the big headline says: that the site enables you to “hack” a Facebook account, which implies malicious intent. So which is it?

And just to make sure they cover all their bases, there’s also a section of the page that claims that the site offers a “Facebook Penetration Testing Tool” that uses “new technologies such as the cloud and exploit kits” to “effortlessly” hack Facebook.

The term “penetration testing” implies that the tool attempts to find security weaknesses in a system with permission from the owners or operators of that system. I think it’s fairly obvious that Facebook does not want everyone in the world to be able to hack into everyone else’s account.

More concerning than the site’s claims is the fact that the site has a Login page.

Given that many people reuse their passwords across multiple sites, this site may be sneakily collecting usernames and passwords that could potentially be used to access a would-be hacker’s Facebook or other online accounts.

Thus, if someone stumbles upon this site and tries to use it to hack someone else’s Facebook account, they may end up getting their own account hacked instead.

Ah, irony.

The site also attempts to collect mobile phone numbers from wannabe hackers. If you were to type in a Facebook page name and click on the “Recuperer ce compte” (Recover this account) button, it loads a page that pretends to show a real-time hack of a Facebook account, and then redirects to another page that asks you to send two SMS text messages to a number to get codes that will allow you to pay and continue with the alleged hack.

There’s no mention on the site of exactly how much this would cost you, however.

While it’s doubtful that the site can actually hack Facebook accounts, the site operators clearly could send you SMS spam or sell your number to other companies once they’ve obtained it.

But one could argue that the biggest danger is that it could steal your money.

Texting this number may also result in an attempt to automatically bill you through your cell phone service provider. A Google search for SMS 81073 reveals complaints on several French-language forums in which users claim to have been charged about €4.50 per text message. Evidently, 81073 is an example of what’s known as a “premium SMS” or “premium messaging” number. Given that this site is asking for two codes (presumably requiring you to send two text messages to that number), if you text the number twice you’ll probably see at least a €9 (U.S. $12) charge on your next phone bill.

So the moral of the story is that you should never trust sites that claim to let you hack into someone’s account (or, for that matter, any sites that are advertised via spam).

For additional tips on how to avoid falling victim to premium text messaging scams, or how to dispute charges that show up on your bill, see the additional information I’ve written up in a companion article at the JoshMeister on Security. There you’ll also find suggestions for preventing comment spam on your blog or news site, as well as details about the spammer herself (if the spammer is indeed a woman) and the scam site she attempted to advertise.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.