Tag Archives: registrar

Hundreds of Facebook Groups Hacked


(Update UTC 2100: I’ve received a reply from Erik Hjort af Ornäs, the registrar of the site itself, and have included his statement below and in the comments, as well as that of Facebook. Both deny any hacking took place.)

A hacker, or group of hackers, has found a back door into taking over Facebook groups, and is now doing so, claiming it to be a public service. It has taken over up to 300 different Facebook groups so far.

This is an example of one:

image

On each of them the group name is changed to Control Your Info, the group logo is changed and its description is altered to:

Hello, we hereby announce that we have officially hijacked your Facebook group.
This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severely.
For example we could rename your group and call it something very inappropriate and nasty, like “I support pedophile’s rights”. But have no fear – we won’t. We just renamed it Control Your Info. Because this is really all we want:
Think about the safety in your social media life to the same extent you do in your real life.
Watch the videoclip for more information or check out www.controlyour.info for more tips soon!
We promise to restore your group name and leave the group by the end of next week. Don’t worry – we won’t mess anything up.
Best regards
/controlyour.info

A message is then sent to all members of that group.

The method is explained on the hackers’ website:

Facebook Groups suffer from a major flaw. If an administrator of a group leaves, anyone can register as a new admin. So, in order to take control of a Facebook group, all you really have to do is a quick search on Google.

When you’re admin of a group, you can basically do anything you want with it. You can change its name, and the group’s members won’t even get a notification of it. You can send mails to all members and edit info. This is just one example that really shows the vulnerabilities of social media. If you choose to express yourself on the internet, make sure the expressions are your own and not a spammer’s. This isn’t some kind of scare tactics, nor is it a hack, it’s a feature that can be used, and is being used, in bad ways. Remember, control your info! Also, this project is strictly not for profit and done for a good cause.

It’s not clear to me how they search on Google for recently departed admins, but I’m sure it’s relatively easy.

Neither is it clear who is behind the website itself. The site is registered to one Erik Hjort af Ornäs of Stockholm. I’m emailing him to seek more information. Here is his statement:

Our main goal is to draw attention to questions concerning online privacy awareness.

We have seen too many examples where friends and relatives of ours have suffered from their lack of in-depth knowledge concerning their online presence. After some research we discovered this is a widespread problem. People have even lost their jobs over Facebook content. So we wanted to do something about this.

Our method of choice only serves the purpose to prove our point and put emphasis on how easy it is to lose track of a part of your online presence. If we wouldn’t have communicated this way, our message would probably have fallen into oblivion the moment it got out.

So, what exactly did we do and how?

We discovered that many groups on Facebook are left without an administrator. All we needed to find these groups was one quick Google search. The search results also revealed many groups that already had been hijacked by various people. Their intentions remain unclear.

So we simply joined 289 open groups and made ourselves administrators. We did not hack anything. Once we were administrators we owned the groups and could have changed any setting. We chose to change the picture, the name and the description of every group. Our intention was and is to restore these groups to their original form and find a suitable admin among the members. To be able to do this, we first backed up all the data we wanted to replace.

During the process we broke the terms of service, as defined in the Statement of Rights and Responsibilities of Facebook, and were rightfully banned:

§ 4.1  “You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission”.

We created fictive accounts for one reason: we wanted to put focus on our message rather than our persons. It also eased the process of joining and administrating this large number of groups.

Facebook is apparently not aware of this bug in their software. In response to an emailed query, Facebook denies that there is a bug in their software, that any hacking took place, or, apparently, that there was any mass takeover of groups. According to a spokesperson:

There has been no hacking and there is no confidential information at risk.  The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group.  Group administrators have no access to confidential information and group members can leave a group at any time.  For small groups, administrators can simply edit a group name or info, moderate discussion, and message group members.  The names of large groups cannot be changed nor can anyone message all members.  In the rare instances when we find that a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups.

My comment on this: 300-odd Facebook accounts hacked—or usurped, or hijacked, or whatever you want to call it—is not a ‘rare instance’. What’s more, the groups I checked were very much still active. I frankly don’t find the Facebook response particularly helpful or reassuring.

It’s hard to see how this public service helps—the group, or individual, should be approaching Facebook and helping them plug the hole. This tactic is likely to sow confusion and fear among the Facebook populace, and possibly lead to the erasure of some treasured data on those defaced groups.

The Gates Are Open, Phishers Welcome

I’m probably naive, but I’m gobsmacked that, nearly 24 hours later, a phishing website is still active despite my alerting the registrar and host of the domain in question. The only access was via a form so I’m not able to record my email to them but it was shortly after I posted the comment above.

I’ve not been able to contact the bank in question because there’s no media contact that I can find on their website. The scam has been recorded here and the Halifax website seems to be down so perhaps something is happening. But why is the original phishing site still up? And why don’t banks have an easy way for members of the public (or journalists, for that matter) to alert them to such scams? Millers Miles, which records phishing attacks, has recorded more than a dozen against the Halifax in the past year. 


Phishing and the Peril of Fonts

I’m amazed at how lax domain registrations still are, despite the fact that phishing is now so much a household word that even my mum’s heard of it. But here’s another trick being used to try to dupe those people who still remain gullible: change the “o” in online to “c” because in many email readers it will look more or less the same:

Halifax2

Which it does, actually. Quite a neat trick, if you like that kind of thing. (There really is a Halifax Online, and the website address is exactly the same, minus the o/c thing. Even the homepage is the same JavaScript login page as above, and everything looks the same minus a note at the bottom saying the bank never asks for personal details via email.) Clicking on this link will take you to a webpage that, surprise, surprise, looks very much like the UK’s Halifax Building Society:

Halifax3

I haven’t investigated it further, but I’m assuming the data entered quickly finds its way into the pockets of scumbags, and there’s probably some other nice bits and bobs being loaded onto one’s computer as it happens. The site is still live as of writing, with the address in the first screenshot above.

What amazes me is that the registrar won’t bat an eyelid at what is obviously a very dodgy domain name — Halifax being quite a well-known brand in the UK — and, indeed, even accepts the registration as a “private” one, and therefore allows the person registering the domain to not submit any address or phone number:

The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

The registrar in this case is PIPEX Communications Hosting Ltd, also known as 123-Reg.co.uk, whom I’ve asked to comment on this. Halifax is also being told about it, just in case they don’t know.
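The o/c substitution described in this post can be caught mechanically by folding look-alike characters before comparing domain labels. The following is an added example, not code from the original post; the confusable table and every domain name in it are constructed placeholders.

```python
import unicodedata

# Constructed, non-exhaustive table of characters that render alike in many
# mail-client fonts. Each key folds to the character it can pass for.
SINGLE = {"c": "o", "0": "o", "1": "l", "i": "l", "5": "s"}
MULTI = {"rn": "m", "vv": "w"}

# Placeholder for a bank's real registered domain (assumption, not from the post).
OFFICIAL = {"examplebank-online.example"}


def skeleton(label: str) -> str:
    """Fold a DNS label so that look-alike glyphs compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return "".join(SINGLE.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def classify(domain: str, official: set[str] = OFFICIAL) -> str:
    """Return 'official', 'lookalike', 'near-miss' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if domain in official:
        return "official"
    labels = domain.split(".")
    brands = [d.split(".")[0] for d in official]
    # Same skeleton, different domain: renders like the brand but is not the
    # brand. This also catches the exact brand label on an unofficial domain.
    if any(skeleton(l) == skeleton(b) for l in labels for b in brands):
        return "lookalike"
    # One insertion, deletion or substitution away: queue for manual review.
    if any(edit_distance(l, b) == 1 for l in labels for b in brands):
        return "near-miss"
    return "unrelated"


if __name__ == "__main__":
    for d in ("examplebank-online.example", "examplebank-cnline.example",
              "examplebank-onlin.example", "weather.example"):
        print(f"{d:32} {classify(d)}")
```

The folding is only meaningful relative to a known brand label, so it belongs in a mail filter or registration-monitoring job that already has a list of domains to protect.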

More On Phishing And Top Level Domains

Further to my posting on top level domains being registered with clear criminal intent (the example I used was paypal.de.com, in ‘How to make a phish look real’) I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here’s his reply in full:

I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.

There are a few issues in your article that concerned me…

1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTlds. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTlds. There are many ccTlds that do not have restrictions and the trend amongst Country Code operators is to reduce those restrictions on residency, etc.

The reason for this is that ccTld operators have found that their sales increase when they reduce restrictions. It’s a double edged sword; more sales, more potential abuse.

My point however, is this… You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).

2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.

3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).

The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.

4. Finally, we work with a few world renowned brand managers like MarkMonitor.com who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It’s a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.

Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.

Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.

Thanks for the comment, Joe. I notice the website in question has been removed.