Want to hack a friend’s Facebook account?
That’s exactly what the “Hacking Facebook” site* promises it can do for you.
Actually, though, it turns out that it’s not so much that the site can hack for you, but it most certainly can do it to you.
Security researcher Joshua Long writes that he tracked down the site after getting spam flaunting its Facebook hacking services.
What it’s really up to, he writes, is a spendy little scam that offers to let you watch a Real! Live! Facebook! Hack! … which, if you want to continue with this supposed “hack,” requires that you send two SMS text messages to a number for codes:
"In short, the site tricks wannabe hackers into sending texts to a premium SMS number (81073), which leads to charges on their next phone bill.
"The site may also collect login details that could later be used to try to hack into the would-be hacker's various online accounts (Facebook or otherwise), and of course once the spammers have your phone number they might also send you text message spam (or sell your number to other spammers)."
Long offers this rough translation of the promises made by Hack Facebook:
Our site offers recovery services for the social network Facebook, our tool ensures you to hack a facebook account without software assistance.
Hack-face uses the most advanced exploits as well as 5 methods of decryption, so it is possible in a few minutes to get the password for the targeted account. Instantly receive email logins on your choice so that you can get access.
The site mixes wording associated with legitimate security services with that of malicious hacking, Long notes, as it first offers “recovery services” for regaining account access (sounds benign, eh? Don’t count on it, he says), then jumps to the promise of hacking an account “without software assistance” and using “the most advanced exploits” on top of “5 methods of decryption” to get a target’s password.
Long says there’s also a portion of the site that offers a “Facebook Penetration Testing Tool” that uses “new technologies such as the cloud and exploit kits” to “effortlessly” hack Facebook.
What a mess of duplicitous verbiage, Long muses:
"The term 'penetration testing' implies that the tool attempts to find security weaknesses in a system with permission from the owners or operators of that system.
"I think it's fairly obvious that Facebook does not want everyone in the world to be able to hack into everyone else's account."
Definitely read Long’s full post for his hypothesis on how the site might be rigged to get your login details, on top of the premium text-messaging scam it’s pulling.
Naked Security offers some tips on dealing with mobile SMS/text spam here and Long provides a list of instructions for how to opt out of receiving premium text messages or disputing charges for most US providers.
*No, sorry, I’m not including a link to this site. I love you too much to expose you to such peril. Besides, Long fuzzed out the URL.