Facebook group being hacked

A Facebook group with 6 admins is being hacked. I suspect that one of the admins has accidentally allowed someone to get their password.

The hacker comes in at night, using a username that is not an admin, and not in the member list. They delete everything - all threads, all posts - then disappear.

That sounds to me like they are changing their name while online and within Facebook, so no one will see that they are using a specific admin account, but that's just a guess.

Facebook security is a joke.

Facebook has no way (that I can find) to even report it.  If I could report it, I would have a chance to get Facebook to look in the database log. The FB database logs would certainly have the IP address of the hacker. If I could get that, I would file a criminal complaint with the police.

Anyone have any ideas?

Thanks,

Dennis
dtleahyAsked:

ujitnosCommented:
Communicate internally with the 6 admins and change the password.
0
btanExec ConsultantCommented:
If it is an insider threat, it is not easy, and I was thinking we could communicate with the bad actor: send him an email and get the email response header, which has the IP. But it doesn't seem the bad actor will be cooperative. You may want to take a look at the account hacked item:

 http://www.facebook.com/help/security
 http://www.facebook.com/help/hacked
0
dtleahyAuthor Commented:
I did communicate with them, and told them to change FB passwords. I still wonder if there is a keylogger or a compromised wifi connection or other way that the hacker (probably) got one of the admin passwords.

The hacker, if they did have an admin password, could have deleted all other admins from having admin privileges, or could have deleted them all. The hacker could have deleted the group. But the hacker simply deleted ALL threads, leaving an empty group. Seems like that would take a while, but according to some other group member who happened to be on the page, the hacker first inserted a bunch of gobbledygook spam on a number of threads, then 2 minutes later, the group page was completely empty. Can an admin even do that? I wonder if there is another exploit that required the hacker to insert a bunch of spam comments first.
0

btanExec ConsultantCommented:
Apparently an administrator can grant those rights to others to do those things, and I believe you are not the only victim. We can try to isolate the problem by disabling admins, leaving one admin, and see if the attacker still comes in; if so, I sense that it is not as intelligent but more automated, like bots. Doing it in fast fashion does cause alarm, but we will want to avoid false positives. Also, the previous admins can try not using the machines they usually use to surf the web. Shut them down if possible and monitor activities; if the attacker still comes in, apparently they are persistent and definitely more towards the bot type, controlled by some C&C server.

Can run Malwarebytes or rootkit razor. Also try using a complex password, not a simple one. There are also trojans such as Koobface that spread really fast with friends made and accepted...
0
dtleahyAuthor Commented:
Started a new FB group. Different admins. Both the original and the new group got hacked last night, all threads/posts deleted.
0
dtleahyAuthor Commented:
Well, it appears that it is very easy for anyone to get Facebook passwords.

Watch the video on this page (takes just 36 seconds.) You'll see this hacker software blows right through the security of Facebook. And this was found just in a quick Google search - there are probably other programs that do the same thing. The security of Facebook must be ridiculously easy to break.

*link deleted by posting member's request by Netminder 18 Nov 2011*
0
dtleahyAuthor Commented:
Now I see that it takes FOUR DAYS to delete a question, so that is not a solution. I alerted the mods, and asked that the URL above be deleted.

in the meantime,

DO NOT GO TO THE LINK IN MY POST ABOVE.

VIRUS SITE!
0
btanExec ConsultantCommented:
Noted, thanks. Just to add last comments: if using an infected machine, no defence or security can be assumed unless in a clean slate state. Facebook has security settings to, so to speak, harden the account access further, but the weakest link is still the device and the user accessing them. They are the low-hanging fruit for the hackers....
0
dtleahyAuthor Commented:
OK, so the way the attacks come (and they keep coming), there is a username that is not familiar, and a flood of junk posts is thrown onto the wall. They come in fast and furious, one after another. Probably has to be a programming loop.

They appear to be using something like this:

(link to a YouTube video)
http://www.youtube.com/watch?v=oBMLt1G6qxU

But, then in step 2, they quickly delete posts. I have only been online once to see a few seconds of it, but it appears they then use an exploit to loop through thread elements and delete them (which deletes the whole wall.)

I need to know how to stop this.
0
btanExec ConsultantCommented:
Tough to say stop the "bot" since it is persistent to get into your facebook accounts. It looks to me probably is to even stop them from coming in with facebook assistance means...

a) Some Facebook assistance below.
> Facebook's Roadblock tool can help verify your identity and secure your account against the spammer. http://www.facebook.com/hacked/
> If a scammer gained access to your account password via phishing attack, you can fill out Facebook's phishing report http://www.facebook.com/help/identify.php?show_form=account_phished
> Provides a separate form for reporting a malicious link or website http://www.facebook.com/help/contact.php?show_form=report_phishing

b) Implement a two-step login process. If you enable this feature, Facebook will send a verification text to your mobile device before allowing access from the new location.
https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920

c) If you fell for a rogue app and mistakenly clicked "Allow," or if you notice excessive activity on your account, you should edit your list of apps and remove any suspicious ones. To do this, open the drop-down box under your Account tab, click "Privacy Settings" and find the "Apps and Websites" settings management tool (at the bottom of the page).

d) Edit your interests on your profile and remove any links to spam sites you may have acquired.

e) One of Facebook's new security features may also notify you of suspicious activity on your account, such as excessive "Likes" or posts.
http://www.facebook.com/notes/facebook-security/keeping-you-safe-from-scams-and-spam/10150174826745766
0
dtleahyAuthor Commented:
Hi breadtan, I appreciate you trying, but this is all stuff I have seen in Facebook. I think they gave up on taking any input that has to be read by a human, and have gone to all automated algorithms.

Today, I received a message and a video with death threat, from this group of hackers.  I need to identify exactly who they really are. If there is no way to contact a human at facebook, I'll try the FBI.
0
btanExec ConsultantCommented:
Suggest the FBI then, they can be persistent and it is not fruitful doing it alone. Can also seek IC3 advice too... http://www.ic3.gov/contact/default.aspx
0
dtleahyAuthor Commented:
While authorities look into the threat, I would still like to help the group out in solving the issue, if possible.

So, here's an exploit in progress:

Step 1: flood the page. Note that these posts are at most one minute old, yet are time stamped from 23 hours ago. http://img12.imageshack.us/img12/7870/9d29ec5f1e4c4a72a6e64e2.png (screenshot image of spam posts flooding a Facebook group wall)

Step 2: ??? (I don't know, but when they run their routine, the result is that the Facebook group page is blank.)

Dennis
0
Russell_VenableCommented:
The problem with social media sites is that they are rich in JavaScript content... So suggesting to turn off JavaScript is not really an option, since it disables most of Facebook's features. The mitigating factors are:

-Dirty admins. 6 admins is a lot... Then again, you did say that when it first happened the links disappeared rapidly (2 minutes). This part could just be the admins deleting the "spam" content. I used to defend groups from these attacks.
-Users viewing videos posted. Example of Koobface described by Trend Micro. Believe it or not, this is a way criminals get into your system.
-Following a fan page that has step-by-step instructions that entice the user to run a JavaScript bookmarklet in their browser. Seen this way too much. You wouldn't believe the number of gullible people out there.
-A big portion falls on poor internet surfing habits. I see it every day.

Simply put: if the user does not care about security, they won't have any. If the user does care, then they can follow this Facebook Best Practices list and also Facebook Privacy and Security to give themselves better protection on Facebook to start out with.

When this "hacker" messaged you with a video, was it a Facebook video or some other kind, like YouTube or something else? I would also suggest you not make any contact with these people. Block and report are good tools on Facebook. If the threat videos reside outside of Facebook, there are a few things you can do. You can trace where the video is coming from and report to the ISP about cyberbullying and life threats coming from this domain. There really is not much else you can do legally. If they contact you via email, that is not a good sign, and now they know where you are located! I seriously doubt most people use anonymity in emails these days using an anonymous proxy. Emailing these people will lead to other bad things like identity theft. So take it from this expert. Keep calm. Stay smart. Limit contact. Screen/limit administrators; 6 is a lot! Do you really need that many? Teach them better administrator tactics and make sure they heed best practices. Breadtan brings up an important point where you have a second login verification. Use this if you can. Anything that you can add to your advantage, do so. If you go by the checklist you should have good antivirus protection, firewall setup, and be better informed. The rest is mainly making good choices.
0

btanExec ConsultantCommented:
In the same light as Russell_Venable, there is little a user can do if the source is not coming from any of the admin machines, which I believe is some other machine that is unknown and not straightforward to trace. Unless they leave trails like Russell shared. If they post an image, you can try to download the image and see its EXIF (if avail) for geolocation and other details, but it may not be accurate. If we are facing a bot machine, it will not be fruitful even tracing it down. The idea is to prevent them from coming in - we are already in the reactive state, and the best means is really to make it harder for them to log in to your account. The Facebook measures should still be useful to deter (but not stop) if tried. As end users of Facebook, we can only do so much; we should understand the limitation and escalate accordingly.
0
dtleahyAuthor Commented:
There are videos on YouTube that show how to run a script to (loop) spam multiple posts to a wall.
There are videos on YouTube that show how to run a script to (loop) clear all posts from a wall.

These are external scripts, and so I suspect that only Facebook's own programmers could change the Facebook code to stop these types of attacks. I do not believe that there is anything that I can do to stop this person.

At first, I thought it had to be an admin, but now believe that was a red herring. I don't think an admin account has anything to do with this. I do think the attacker HAS to be in the Facebook group as a MEMBER. As a member, they have posting privileges within the group, so they can run the spam loop script. They seem to do this every time that they want to clear the entire wall off, so the 2nd script that they run must have something to do with the flood of posts that they posted.

The group has nearly 800 members, so it is really not possible to go through the list each time there is an attack to see what changed, but someone's identity does change (or the leftover fake identity used does remain.) The attacker may have multiple sockpuppet accounts all listed as a member (probably this is true.)

There may be yet another script/hack to allow members to add a new member to the group (even though the FB Group is set up so only admins can add a member.) I was online during one attack, and there was a "new" member with a Russian-looking name at the top of the list of members (only during the attack), and once the attack was finished (and the wall was wiped clean), the Russian member was gone. May have been a new member, may have been a member whose name was temporarily changed. Other times, I have seen a member name that was not there before, and they have a "dead" profile (their name is not a hyperlink, and is in black font instead of blue.)

This idiot has too much time on his hands. Like I said, I believe the problem is bad programming by Facebook, allowing the vulnerability. To make it worse, there is NO WAY to contact FB for any help. I did report it as a bug. I'm not holding my breath. Because it is not a phishing attack, and not an attack on a personal FB account (remember, it is a FB Group that is being attacked) - FB's "help" system has nowhere to even report it.

I mention all of this because I do not think the problem was solved, but I will allocate the points anyway - for trying.

Thanks to breadtan and Russell_Venable for trying!

Dennis
0
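The post above notes that with nearly 800 members it is not practical to re-read the list after each attack to see what changed. As an added example (not part of the original thread), this Python script diffs saved snapshots of the member list; it assumes an admin can record each member's profile ID and display name, and every ID and name below is constructed.

```python
"""Diff saved member-list snapshots of a group to surface roster changes."""


def diff_rosters(before, after):
    """Compare two snapshots (dict: profile_id -> display name)."""
    added = {pid: name for pid, name in after.items() if pid not in before}
    removed = {pid: name for pid, name in before.items() if pid not in after}
    renamed = {
        pid: (before[pid], after[pid])
        for pid in before.keys() & after.keys()
        if before[pid] != after[pid]
    }
    return {"added": added, "removed": removed, "renamed": renamed}


def transient_changes(snapshots):
    """Find changes seen only in the middle snapshots: members present
    neither before nor after, and names that changed and then reverted."""
    first, last = snapshots[0], snapshots[-1]
    members, names = {}, {}
    for snap in snapshots[1:-1]:
        for pid, name in snap.items():
            if pid not in first and pid not in last:
                members[pid] = name
            elif first.get(pid) == last.get(pid) != name:
                names[pid] = (first[pid], name)
    return {"transient_members": members, "temporary_names": names}


# Constructed sample snapshots (hypothetical IDs and names): taken before,
# during and after one flood-and-wipe incident.
BEFORE = {"1001": "Alice Example", "1002": "Bob Example", "1003": "Carol Example"}
DURING = {"1001": "Alice Example", "1002": "Placeholder Alias",
          "1003": "Carol Example", "9001": "Unknown Poster"}
AFTER = dict(BEFORE)

if __name__ == "__main__":
    print(diff_rosters(BEFORE, DURING))
    print(transient_changes([BEFORE, DURING, AFTER]))
```

Comparing only the before and after snapshots shows nothing here, which is why a snapshot taken while the flood is in progress matters.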
dtleahyAuthor Commented:
Russell, I forgot to mention, the threatening video is on YouTube, under a different account name. That's a different issue, and is being dealt with - in a different way by different people. (sorry to be vague) Thank you for the concern, and the advice.
-Dennis
0
Russell_VenableCommented:
Np, I don't recommend having a group on FB anyways. I would rather have one on a BBS that I control rather than have a large organization manage or not manage for that fact. Take it easy.
0