Press Panda Security

Analysis of a Facebook hack – How your identity could be stolen

With its millions of users, the world’s most popular social network has become a perfect target for hackers exploiting such a dense concentration of potential victims. PandaLabs, the anti-malware laboratory of Panda Security, has received numerous reports from users whose Facebook profile has been hacked and whose identity has therefore been placed at risk.

Apart from phishing attacks or spam, which are now easily recognized by many Internet users, hackers are employing new methods which, for the moment at least, are proving to be successful. Here is an analysis of the technique which has been most frequently used over recent months:

Step 1: The bait

The bait normally comes from the profile of a friend whose account has already been hacked. Users typically receive a message (which appears to be genuine) suggesting the recipient clicks a link for one reason or another. In most cases, the message offers a “spectacular video” or claims “you appear in this clip”, and normally includes the user name of the recipient.


Step 2: Phishing attempt

Having attracted the attention of the user, cyber-crooks now need to get the user name and password of the intended victim to launch the second phase of the attack. The page that the link points to is a perfect replica of the Facebook login page, but is hosted on another Web address.
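Because the replica page in Step 2 differs from the real one only in its address, the hostname of the link is the thing to verify. The following check is an added example, not part of the original article; the trusted-domain list, the function name `checkLoginLink` and the sample links (on reserved `.example` names) are assumptions constructed for illustration.

```javascript
// Added example: decide whether a link really points at the site it imitates.
// TRUSTED_DOMAINS is an assumption; adjust it to the service being protected.
const TRUSTED_DOMAINS = ["facebook.com"];

// Returns { trusted, host, reason } for a link found in a message.
function checkLoginLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: lowercases the host, converts IDN to punycode
  } catch {
    return { trusted: false, host: null, reason: "not a valid absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not served over HTTPS" };
  }
  if (url.username || url.password) {
    // "https://www.facebook.com@other.example/" really goes to other.example
    return { trusted: false, host, reason: "text before '@' hides the real host" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, host, reason: "punycode label, possible look-alike characters" };
  }
  // Match the whole domain or a true subdomain; a bare substring test would
  // accept "facebook.com.login-check.example".
  const ok = TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
  return ok
    ? { trusted: true, host, reason: "host is a trusted domain or its subdomain" }
    : { trusted: false, host, reason: "host is not under a trusted domain" };
}

// Constructed sample links, as they might appear in a message.
const SAMPLE_LINKS = [
  "https://www.facebook.com/login.php",
  "https://facebook.com.login-check.example/login.php",
  "https://www.facebook.com@videos.example/login.php",
  "http://www.facebook.com/login.php",
  "https://f\u0430cebook.com/login.php", // Cyrillic "а" in place of Latin "a"
];

for (const link of SAMPLE_LINKS) {
  const r = checkLoginLink(link);
  console.log(`${r.trusted ? "OK   " : "BLOCK"} ${r.host} (${r.reason})`);
}
```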

Step 3: Gaining complete access

Now that the user has clicked the link and entered their login credentials, they have to grant the malicious application which is running the attack complete access to their personal information, as well as the rights to post information through their profile. This ensures that the attack can be spread further through friends and contacts of the victim.

After gaining the permission, the attack continues, targeting the victim’s contacts and starting the process all over again with new users, as illustrated in the example below:

What to do if your Facebook profile has been hacked

Step 1: Firstly, remove all permissions that have been given to the malicious application. This is a simple process: go to Account > Application settings in the top-right corner of your Facebook profile. This ensures that the application will not continue to have access to your profile once the password is changed.

Step 2: Change the login password! To keep your identity safe, it is advisable to change your password and the user name (it’s a good idea to do this from time to time anyway). This is also easy: go to Account > Account Settings in the menu in the top left corner of your Facebook profile. It is also advisable to use strong passwords that cannot easily be guessed.

More information is available in the PandaLabs Blog.



    September 20, 2010 at 4:45 pm Permalink



    You are in reality a good webmaster. The website loading pace is amazing. It sort of feels that you are doing any unique trick. In addition, The contents are masterwork. you’ve done a magnificent process on this topic!

    January 27, 2012 at 6:42 pm Permalink

    Hi there, just changed into alert to your weblog through Google, and located that it is truly informative. I am gonna watch out for brussels. I’ll be grateful for those who continue this in future. Lots of other people will be benefited out of your writing. Cheers!
