What is Red Teaming in Cybersecurity? Red Teaming is a...
NOTE: If you believe your social media account (Facebook, Twitter, LinkedIn, etc) has been “hacked”, skip the intro and scroll down to the “Response Actions” section.
A few days ago, I was at an amusement park waiting in line to board a roller coaster when I received the following from an old mentor via Facebook Messenger:
Investigating the highly suspicious link (safely), I was presented with a malicious page that was disguised to look like a legitimate Facebook login page. An attacker had compromised his Facebook account, and was using the Messenger app to attempt to harvest the credentials of all his friends. I immediately reached out to him via a different medium (e.g., NOT via Messenger) to make him aware of the compromise. I thought that was the end of my involvement, but then he responded with:
“Wow. What should I do?”
This at first surprised me. My old friend and mentor doesn’t work in the information security field, but he is very wise. However, upon reflection, I realized that very few of us have probably thought through what we would do in the first few moments after learning that we no longer controlled one of our social media accounts. This is unfortunate, because time is of the essence. The longer you take to respond to the situation, the more damage the attacker can do to you, your friends and your family. I became aware of the compromise because the attacker was using my friend’s account to attempt to steal my credentials – and I wasn’t the only one being targeted. Immediate action is necessary to stop – or at least minimize – the damage.
I have tailored this post to a “hack” on a Facebook account, but the necessary steps are largely the same writ large. And while nothing in this post is “rocket science,” and I may be made fun of for writing about such a common occurrence, I hope it will at least serve three purposes:
1) Provide an opportunity to “tabletop” what your immediate actions should be if your social media account is compromised, thereby improving your reaction time should an actual incident occur
2) Provide a reference that you can provide to others should you become aware of an attack on their account. Banging out instructions on a phone while under the clattering of a roller coaster was less than ideal. I wished I had a link in my hip-pocket to a quick guide that I could share – and this is my attempt at providing that for myself and others.
Attempt to login to the compromised account. If successful, immediately change your password to a new unique, long and complex password.
If you cannot login, the attacker may have changed your password. Attempt to recover your password by using the “lost/forgot password” function from the login screen. If successful, you will receive an email or text message with a link allowing you to change your password.
However, the attacker may have already changed your recovery email address. If this is the case, take a deep breath! All is not lost!
If an attacker changes your Facebook email address, Facebook will send an email to the prior address with a link allowing you to restore the prior address to the primary email account. Use this link, then use the password recovery tool to get an email allowing you to change your password.
LinkedIn, Twitter and other social media sites have similar procedures – just search for “report a hacked account” along with the name of the service. Losing control of an account is common – there are resources to help!
You need to quickly determine what the attacker has done with your account. Almost certainly, they have used the Messenger feature or other functions to send malicious content to your friends. You have a responsibility to try to protect them. The cleanup may not be quick or easy, but you owe it to those you care for. Facebook has processes to help, but speed is the name of the game here – take matters into your own hands with the steps below whether or not you choose to report the hack to Facebook.
Inside Facebook, open the Messenger tab. You will see all of your recent communications. Examine each communication and look for any messenger that the attacker sent on your behalf.
If you find a message that you did not send, first note whether the message was sent to just one friend or as a group chat. If you hover your cursor over the recipient(s) at the top, any members of a group chat will be revealed. Before you go any further, make a list of all those who are on any malicious individual or group chat sessions – you will want this information later.
Next, click on the three dots next to the message (“•••”). A pop-up will appear with the option to “Remove.” A dialogue box will appear with two options. Choose “Remove for Everyone.” NOTE: This option is a bit deceiving, as it will not remove all instances of the message if they were sent individually – it removes the message to all recipients of that chat session. If the attacker sent only one message as a group chat, your life is easy. If not, you must address each message you sent.
Next, check your own status page. Remove any posts that you did not author.
It is possible that the attacker may have posted on your friend’s timelines. So next click on the down arrow icon that is located on the far right of the blue menu bar at the top of your screen. Select “Settings.” On the screen that appears, click on the “Your Facebook Information” section located on the left pane. A new pane will appear on the right. Choose “Activity Log.” You will now see a chronological listing of all the posts you have made to other people’s timelines. For each entry that is malicious, click on the pencil icon and choose “Delete.”
Finally, take that list of people that received a malicious Messenger message. This may be the most time-consuming part of your recovery: You need to contact those people in whatever manner you can and get an acknowledgement that they understand that your account was “hacked.” Why? Because you don’t know whether they fell for the scam before you took action to remove the malicious messages. They may not know that they have lost control of their credentials. Here is a sample of what you should tell them:
“On Monday afternoon, my Facebook account was used by a cyber criminal to send a scam message. If you clicked on this message and entered any information, you should consider that information in the hands of the attacker. If you entered your username and password for any site, your account for that site may be compromised.” You might also include a link to this article!
My friend was able to stop the attacker during the initial stages – using the compromised account to try to get others to also provide their credentials. That’s good news, because the next stages can be much, much worse. The attacker may impersonate you in communications with your friends or family, and use your relationship to trick them out of money. They will most likely target those that appear the most vulnerable – grandparents, teens or those that otherwise appear more likely to fall victim. That’s when things get very, very ugly – and it happens every day. Whether you have been hacked or not, please take a few moments to think about how you respond when you receive a suspicious message, and take steps to ensure that you are using a long, strong and unique password for each site. Facebook may be a nice place to stay in touch with friends, but the possibilities for serious harm in the hands of a cunning attacker are endless. Feel free to save this post and keep it handy – you never know where you will be when someone you love needs quick help.
What is Red Teaming in Cybersecurity? Red Teaming is a...
The NIST Privacy Framework: Defined and Outlined Linkedin Twitter Youtube...
A Stolen Data Auction, Microsoft Office, and Facebook’s Acquisition: May...
The Cybersecurity Maturity Model Certification (CMMC) Part 1: Why Do...