How Facebook & Instagram accounts are hacked by Malware

  • Added on 14. 12. 2023
  • Infostealer Malware is often used in false messages to hack your Facebook and Instagram accounts by stealing session tokens or passwords. This video shows the behind the scenes of an attacker collecting such information via a Telegram channel. Try Guardio : guard.io/pcsecurity (sponsor)
    Research article for details: labs.guard.io/mrtonyscam-botn...
    Buy the best antivirus: thepcsecuritychannel.com/best...
    Join the discussion on Discord: discord.tpsc.tech/
    Get your business endpoints tested by us: tpsc.tech/
    Contact us for business: thepcsecuritychannel.com/contact
  • Science & Technology

Comments • 349

  • @HamedEmine 6 months ago +59

    Thank you for shedding light on this, I believe it's the same malware that's been propagating via Facebook's sponsored posts, or it could be a variant...

  • @benjoe999 6 months ago +87

    They can't hack your social media account if you don't use any 😋👌

    • @I_love_15_years_old_girls 5 months ago

      🗿

    • @WordMouth 5 months ago +13

      What a nice trick, what can we expect from a user with the name Ben Joe 999 🗿

    • @shalk8769 5 months ago +7

      Then why are you using yt?

    • @muzzammilshigri790 5 months ago

      @@rahulmahato4177 Android can be cloned easily and if you get the OTP you can do anything 😉

    • @cryptosimsihc 5 months ago

      ​@@rahulmahato4177 other use 4 authentication code

  • @Slayer44556 6 months ago +9

    This is awesome and something not covered enough!!! Awesome video!

  • @Zachsnotboard 6 months ago +2

    Your best video by far ❤

  • @losamosdeluniverso 4 months ago

    I will use your video as a reference, great info

  • @txfalkon2882 5 months ago +2

    awesome video and informative. this was worth the sub. keep it up. greatest weak is us. wanting to make life simple yet trading off security. guys can get informed.

  • @invghost 6 months ago +27

    Could this be reverse engineered to make it send an infinite amount of mass garbage to the telegram channel? Either by editing the cookies with a whole bunch of excess data that would have to be received, or just targeting the telegram channel directly.
    I would assume that if it kept getting bombarded with new information, they wouldn't ever have a chance to make use of any of the other credentials that they're getting from successful infections elsewhere, plus it would make the people selling the malware as a service look incompetent.

    • @REVOLUTIONS51 6 months ago +10

      That's a nice idea, yet you'd need to invest enough time to make them credible otherwise it's not difficult to discern a pile of garbage from real looking data

    • @DonVigaDeFierro 6 months ago

      @@REVOLUTIONS51 I'd flood the channel with fake mass voice calls.

  • @Capt-Intrepid 6 months ago +10

    As you can see, this requires gross negligence by the user.

    • @drengillespie 6 months ago +7

      I saw a quote about accidents being negligence planned in advance.

    • @DonVigaDeFierro 6 months ago +2

      Layer 8 error.

  • @ghostHackd 6 months ago

    Thanks, Leo!

  • @chrismitchell6478 6 months ago +12

    People are their own worst enemy when it comes to security. You don't need to install malware on a person's computer in order to take over their account. They inevitably end up giving out all the info that is needed to reset logins for their accounts.

    • @NiazMohammad 4 months ago

      How? Could you please enlighten on this?

  • @onceuponatimeonearth 6 months ago +18

    Windows / browsers should have these files encrypted by default.

    • @tablettablete186 6 months ago +1

      And how would you use it if it was encrypted?

    • @onceuponatimeonearth 6 months ago

      @@tablettablete186 auto decrypt on use. a 10 letter word is just a few bytes, it would be instantaneous

    • @fartful 6 months ago +6

      cookies are hashed (passwords are not readable)

    • @onceuponatimeonearth 6 months ago

      @@fartful Passwords don't have to be readable. You just need the session trusted device files.

    • @Daniel15au 6 months ago +2

      If the browser can decrypt it, then some malware likely can too.

  • @AkashSingh-uk5ub 6 months ago +1

    It's either the person or the system, from the Soviet hackers era till now

  • @JoshsYouTube 6 months ago +1

    Uggg, the swoosh sound fx drive me crazy

  • @codemasterz6074 6 months ago +2

    it is ludicrous that the browser does not store credentials encrypted. how is that even possible?

  • @playerhk8649 5 months ago

    Tried that method around 6 months back (ofc in my own pc) it somehow does not work. For discord it worked around 1.5 years back on the app itself but for chrome it didn't work. Maybe time to check again now.

  • @pedrobarthacking 5 months ago

    great video! can you share the malware ? thank you

  • @Madbroandrewofficial 6 months ago +5

    How it works when bot send only link without any download etc.? My close friend had random message from another friend who was hacked by just link in chat. After that my friend account started sending same messages with same link to all other friends. How it works and how they collect information by clicking on link from chat?

  • @Eduardo99922 6 months ago

    Thank you!!

  • @rudr5970 6 months ago +2

    Please do qubes os vs viruses 😊

  • @jashrajgandhi7357 6 months ago

    So what about Malware execution on MacOS?

  • @derzimtraucher9748 5 months ago

    Can't I set up a controlled folder access to the location where the cookies are stored and only give the browser permissions to access it?

  • @macman231 6 months ago +6

    Could you manually rename your powershell and/or cmd to something only you know to help prevent random script execution?

    • @obscurus4103 6 months ago +7

      make your own windows

    • @paratudo5851 6 months ago

      Renaming critical system utilities like Command Prompt (cmd.exe) or PowerShell to obscure their presence is a strategy that falls under the realm of security by obscurity. This approach is generally not considered effective in the cybersecurity community for several reasons.
      Firstly, sophisticated attackers and malware are typically equipped to identify or locate these tools regardless of their names. Malware, for instance, can make direct system calls or search common file paths and Windows Registry entries to find executables with the characteristics of cmd.exe or PowerShell. Furthermore, sophisticated malware often includes fallback mechanisms and can execute commands using alternative methods, rendering the renaming strategy ineffective.
      Another critical consideration is the impact on system stability and software dependencies. System utilities like cmd.exe and PowerShell are integral to the Windows operating system, and many internal processes and third-party applications depend on these tools. Renaming them can disrupt these dependencies, leading to system instability and software malfunctions.
      From an administrative perspective, renaming these tools can create confusion and operational challenges. System administrators and users familiar with the Windows environment expect these tools to be available under their standard names for routine tasks and system maintenance.
      Regarding security practices, it is more beneficial to focus on comprehensive and proven measures. This includes keeping the operating system and software up-to-date to mitigate vulnerabilities, using strong, unique passwords along with two-factor authentication, employing firewalls and reputable antivirus software, and practicing cautious online behavior regarding downloads and email attachments.
      For PowerShell specifically, Microsoft provides a feature known as execution policies. These policies can be configured to enhance security by restricting the execution of scripts, allowing, for example, only scripts signed by a trusted publisher.
      Additionally, User Account Control (UAC) in Windows provides an essential layer of security. It helps prevent unauthorized changes to the system, which includes the execution of potentially harmful scripts.
      In summary, while the idea of renaming cmd.exe or PowerShell might seem like a straightforward way to deter unauthorized use, it offers minimal security benefits and can lead to unintended system issues. It's more advantageous to invest in robust security practices and maintain proper system configurations for effective protection against threats.

    • @kunka592 6 months ago +3

      Thiojoe made a video on how to prevent random powershell scripts from executing. The downside is that it may be a bit restrictive so hopefully you remember to undo them if you need to. I feel like trying to rename cmd exe either wouldn't work or would break a lot of things compared to powershell.

    • @nothing.ghost4547 6 months ago

      @@kunka592 can you share the link of that video you talk about plz?

    • @neripheral 6 months ago +5

      Even if you could, I don't think you should.
      Many legitimate and perfectly harmless software use cmd and powershell so you'd be hijacking your own system.

  • @filip2455 6 months ago +39

    So if you had some kind of AV on the system with pro-active detection, would it stop the script and protect those accounts? It's not like every user will know every single type of malware out there. Aren't those products literally designed to stop it for you?

    • @sylussquared9724 6 months ago +4

      Yes it would stop it before it could steal anything

    • @johnsmith34 6 months ago +44

      The AV is designed to stop this, but the malware is designed to not be stopped by AV's.
      You can't just count on the AV, you must still follow best practices.

    • @MsSoldadoRaso 6 months ago +2

      @@johnsmith34 I'm using Windows defender, is that enough?

    • @tayib7665 6 months ago

      ​@@MsSoldadoRaso no use Kaspersky or Bitdefender

    • @godliker. 6 months ago

      ​@@MsSoldadoRaso Go with free version of Kaspersky

  • @Ar3sBlackSmith 5 months ago

    thank you

  • @p19shelt 5 months ago +1

    Thats all it takes dam. I didn't know this.

  • @bryancastaneda985 5 months ago

    What happens if a user opens it with an iPhone or android phone?

  • @user-Dan 5 months ago

    Genial video.

  • @braylanselmon3530 5 months ago

    Does this work on phones too? (Education purposes only) i get the links all the time

  • @Puda 6 months ago +10

    Wondering if you NEED to click on such ridiculous links in order for any hacks to happen? I have seen multiple people losing their FB account because a bot was able to access their account (even with 2FA set up, I know, it doesn't mean much) and change the password. I am assuming the pw may have been very easy to crack in the first place? They claim they didn’t click on any suspicious link. So did they? Or they didn’t and it’s still very easy to hack into anyone s account? What are your thoughts?

    • @Puda 6 months ago +6

      @AmericanKetchup. he mentions how it’s done AFTER you click on the link. My question is around not clicking on any link and still being hacked. How do they do it?

    • @kunka592 6 months ago +6

      @@Puda They probably clicked something shady. Either they are lying to save face or they have no idea what a shady link is. The other likely explanation is they re-use passwords from other sites that have been compromised and the bot just tried the same credentials on other popular sites. Of course there may be zero days which may exploit some app without the user doing anything particularly wrong, but that seems very unlikely.

    • @paratudo5851 6 months ago

      Hacking into a service like Facebook, which has robust security measures including two-factor authentication, and without using phishing or social engineering, is a highly challenging endeavor. Theoretical methods include exploiting rare software vulnerabilities within Facebook's system.
      SIM swapping, though it involves some level of interaction with the mobile carrier, can allow attackers to intercept SMS-based 2FA codes and pass.
      Threats (APTs) represent sophisticated sustained cyberattacks aimed at high-value targets, rather than general users.
      For average users, the likelihood of such attacks is low due to Facebook's vigilant security protocols, but it's higher for high-profile targets. So it's almost impossible to be hacked without clicking or doing anything.

    • @Puda 6 months ago

      @@kunka592 I am not sure how you can bypass 2FA though? I know it’s supposed to be easy but no idea how it actually works. I agree with everything else. I could never actually figure out if they DID click but tried to save face or had no idea it was a bogus link.

    • @juanin200 6 months ago

      @@Puda I'd say they're probably lying to not look that silly, there's no way a malware can be activated just by looking at a fb ad or scrolling past one, you have to actively interact with links or files to get compromised

  • @georgec8077 6 months ago

    I know the best line of defence is not to click in the first place, but if I did, would my antivirus stop this?

  • @Bguild192 6 months ago

    5:11 The account on the left is named "Giselle", I wonder if That's a reference to Better Call Saul lol

  • @artorias550 5 months ago +1

    Will this infostealer also work if you have master password set in browser? And is it dependent on its state - locked/unlocked?

    • @akalabayapal9634 3 months ago

      the master password can be easily obtained .... they are present in a file in the usersdata folder of the browsers....

    • @artorias550 3 months ago

      @@akalabayapal9634 really? I guess only hash is stored

  • @muzzammilshigri790 5 months ago +1

    How do these stealers work in chrome? As chrome has a strict security of viewing saved passwords inside it?

    • @codzombieownerz 3 months ago

      Fun fact, all your passwords for chrome when saved are on your PC under C:\Users\$username\AppData\Local\Google\Chrome\User Data\Default\Login Data. These can be stolen with a stealer.

  • @noobnoob5072 6 months ago

    Can such attacks occur on chrome os?

  • @AmlEysanAmeen 5 months ago

    Amazing

  • @roberthunter6927 6 months ago +3

    Why a supposedly secure operating system would allow the remote execution of scripts or system32 system files is incomprehensible. I understand windows 11 pro will allow you to set policies that ban unsigned scripts from the internet, but these are pretty easy to bypass. Of course, windows update must run scripts and executables, but why this is not only turned on when necessary, and the default setting is off, is just silly.
    You can disable all PowerShell scripts, but the system still allows single commands, and does not care if they are local or from the internet, which is pretty moronic if you ask me.
    Encrypting the drive, especially important folders in sys32, home etc should help, provided you hold passphrases or recovery keys off-line [like on a USB drive].

  • @CheeseNuts-zy3js 6 months ago

    Question. These credentials are being pulled from where? If it's the password manager within the browser, how do they get access to those when most are locked behind your windows credentials. Wouldn't the attacker only have access to the hashed password?

    • @sylussquared9724 6 months ago +1

      This particular malware is taking login cookies (among other things) and no the passwords stored in your browser are not encrypted. They are stored in a plaintext file on your system.

    • @sacredk1 5 months ago

      @@sylussquared9724 Incorrect. Passwords and cookies from your browser are encrypted in a database, but the key is trivial to obtain as it is simply base64 encoded.

    • @NiazMohammad 4 months ago

      @@sylussquared9724 why passwords not be encrypted 😮

  • @youtubeloldfj2521 4 months ago

    Where to get the software?

  • @mcha_yt 5 months ago

    Do these hacks work on phones?

  • @kb8570 6 months ago +1

    Would the malware script work if it tries to execute on a users account that is logged in as non-admin ?

    • @SmilerRyanYT 6 months ago

      This would likely not require admin, as it's designed to get information, send it off, potentially add itself to startup (to redo it every windows login happens) and quit itself.

    • @kb8570 6 months ago

      @@SmilerRyanYT ok. thank you.

    • @noobnoob5072 6 months ago

      Questions if you have chrome os are attacks like this are impossible. As hate running viruses scans.

    • @SmilerRyanYT 6 months ago

      @@noobnoob5072 assuming chrome os (without linux) the most realistic damage is downloading fake extensions that collect your data. Just don't install any and you're fine.

  • @seijisawamura000 6 months ago

    malware as a service... wow

  • @tinypanther27 6 months ago

    But cookies dont actually have passwords stored in them

  • @peterkim9696 5 months ago

    How can they access my data cause I don't use python in my machine

  • @kmw03062 6 months ago +12

    Use 2FA to stop further damage

    • @DayzGone 6 months ago

      That's not fool proof. From what I've read, a MITM attack can bypass 2FA

    • @A1stardan 6 months ago

      Use Password manager, don't store passwords in browser.

    • @Daniel15au 6 months ago +31

      2FA won't help if the "remember me" cookie token is stolen. It only helps if just the credentials are stolen.
      That's how Linus Tech Tips got hacked. They had 2FA enabled but had their cookies stolen rather than their credentials.

    • @withmygoodeyeclosed 6 months ago

      @@xszl that's why you backup your TOTP credential vault to some place that is not your phone, with Aegis you can very easily do this.

    • @ellandill 6 months ago

      rather revoke permission to execute script from Download folder

  • @NiazMohammad 4 months ago

    What good does cookies serve to end users like us? Sorry, am not so tech-savvy

    • @Lynn.-_-. 3 months ago

      Not having to login every single time.

  • @wallyrogers2371 6 months ago

    I'm assuming this would not affect someone on a MacOS or Linux machine, correct?

    • @sylussquared9724 6 months ago +6

      All the malware is doing is stealing some files and uploading them, so yes it would affect someone on a MacOS or linux machine

    • @fffmpeg 6 months ago

      why would you even feel the slightest urge to ask if you can run a batch file there

    • @sylussquared9724 6 months ago +7

      It wouldn't be a batch file if it was targeting linux or macos. But the underlying technique it uses would still work

    • @tailsorange2872 6 months ago

      That would be in the form of a (dot)sh file @@sylussquared9724

    • @tablettablete186 6 months ago

      Wrong, except if you isolate the malware within a container or with a MAC framework (SELinux, AppArmor). -Linux
      On MacOS, you could run as a different user or an AV that isolate file (needs to use Apple's security framework)

  • @p19shelt 5 months ago

    Thats crazyy, I wonder how I got hacked. I gotta stop downloading shi off the internet.

  • @BrutalFoX. 6 months ago +1

    doesn't 2 step verification prevent them from logging in?

    • @sylussquared9724 6 months ago +11

      No, what the malware is doing is stealing a file that tells the website you have already logged in. This bypasses all 2FA.

    • @BrutalFoX. 6 months ago +1

      @@sylussquared9724 it's kinda weird because aren't login detection based on IP address?, the file he showed was only a text with password and username, unless they can mask ip to match victim's

    • @Js_9_2 5 months ago

      @@sylussquared9724 and MFA?, its the same thing?
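
The thread above turns on two points: a copied session cookie is accepted without a password or second factor, and source IP alone is a weak signal. The following is an added example, not from the video or the commenters, of how a site could score later requests on a session against the client context recorded when that session passed 2FA; the event names, field layout, weights and threshold are assumptions, and the sample events are constructed.

```python
"""Flag reuse of an authenticated session cookie from a new client context."""
import ipaddress
from dataclasses import dataclass

# Constructed sample events (documentation IP ranges), not real traffic.
# Fields: time, session id, source IP, User-Agent, event (names are assumptions).
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SAFARI = "Mozilla/5.0 (Macintosh) Safari/17.1"
SAMPLE_EVENTS = [
    ("2023-12-14T09:00:02", "sess-A1", "198.51.100.23", CHROME, "login_2fa_ok"),
    ("2023-12-14T09:05:40", "sess-A1", "198.51.100.77", CHROME, "page_view"),
    ("2023-12-14T09:30:11", "sess-A1", "203.0.113.9", "python-requests/2.31", "password_change"),
    ("2023-12-14T10:00:00", "sess-B2", "192.0.2.50", SAFARI, "login_2fa_ok"),
    ("2023-12-14T10:20:00", "sess-B2", "198.51.100.200", SAFARI, "page_view"),
]

SENSITIVE_EVENTS = {"password_change", "email_change", "2fa_disable"}
REAUTH_THRESHOLD = 3  # assumed cut-off: at or above this, demand a fresh login


@dataclass
class Binding:
    """Client context recorded when the session passed its login checks."""
    network: object
    user_agent: str


def network_of(ip):
    """Coarse network for an address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def score_events(events):
    """Return (time, session, score, reasons, action) for each suspicious request."""
    bindings = {}
    findings = []
    for ts, sid, ip, user_agent, event in events:
        if event == "login_2fa_ok":
            # The only point where password and 2FA were checked: remember the context.
            bindings[sid] = Binding(network_of(ip), user_agent)
            continue
        bound = bindings.get(sid)
        if bound is None:
            findings.append((ts, sid, REAUTH_THRESHOLD,
                             ["no login recorded for session"], "reauthenticate"))
            continue
        score, reasons = 0, []
        # Networks change legitimately (mobile, roaming), so this weighs less
        # than a changed User-Agent on the same session.
        if ipaddress.ip_address(ip) not in bound.network:
            score += 1
            reasons.append("network changed")
        if user_agent != bound.user_agent:
            score += 2
            reasons.append("user agent changed")
        if score and event in SENSITIVE_EVENTS:
            score += 2
            reasons.append(f"sensitive action: {event}")
        if score:
            action = "reauthenticate" if score >= REAUTH_THRESHOLD else "log"
            findings.append((ts, sid, score, reasons, action))
    return findings


if __name__ == "__main__":
    for finding in score_events(SAMPLE_EVENTS):
        print(finding)
```

Forcing reauthentication on a high score restores the password and 2FA check that a replayed cookie otherwise skips.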

  • @UltimateGamerHub942 5 months ago +1

    Bro my Facebook one time got hacked for like 3 or 4 years and my mom told me about the stuff I was sending messages to and I was like who hacked my Facebook out of anyone's like at least hack someone who uses it lol

  • @g0odnite 5 months ago

    Please make a video on how to secure my PC for free.

  • @wazd4661 6 months ago +1

    Why the browser data is not encrypted!.

    • @wazd4661 6 months ago

      @Joao_M it can be encrypted to be read only by the browser itself but if you extract the data you won't get any useful data

    • @Daniel15au 6 months ago

      @@wazd4661 The malware could just steal the encryption key from the browser.

  • @juanmondragon 6 months ago

    I thought the passwords inside the computer were encrypted. Is there any way to encrypt them in case you fall victim to this? I believe apple has an encryption on the passwords and you have to enter the computer password to unencrypt it

    • @sylussquared9724 6 months ago +5

      What the malware did is steal a file that your browser gives to the site to tell it that you have already logged into your account on this browser (a cookie). It's not stealing your passwords. Best way to protect against it is use common sense or just change your browser's settings to not save cookies and just log in every time.

    • @OnyxCollared 6 months ago

      not with a auth token

    • @tablettablete186 6 months ago

      @@sylussquared9724 you could also run the browser or the malware as a different user.

  • @djohns9295 4 months ago

    So basically, if you don’t click any links, they can’t get you?

  • @RandomVideos-im4ue 5 months ago +1

    It will not work if the victim use their mobile for Instagram or messenger. How can we know what OS did the victim using?

  • @lee99bay 6 months ago +1

    They can hack your Facebook even if you don't have an account on Facebook 😊😂😊

  • @guilherme5094 6 months ago

    👍

  • @kazurugaming7006 6 months ago

    How can i remove trojan redlinestealer?

  • @aesthetictm7953 5 months ago

    what about Guardio ? maybe it is malware Dor info stealer

  • @telmoazevedo8958 4 months ago

    Is this really true? Is this really this easy?

  • @bhadawang 5 months ago

    wow

  • @pxrposewithnopurpose5801 2 months ago +1

    i myself got hacked like this once

  • @zarimughalrose353 5 months ago

    Hmmmm

  • @velo1337 6 months ago

    how does the password extraction work? where does it get the pw from?

    • @andrzejandrzejski229 6 months ago

      If you click "remember my password" it gets stored on your local drive.

    • @velo1337 6 months ago

      @@andrzejandrzejski229 yes but it is encrypted. how did they decrypt it?

  • @sandwich-plays 6 months ago +2

    ayo thats vietnamese

  • @ReligionAndMaterialismDebunked

    :3 A very clever Vietnamese credentials dump. It bypasses AV as an innocent ZIP file, and executes line by line. It retrieves data that it needs to run, and then runs, downloads all your passwords, and cookies, then logs the user out of everything, and then sends the details to Discord or Telegram. Then they sell that data. Send this to North Korea, Iran, etc. Hahahaha.

  • @tayib7665 6 months ago +1

    Sir, can it steal information saved in Bitwarden addon in chrome?

    • @Daniel15au 6 months ago +2

      No, Bitwarden data is always encrypted at rest so it should be fine.

  • @joelarthur172 6 months ago

    Article link?

    • @pcsecuritychannel 6 months ago +1

      labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d
      It's now in the description.

    • @noobnoob5072 6 months ago

      Can such attacks happen on chrome os and Android?

  • @Chikowski101 6 months ago +1

    if the user has enabled 2FA on their accounts even if the attacker has access to the victims username and passwords they won't gain control over those accounts easily the user will get notified of malpractices

    • @georgec8077 6 months ago +6

      If you watch the video this channel about Linus tech tips he shows this is not true. By copying the cache or cookies or whatever it was the same process as the 'remember me' / autosign in button can be stolen and you don't even need user credentials and 2FA can be bypassed!

    • @xdneos 5 months ago

      They can if they get your auth token, with that they can send request to the server and change everything they want

  • @user-pg1rt8yx6f 2 months ago

    WARNING APP WORLDWIDE

  • @vlogstath416 6 months ago

    can i fix it

    • @vlogstath416 6 months ago

      @@barkatali710 finally i took back my insta account

  • @followingtheapocalypsesson4337

    cute... so... MaaS.... :/

  • @worstyasuo 6 months ago

    So this steals passwords saved in browsers yes? What about 3rd party password manager browser extensions like bitwarden and protonpass?

  • @0xBerto 6 months ago

    Kinda confused here 2:06 why is it plain text? Lol

    • @Daniel15au 6 months ago

      They're the passwords stored in a browser when you tell the browser to remember the password. Even if they're encrypted, the browser needs to be able to decrypt them to insert the username and password into the login form, and so the malware can access the password too.
      Always use something like Bitwarden or 1Password to store passwords. Never use the browser's built-in functionality for it.

  • @LT4141 6 months ago

    good vid

  • @TrevorMagee-md8lg 6 months ago

    I have dozens of accounts and passwords saved and stored in my cookies ready to steal. None of them are my main accounts lol. Have fun hackers.

    • @smoothbraindetainer 5 months ago

      It doesn't steal the password. If you're logged into an account, even if it's not saved, it's stealable.

  • @tourist2384 6 months ago

    And this tool is created by Vietnamese

  • @Manoj-bf9xd 22 days ago

    How to protect my accounts ( Facebook , Instagram, Google) from Malwarebytes?

  • @Thesecondcomingpodcast 5 months ago

    How do you fix it?!

  • @ltd2vn
    @ltd2vn 6 months ago

    It can only be malware from those Vietnamese guys

  • @NotSure2020
    @NotSure2020 6 months ago +2

    The fact that it's invoking Telegram to send those messages makes me wonder about something I've been experiencing.
    Every once in a while, my Google Drive application is launched. My application config is outdated, so nothing happens as far as I know, but the fact that it keeps launching itself without it being a Windows startup event, nor by me.
    Could this be an indication of something similar being attempted?
    How could I check?

    • @_mester_playz2462
      @_mester_playz2462 6 months ago +1

      You could check %appdata%\Microsoft\Windows\Start Menu\Programs\Startup for the program
      But it seems a little weird that it is not happening every time you launch the PC.

    • @coolfrisbee
      @coolfrisbee 6 months ago

      Could be a background updater for the Drive desktop application if that's what you have installed. Or just a process that streams files to your PC from the cloud when your system accesses them (GoogleDriveFS.exe for example). When it runs you can check the process in Task Manager and note the name of the exe file. Google the name of the exe file to get a quick answer as to what it does and if it's safe. Online info should also be able to tell you where the file should be launching from - you can right click the exe in Task Manager and open the file location to double check this. If the name is weird or the folder is not what it should be, you might have an issue. Probably OK though

    • @SciK.
      @SciK. 6 months ago +1

      This happens to me too. I have no idea why. If it's happening with you too then I assume that it's just a bug?

  • @lazyblitzkrieg6040
    @lazyblitzkrieg6040 6 months ago

    What if there is no saved account in the browser; will they still access the account?

    • @smoothbraindetainer
      @smoothbraindetainer 5 months ago

      It's not a password stealer, it's a token stealer. If you're logged in, it's stealable.

  • @KGBSpyGeorgeCostanza
    @KGBSpyGeorgeCostanza 6 months ago

    are there other ways you could get hacked? like they don't even have to use malware....is there something called remote net hacking?

    • @sylussquared9724
      @sylussquared9724 6 months ago +1

      There are many other ways you can get hacked, malware is indeed just one of them. However, thankfully that's not something most home users need to worry about as long as you keep your software up to date and don't fall for phishing or scams :)

    • @davidt01
      @davidt01 6 months ago +2

      Phishing is the most common way. Malware on the user's device would be second. By far the hardest and least common way is for the website itself to either get hacked or have something like an XSS vulnerability where just clicking a link could get you hacked.

    • @KGBSpyGeorgeCostanza
      @KGBSpyGeorgeCostanza 6 months ago

      thank you friend @@sylussquared9724

    • @tom_from_myspace
      @tom_from_myspace 6 months ago

      @@davidt01 tbh phishing is more vicious. If you're not too naive, you won't open a .bat or .ps1 as a .jpg or pdf. However some phishing links are really well done. Especially using mails etc

    • @User123t5ae
      @User123t5ae 6 months ago

      Nice hat, Costanza

  • @muhammadumarwaqar5793
    @muhammadumarwaqar5793 1 month ago +1

    how to recover?

  • @boines
    @boines 6 months ago +1

    So you click a link which fb removes except to known sites, download a file and user has to find it and open it then open the file inside? Uh avg user be like click link and move on lolol. Also edge will ask you if you know the file and keep it or delete. If I’m clicking a link for a site why would I dl a file to keep? Odd. I’ve been testing this for huge bus and seen what I stated every time.

  • @tablettablete186
    @tablettablete186 6 months ago

    Guess before watching the video: steals cookie

  • @ReligionAndMaterialismDebunked

    Super easy grabs. Haha

  • @KillerSkullX
    @KillerSkullX 29 days ago

    But how do they find you

  • @himelkhan2672
    @himelkhan2672 3 months ago +1

    Bro my account recover please

  • @locacbndwar5555
    @locacbndwar5555 6 months ago

    What about who doesn't install Python hahah

  • @cryptoafc7655
    @cryptoafc7655 6 months ago +1

    guardio is sh1t... why does it need to manage my other extensions? my other extension is a password manager

  • @Gaming94253
    @Gaming94253 6 months ago +1

    no

  • @ysfbig
    @ysfbig 6 months ago

    Android

  • @featurebreaker
    @featurebreaker 6 months ago

    Third?

  • @zeldars
    @zeldars 6 months ago +1

    Microsoft is to blame for this terrible security flaw

  • @hotmixer2010
    @hotmixer2010 6 months ago

    Buy a new Apple Silicon Mac or switch to Linux to avoid common hacks

    • @tablettablete186
      @tablettablete186 6 months ago +2

      Mac and Linux are just as vulnerable (except if you use some security settings that Win also has)

    • @sylussquared9724
      @sylussquared9724 6 months ago +4

      It's a common misconception that Linux and macOS are more secure. They can be made many times more secure than Windows, but that takes work.

    • @Bpinator
      @Bpinator 5 months ago

      @@sylussquared9724 It would be a lot more difficult to use this same technique on macOS or Linux because of their resistance to giving execute permissions without explicitly giving them

  • @galsherp6173
    @galsherp6173 6 months ago +1

    ppl always tell me like that password is so easy no hacker would think of such an easy password.... xD

    • @iamlorddems3859
      @iamlorddems3859 6 months ago +1

      and that is why it is normally one of the first 10 checked

  • @nearestone
    @nearestone 5 months ago

    These are the most stupid hacking attempts I've ever seen, honestly. Show something real or stop posting crap that even grandma doesn't fall for.

    • @sylussquared9724
      @sylussquared9724 5 months ago

      I wish I could say you were right, but people do fall for them
      A high number of people come to a tech support server I'm on asking for help getting their accounts back because they fell for garbage like this

  • @lazyblitzkrieg6040
    @lazyblitzkrieg6040 6 months ago

    What if there is no saved account in the browser; will they still access the account?

    • @sylussquared9724
      @sylussquared9724 6 months ago +1

      If you are signed into the account or were signed in and just didn't log out (or clear cookies) then this malware would work