Taking over Facebook accounts by passive OSINT?

 

Dec 18, 2023

How I snitched a family member’s Facebook account with OSINT & Phishing

A few years ago, while rolling in the OSINT & cybersecurity universe, I stumbled upon several articles on reused passwords & how easy it was to take over other accounts with the same passwords; why not test it? This “Trick” is perfect for hackers & the like but comes with big cons for users.

REMINDER!!!

This is only a personal story of an individual who daily plays with his family members, who are each AWARE of “his tests” & thus “kind of” agreeing with it & even if a tiny proved from it, satisfied with their learnings & FULLY AWARE of being under pen-testing by me.

Furthermore, the entire content is only for Educational Purposes, & any abuse or misuse may result in legal action “NOT THE AUTHOR!”

Remember, you are solely responsible for your actions or misuse of information. Indeed, hacking others without their consent is “ILLEGAL” & can have very bitter consequences!

OSINT, which stands for Open Source Intelligence, is the practice of collecting information from publicly available sources on the internet, with or without specific tools or software. If you want to know more, check out my previous stories.

This technique will only work with people who still believe that no one will ever hack them; in fact, all my family members now firmly believe the contrary & since then, they have stronger passwords, never use the same password for two different websites & almost none of them open my emails or attachments… In later stories, I will tell you why…

Back then, I was looking for a victim & who better than a family member, the same one who believes you have learnt nothing about IT? Then, just a little after, I found the one… The email address was easy to find, but I needed an excuse for them to give it to me, just to make sure I was on the right target. At that time, I used to practise phishing with GitHub tools, with Kali Linux & I sent them this to show them how easy it is to replicate phishing pages. I told them not to put their actual password but a fake one & that, if they wanted, they could use their actual email anyway; only I would have seen the results…

They perfectly followed my advice & yes, they did not give me their password, but yes, their email; in the end, only “I” will see the results. Shortly after, I went on “IntelX”, a lovely website for leaks & breach info. I added the email & in a few seconds, I saw that there were already some issues with other accounts with the same email, just what I was looking for.

Credits: https://intelx.io/

Unluckily, IntelX offers a view only as a paid service & still, I wanted to keep it free. After a bit of digging, I stumbled upon Lampyre.io. A few years ago, it allowed a few free searches for each new email address & I was with it. Now, it charges affordable fees. Back then, it finally helped me find the password I sought.

Another important legal bit may be handy to many: when we are searching for info, we had better stick to our target & not uncover other people’s data, as it can be a hot legal matter.

Always document yourself & be VERY AWARE of the legal consequences you can incur handling other people’s or business data.

Credits: https://lampyre.io/

They would not have changed & they did not know that their “one password for all accounts” technique could not work anymore. Besides, they didn’t believe I could have found it all out & this was perfect for me, as time was on my side. Just after, I headed to Facebook with a VPN set on their location (in case I did not know it, I would have browsed their accounts to grasp it; they or their friends usually tagged city pics) & I quickly logged in without any issues. Another factor to consider is that Facebook logins were accessible years earlier but might have been hardened lately. Once inside, I waited calmly a while in silence. Then, I changed the number, email & password, logging them out without any chance for them to log back in quickly.

It was fun for me, a little less for them.
I started messaging family members pretending to be them, pranking them as a proper hacker or scammer could try to do in a real-life scenario. A while after, I blew my cover & told the whole tale, helping them understand & not underestimate the power & the danger of online activities & social engineering.

This technique would have worked easily years ago. However, as Facebook is not the only website & some people still believe they are unhackable, there are still some chances for similar techniques, but maybe with different shades.
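The takeover described above ends with the phone number, email and password all being replaced from a session the owner never started, and because the login came through a VPN set to the owner's location, a location check alone would not flag it. As an added example (not from the original story and not any platform's real code), the code below flags that pattern in an audit log by keying on the device instead; the event names, device IDs, 24-hour window and sample log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that replace an account's recovery factors (hypothetical event names).
RECOVERY_CHANGES = {"change_phone", "change_email", "change_password"}

# Constructed sample audit events: (timestamp, account, session, device, action).
EVENTS = [
    ("2023-12-01T09:00:00", "alice", "s1", "dev-a1", "login"),
    ("2023-12-01T09:05:00", "alice", "s1", "dev-a1", "change_password"),
    ("2023-12-03T22:10:00", "bob", "s7", "dev-b1", "login"),
    ("2023-12-04T01:30:00", "bob", "s8", "dev-x9", "login"),
    ("2023-12-04T03:02:00", "bob", "s8", "dev-x9", "change_phone"),
    ("2023-12-04T03:03:00", "bob", "s8", "dev-x9", "change_email"),
    ("2023-12-04T03:04:00", "bob", "s8", "dev-x9", "change_password"),
]
# Devices each account has used before (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}


def find_takeovers(events, known_devices, window=timedelta(hours=24)):
    """Return sorted (account, session) pairs where a session that logged in
    from an unrecognised device changed phone, email and password within
    `window` of that login."""
    new_device_logins = {}        # (account, session) -> login time
    changes = defaultdict(set)    # (account, session) -> recovery changes seen
    for ts, account, session, device, action in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account, session)
        if action == "login":
            if device not in known_devices.get(account, set()):
                new_device_logins[key] = when
        elif action in RECOVERY_CHANGES and key in new_device_logins:
            # Only count changes made soon after the unfamiliar login.
            if when - new_device_logins[key] <= window:
                changes[key].add(action)
    return sorted(k for k, seen in changes.items() if seen == RECOVERY_CHANGES)


if __name__ == "__main__":
    for account, session in find_takeovers(EVENTS, KNOWN_DEVICES):
        print(f"ALERT: {account} session {session} replaced all recovery factors")
```

A single password change from a familiar device (the constructed "alice" events) is not flagged; only the session that swaps every recovery factor from an unfamiliar device is.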

2 Words about IntelX, Lampyre & Zphisher

Bookmark both websites (IntelX & Lampyre), as they might be handy to gather information about telephone numbers, email addresses & more, hence used by professionals. Both companies have been in the market for a while & even if with diverse scopes & visions, they can be perfect when you hunt for info online. Yes, some of their services come with a price, but they are well invested & towards trusted sources, even if one has a mysterious owner.

  • About Zphisher: I personally love it, a CLI tool perfect for phishing attacks. It works perfectly on Kali, Termux & Google Cloud, but I am sure you’ll be able to run it on Docker, AWS or Google Cloud Shell to speed & ease performance. It can use LocalXpose, Ngrok & Cloudflared, the last being the most versatile & thus my favourite.
Credits: https://github.com/htr-tech/zphisher

Ref:

https://lampyre.io/ > if u want a Referral use > 2332a250-edd5–4ba8–801f-08c08c71ab31

https://intelx.io/

https://github.com/htr-tech/zphisher

Credits: https://lampyre.io/. Referral Program - New -

As you can learn from this tale, it is easy to be locked out of your account & unable to regain it. Indeed, even if there is always a way in, better care than repair… Also, to perform this technique, you must be smooth in Kali Linux or any other (“better if”) Linux CLI. 2 things initially scary… Also, you can perform a fast, similar one on cloud providers from Google, AWS or alike that usually solve network issues & security but may easily drop traces, each with its pros and cons. Besides, I’m on another Facebook Account Recovery Project & once done, you will see the results in one of the following stories.

Meanwhile & possibly, try to remember the following:

NEVER THE SAME PASSWORD FOR DIFFERENT WEBSITES!

Never use the same password for different websites!

PEIDIWCH BYTH â’r UN CYFRinair AR GYFER GWEFANNAU GWAHANOL!

¡NUNCA LA MISMA CONTRASEÑA PARA DISTINTOS SITIOS WEB!

JI BO MALPERÊN CUDA TUQET HEMAN HIŞFERÊ YE!

PA JANM MENM MODAS POU DIFEREN SIT WEB!

ไม่มีรหัสผ่านเดียวกันสำหรับเว็บไซต์ที่แตกต่างกัน!

다른 웹사이트에 동일한 비밀번호를 사용하지 마세요!

切勿在不同網站使用相同的密碼

Hope this helps

Credits & Thanks to Google Translate @ >>>> https://translate.google.com

At least some should understand!

;)

The Internet, social media, shopping platforms or search engines, in one way or another, hold us online &, as in the physical world, the virtual one conceals its good & bad; either way, it is better safe than sorry.

Once again, I’d love to remind you that taking over accounts without the owner’s permission is ILLEGAL & the misuser of that action can be prosecuted by law. This story is only for educational purposes.

I hope you all enjoyed it; thanks for your time & stay tuned for more!

If you are curious about OSINT, see OOSINT @ >>>>>>>

https://start.me/p/ME7aRA/oosint

🌪️ — Surf Safe & Stay Shield! — 🏄
