Uncovering the hackers, who stole your Facebook account

About 6-months ago I was sitting at my desk, working on my CS145 homework, when I heard a familiar ding, a new message on Facebook messenger. I glanced over to see it was a message from my sister. I paused my work, and read her text. She sent me a link with the message “Hey check out this video” accompanied by a preview of a YouTube video.

Example of phishing link.

I clicked on the link and it sent me to a page asking me to log into Facebook, to gain access to the video.

Notification at the top of the phishing page, asking you to “verify your account information to allow access to [the] video”.

I stopped myself, while I may have been impaired from the caffeine and lack of sleep, I knew a phishing attack when I saw one. I set aside my homework and called my sister.

My sister explained that her Facebook account had been hacked after she clicked on a link her friend sent here. I put the pieces together and realized she had clicked on a link like the one sent to me and had her account hacked because she didn’t know the page was fake and entered her login details. Once the criminals had her login details, they used her account to keep spreading their phishing campaign.

My sister was distraught, she couldn’t get back into her account because Facebook had locked her out. Facebook wanted her to verify it was her, but she couldn’t verify it was her account because she didn’t have access to the phone number linked with her account anymore. Since she couldn’t verify it was her, Facebook could not unlock her account, meaning she had lost the account to the ether. She had precious photos and sentimental texts from our deceased mother on the account, all of which were lost with the account. I was enraged, how dare someone do this to my sister.

Image of Liam Neeson playing Bryan Mills in the movie Taken, with the accompanying text “I will find you…”

A few months before this happened to my sister, I had started learning the basics of OSINT and had been working on the Tracelabs project. TraceLabs, for those not in the know, is a community of like-minded individuals working together to find missing people through a gamified investigation model.

Image of Tracelab’s homepage with the text “We crowdsource OSINT to help find missing people.”

This is relevant because my experience in this field made me confident I could find these criminals. And I was so enraged that someone could hack my sister, that I felt I needed to do something. I told my sister, I would find them and help her get her account back. I set aside my homework, opened up a new VMWare session with Kali Linux, and began the hunt.

I spent the next 6-months following leads, working with my investigative partner, Grégoire C, and putting everything I had learned to the test. Below is a flowchart of the entire investigation, with some information redacted, as it’s still actively being investigated by the authorities.

Click here for a full-size version of the flowchart.

Let’s go through each step of this investigation before we get to what we found.

First I mapped out the network of domains the criminals were receiving the stolen credentials on. I used a Urlscan pattern my partner had created for this purpose. We found more leads by scanning the servers with a URL fuzzer, to look for directories or files on the server. On one server we found an image containing references to some sort of utility and the alias of the developer who made it. We looked for the username of the developer using Sherlock and found an NPM account by him. We verified the project and the developer were connected to the phishing campaign by finding incriminating evidence on his Github and NPM profile. I started finding out everything we could on the developer using tools like Dehashed, Ghunt, Sherlock, etc.

While I was uncovering the identity of the developer, my partner looked into the utility mentioned in the image. He found a domain and the website matching the utilities name. The website had a login page, locking us out of whatever was on the domain. Greg decided to brute force the domain using passwords and email combos I had found while digging into the developer. He gained access to the website and worked out it was a panel used to manage phishing campaigns. It was a service, sold to other criminals, to make stealing accounts easier. The tool had 50 active users, and my partner was able to dump the usernames of these users, allowing me to use OSINT to uncover the identities of the criminals.

All-in-all we’ve uncovered the identities of 10 of the users of the tool and the person responsible for making this tool. All without alerting the criminals to our presence. I’ve sent the full investigation to the authorities, and it is now up to them to finish what I started and bring these criminals down.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store