How Anonymous Could Attack Facebook - If It Really Wants To
Aug 10, 2011 12:04 PM PT
Could Facebook be the next target in hacker group Anonymous' crosshairs?
A tweet from the Twitter handle "OP_Facebook" -- which is labeled "Anonymous" yet had only a single tweet in its history as of mid-day Wednesday -- urged readers to go to a Pirate Bay Web page or watch a YouTube video in which a threat is made to attack Facebook on Nov. 5.
It's perhaps worth noting that the tweet was originally posted nearly a month ago. News of the threat has only recently been widely circulated.
Whomever controls one of Anonymous' main public communication channels, however, doesn't seem to support the effort. The AnonOps Twitter feed later stated that the so-called OpFacebook plan to take down the social networking site is being organized by some Anons, that not all of Anonymous agrees with it, and that attacking the messenger is not Anonymous' style.
Schisms aside, just out of curiosity, how might a group of hackers such as Anonymous attack Facebook?
Attacks Against Facebook
Back in 2009, Facebook, along with other social media sites including Twitter and LiveJournal, were hit by massive distributed denial of service (DDoS) attacks.
Facebook reportedly said the target was a pro-Georgian blogger with the username "Cyxym."
However, Facebook services weren't too badly disrupted, and its engineers have publicly stated that a successful DDoS attack against their site would require a botnet so large that it might be traceable. The social networking site has other protections in place.
"One would imagine Facebook would have incredible redundancy and capacity to resist a denial of service attack," Chris Harget, senior product manager at ActivIdentity, told TechNewsWorld.
While a full assault on Facebook's front door may prove extremely difficult, there are other ways in which attackers could try to hurt the social network. Facebook is a favorite of cybercriminals whose attacks include setting up fake accounts or accounts with links to malicious sites, and spoofing or hijacking the accounts of legitimate users and sending out emails with either embedded malicious links or requests for financial help.
"I don't consider DDoS or spoofing an account a 'hack,'" Randy Abrams, an independent security consultant told TechNewsWorld.
Taking Down Facebook's Walls
There are three primary means of attack, Abrams said.
One consists of spear phishing and planting malicious code that gains access to victims' accounts or computers. This has worked against Google and other large organizations, and "I doubt that Facebook is immune," Abrams stated.
The second is exploiting a zero-day vulnerability.
The third is guessing a weak password. "We know from research into past data breaches that even some security experts don't use good passwords," Abrams said.
A good password, by the way, is one that has a combination of at least six to eight letters and numbers randomly mixed. A weak password would be something that's easily guessed, such as someone's date of birth or marriage or their car license plate number, for example.
Advance, Friend and Be Recognized
Passwords are likely to be the most critical weakness and the easiest way for someone to launch an attack on Facebook.
"Anonymous has managed to scoop up no small number of users' credentials during their forays," Cameron Camp, a researcher at ESET, told TechNewsWorld.
"Since it's common for people to use the same credentials on multiple sites, this becomes a potential attack vector, but not just for Facebook," Camp elaborated. Users should update their passwords regularly to minimize the possibility of hackers using these as an attack vector, Camp recommended.
Facebook spokesperson Gwendolyn Belomy declined comment on the purported threats from Anonymous.
What's a Hack, Anyhow?
If Anonymous were to attack Facebook, it may choose not to steal user information.
It's fairly common to use phishing or key logging to steal Facebook user credentials, but that's true of any site which uses static passwords, and it wouldn't let Anonymous make a "big noticeable splash" unless the group had been collecting user credentials for a long time, ActivIdentity's Harget said.
Instead, Anonymous would be more likely to disrupt the social networking site's operations or steal large amounts of data from the company itself, Harget opined.
However, like other security experts, Harget doubts the authenticity of the threat against Facebook.
"This claim seems suspect on the face of it," Harget said. "An equally plausible explanation is that some group figured out how to hack Facebook and so they are grasping for a justification to show off and make a big splash on a very popular site," he added.
"It's really hard to say if this is a broadly endorsed Anonymous plot or something from a particular subset of Anonymous members or even if it's valid at all," Azita Arvani of the Arvani Group told TechNewsWorld.