Hacked Facebook and a picture held for ransom: a cybercrime case
Intent and motive are two important parts of solving any crime, and the same goes for cybercrime.
This is a real case we had with the names anonymized for privacy purposes. Someone woke up Saturday morning to two rude surprises. We dealt with a compromised Facebook while also dealing with ransom of a picture from a compromised email address.
Many experts say to pay the ransom, but the ransom had already been paid two weeks earlier, before they reached out to us.
This has two moving parts: a hacked Facebook account and the ransom of a personal pornographic picture that no one wanted released. We are going to cover how we dealt with the hacked Facebook account first.
How to identify who hacked your Facebook
Make sure all browser tabs are closed and no applications are running in the background on your desktop, so that the inbound IP addresses you see are as accurate as possible.
- Open up Facebook Messenger.
- Open up a command prompt on Windows and, while the person is writing (when you see the typing bubbles), type netstat -an and hit Enter. This lists all outbound and inbound connections with their IP addresses. Addresses starting with 192.168 are private addresses used on every local network, and 127.0.0.1 is your own machine's loopback address; ignore those, as they belong to your machine or network, not to the remote party.
- Analyze the inbound IP addresses, then use a reverse IP/geolocation lookup to place them on Google Maps. This helps if the attacker forgot to mask their identity with, say, a VPN or Tor.
- Check lists of known VPNs and Tor relays. This isn't foolproof, but it is helpful, as you will see in a minute.
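As an added illustration of the filtering step above (this script is not part of the original post), the following Python code parses a constructed sample of Windows netstat -an output, drops loopback and private (RFC 1918) addresses, keeps only ESTABLISHED connections by default, and counts how often each remaining remote address appears, since the approach relies on seeing the same address repeatedly. The sample rows and their non-local addresses are constructed from documentation ranges, not a real capture.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not a real capture); remote addresses use RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.20:51204     192.168.1.1:53         TIME_WAIT
  TCP    192.168.1.20:51311     203.0.113.45:443       ESTABLISHED
  TCP    192.168.1.20:51312     203.0.113.45:443       ESTABLISHED
  TCP    192.168.1.20:51340     198.51.100.7:443       ESTABLISHED
  TCP    192.168.1.20:51355     203.0.113.45:443       ESTABLISHED
  TCP    192.168.1.20:51400     198.51.100.7:443       TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""

# Ranges belonging to your own machine or LAN (RFC 1918 private space, loopback, link-local), never to the remote party.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_netstat(text):
    """Yield (proto, local, remote, state) from each TCP/UDP row; header lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        yield parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else ""

def remote_ip(addr):
    """Strip the port from 'ip:port'; return None for wildcards such as *:* or 0.0.0.0:0."""
    host, sep, _port = addr.rpartition(":")
    if not sep or host in ("*", "0.0.0.0"):
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:  # bracketed IPv6 literals are out of scope for this example
        return None

def external_peers(text, established_only=True):
    """Count remote non-local IPs, by default only on ESTABLISHED connections."""
    counts = Counter()
    for _proto, _local, remote, state in parse_netstat(text):
        if established_only and state != "ESTABLISHED":
            continue
        ip = remote_ip(remote)
        if ip is None or any(ip in net for net in LOCAL_NETS):
            continue
        counts[str(ip)] += 1
    return counts
```

Keep in mind that a repeated address may belong to the chat service's own servers or to a VPN or Tor exit rather than to the person typing, which is why the lookup against known VPN and Tor lists in the next step matters before drawing any conclusion.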
The compromised Facebook account was asking everyone for $500 in BTC or an eBay gift card. The attacker was also posing as a long-lost friend by changing the account's name. Playing along got us enough of the same IP addresses repeatedly, which is what was needed. When we brought up the town they were in and how it was, they replied "Good". When they were told there was plenty of evidence against them, they deleted the Facebook account, or so they thought.
The head of Facebook Security is involved, and they should restore the account.
Porn Ransom and how to combat it
The second problem, the ransom of the pornographic picture, is where we are now. This took time to solve, and when you have a ransom you're short on time. The demands for money continued.
I finally decided to stop focusing on the ransom and the pornography and to treat the criminal like a human. What was the motivation behind the crime, and why did they need this money? Once asked, they claimed they needed it for something in their house. This was a major breakthrough, because my reply was simple: I offered to teach them how to make that money legally with some apps, on the condition that they delete the picture permanently. They agreed to the terms, and I showed them how to make $500 really quickly online.
The picture was allegedly permanently deleted, but with criminals, well, take everything with a grain of salt.
Regaining control of a hacked email and securing it after a hack
We regained control of the compromised email account, so unless they had downloaded the contacts, they had nowhere to post the picture, since the social accounts were also tightened down.
The moral of these two cases is pretty straightforward: everyone wants something. In these cases, isolate the two most important things, what they want and why they want it. I was then able to show them a legal way to obtain it.
The hacked Facebook case doesn't appear to be related, as the tone of the writing, the word choice, and the timestamps of the messages are radically different between the two people. What we were told for free is that the image is somewhere on the deep web along with the contact info, so this issue may persist. Time will tell.
We take pride in proactively and reactively fighting threats, which in simple terms means we do both defensive and offensive security. If you need help, just contact us.