Four months ago, I unmasked a Facebook “hacking” service called FBSniffing and showed how it doesn’t really “hack” but instead signs users in to a mobile service they never asked for.

In this post, I’ll be talking about two more sites claiming to offer hacking services that target Facebook users. The sites are:

  • fbwand(dot)com
  • hackfbaccountlive(dot)com

fbwand(dot)com

[Image: fbwand dot com]

fbwand is a website created within the first four months of 2014. It claims to be a tool that can get into Facebook in three easy steps.

FBWand uses the latest security holes in Facebook, so you can get into your cheating husbands [sic], annoying bosses [sic] or any other persons [sic] Facebook profile and read messages, upload pictures or do anything you like. FBWand is super easy to use. Password isn't changed in the cracking process so the user in question won't notice anything. Also the method we use is undetectable by Facebook and probably won't be patched anytime [sic] soon.
To gain access to your victims [sic] E-Mail and Password, you will be required to get an authorization code from us through referring friends to FBWand.

The default page is sectioned in three parts: the top contains an interface where users can enter the Facebook nickname of the individual the attacker wants to infiltrate, the middle contains a list of the supposed hacking tool’s key features with user testimonials, and the bottom contains an FAQ section, which mentions activation codes, “20 seconds”—the claimed length of time the site can crack into a Facebook account—and the rule forbidding attackers to provide made-up information when filling in survey questions.

On its ToS though, we can see it suddenly doubling back, claiming that the domain at present is just a tool that simulates Facebook account cracking.

[Image: FBWand ToS]

Fortunately, fbwand is no longer online at the time of writing.

hackfbaccountlive(dot)com

[Image: The hackfbaccountlive default website]

We are currently the #1 site in the Internet to provide this service for free and at amazing speeds and success rate. Don't believe us? See how many like and share we have on Facebook and other social media and we are ranked #1 on google.
You may wonder why people hack Facebook accounts? [sic] The answer is simple. There are various reason as to why one would want to hack another persons [sic] Facebook account. Parents might want to see what their kids are doing online to monitor them. A boyfriend or girlfriend might want to see what their counterpart is doing behind their back. A husband would want to check if his wife is faithful or vice versa. Today in the world of Internet social media has become one of the most trending thing for people of every age. Many people share their deepest and darkest secrets, interests, hobbies, likes and dislikes with their friends. And this is the reason why people want access to others [sic] account to know everything about them.
We provide you with the best Facebook hacker available in the internet for absolutely free. Now you can hack Facebook password of just anyone you want. No more wasting time downloading Facebook password hacker or any other Facebook password cracker tools available in the internet. Most of these tools are fake and contain virus. This is why we offer you this 100% safe service to hack anyone on Facebook right from website hacking panel. No plugin or absolutely no download required. Get started now!

If you think that all these sound over-the-top, they probably are.

This domain was created within the same time frame as fbwand. Clicking the “Click here to start hacking” button leads to a page where users can supposedly enter the Facebook profile link of the account they want hacked. From here, one can also have ready access to a “Members Panel” section, where whoever is registered can enter his/her user name and corresponding password to access results from the supposed hack. More on this in a few.


One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an actual hack is under way: first, by retrieving specific information from Facebook’s Graph Search, such as user ID, user name, and a large version of the profile photo, and displaying it on the page; and second, by showing the attacker the progress of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:

[Slideshow: screenshots of these attempts]

After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:

[Image: The "Member's Panel"]

He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it. Below is a screenshot of the tweet the attacker is encouraged to use in sharing:

[Image: Tweet template]

Doing a quick search on Twitter reveals these live tweets:

[Image: Twitter search results for sharesocial(dot)biz]

The second is to complete a survey by clicking a button, which leads to a site called Download Files Fast.


Users who visit hackfbaccount(dot)com from a French-speaking country are also redirected to commentpiraterfacebook(dot)org, a site in French.

Although it’s true that no website is perfectly secure, one must not attempt to hack into them or break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tools, such as those I mentioned here, generally take advantage of a user’s distrust of someone and profit from it, promising big but delivering nothing in the end. Avoid them at all costs.

Jovi Umawing