So I got one of those “don’t accept Anwar Jitou’s friendship request” messages on Facebook. Apparently, he’s some kind of magical hacker who can do impossible things. Here is the chain letter message:

“Please tell all the contacts in your Messenger list, not to accept Anwar Jitou’s friendship request. He is a hacker and has the system connected to your Facebook account. If one of your contacts accepts it, you will also be hacked, so make sure that all your friends know it. Thanks. Forwarded as received.”

I was going to just send this to the person who sent it to me, but it’s better to post here so everyone knows this stuff.

Note: The name in this chain letter has been changed repeatedly. The most recent one I saw was Jayden Smith, so unless Will Smith’s son has become an elite hacker, it’s probably just as fake. Yes, I know the spelling is different, but then I wouldn’t be able to make the joke now would I?

For the rest of this post, I’m sticking to Anwar Jitou, as that’s the name that was on the one I was sent.

Stop adding people you don’t know

To begin with, don’t add people you don’t know. When you add anyone on Facebook, you are giving them access to your Friends Only data. That includes pictures of you that are only meant for your friends. If you’re just going to add anyone, you might as well undo the privacy settings on your account.

You often read about some random teenager who is complaining that people hacked her account and stole all of her pictures. I know people like this. In reality, no one hacked anything. Typically those photos got out because of one of the following:

  • You left your account privacy settings configured to allow anyone on the planet to see your pictures.
  • You added a “friend” who was just adding you to gain access to your pictures. Their account is likely as fake as the profile photo they used to fool you with.
  • You have a friend or friends who shared all of your pictures with the world.

At any rate, no one hacked anything. You just gave the wrong people access to your stuff.

Fake Facebook Accounts

Fake Facebook accounts often use photos of models. Denise Milani does not live in Asheboro, North Carolina.

I know I don’t have to tell you that not everyone on Facebook is who they say they are. Still, there are far too many people who add fake Facebook accounts to their Friends list. You know good and well Zac Efron is not trying to add you on Facebook, and Denise Milani doesn’t live in Asheboro, North Carolina.

Fake Facebook accounts are annoying, but adding them doesn’t hack your account. What it does do is provide the scammer a way to contact you more directly and give them access to your Friends Only information. This means they can now copy all of your details and photos. Why would they want to do that?

To pretend to be you.

When a scammer creates an account with your name, photos, and details, it makes the account look convincingly like yours. They can then try to add your friends who, if they don’t question why you’re adding them again, will simply connect to the fake account and continue the cycle. It also gives the scammer a better footing when they try to scam or harass your friends. Meanwhile, your friends will think it’s you.

This is not how hacking works

Based on this chain letter, somehow Anwar Jitou can magically suck out your login information through Facebook just by connecting to you or your friends. Someone needs to call the Winchesters because this guy must be a warlock.

Someone can’t “hack” you just because they are connected to you or a friend of yours. Being connected only provides the same access your friends have. Unless you happen to be sharing your login information with your friends, connecting to a “hacker” doesn’t help them break into your account.

But then, I forgot. Anwar Jitou is a super hacker because he “has the system connected to your Facebook account”. What system? This isn’t some crappy TV show on CBS. Anwar Jitou’s “system” is as made up as he is.

Hackerman: The world’s most incredible hacker

How do people hack your account

Hackers break into your account through the traditional, very well known methods. Below are the most common ways, complete with an explanation of what they do.

Keyloggers

If you want to access any kind of account online, typically you need login information. If you don’t know the login details — such as the username/email and password — you aren’t going to get very far. This is where keyloggers come into play.

A keylogger is a piece of software that keeps track of every keystroke you make. Yes, everything. When you type your passwords, book reports, instant messages to your mother, the software keeps track of it. There are legitimate uses of this type of software, such as a parent keeping track of what their kids are doing online.

But in this case, we are talking about keyloggers that were installed by someone who wants to gain access to your account information for everything you log into.

So where do keyloggers come from? Well, they can come from a number of places. Some are included in files, such as hacked torrents on file sharing networks or downloads from websites. Others are included as part of an add-on for another piece of software you are installing. My daughter, for instance, has a habit of installing this kind of junk by clicking through installation screens without reading them. It isn’t until later that things start going funky with her laptop and Malwarebytes must come to the rescue.

Malware shows up primarily through infected files you’ve downloaded and, on occasion, through security holes in software that allow an attacker access to your machine. However, if an attacker has access to your computer in that way, they won’t care about your Facebook account. They’ll be there to do real damage to you through ransomware, wiping your computer, and/or looking for banking information. Basically, your Facebook account will be the least of your worries.

Brute Force

Another method to break into your account is with the use of brute force login tools. These essentially allow the attacker to try thousands of login combinations in seconds. Yes, this is automated. Someone isn’t sitting there just trying passwords like some espionage movie from the 80s.

Brute force tools usually start with well-known passwords and dictionary attacks (words from the dictionary, plus simple variations of them). This is why you don’t use easy passwords. You aren’t just trying to protect against people who have a large vocabulary, you’re trying to protect against machines which have a complete vocabulary.
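To make the “complete vocabulary” point concrete, here is an added example (not from the original post) of a defensive password check: it asks whether a candidate password is reachable from a tiny constructed wordlist using the cheap mangling rules a dictionary attack applies (capitalisation, leet substitution, appended digits or years). The wordlist and rule set are constructed stand-ins for the far larger lists real tools use.

```python
import itertools

# Constructed miniature wordlist; real dictionary attacks use millions of entries.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "facebook"]

# Common letter-to-digit substitutions ("leet speak").
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield the cheap variations a dictionary attack tries for one base word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    suffixes = list(itertools.chain(
        (str(n) for n in range(10)),            # single digit
        (f"{n:02d}" for n in range(100)),       # two digits
        (str(y) for y in range(1990, 2030)),    # a year
        ("!", "!!", "123"),                     # favourite tails
    ))
    for base in bases:
        yield base
        for suffix in suffixes:
            yield base + suffix


def dictionary_hit(password, wordlist=WORDLIST):
    """Return the base word a dictionary attack would reach `password` from,
    or None if simple mangling of the wordlist does not produce it.
    A None result only means this rule set missed; it is not proof of strength."""
    for word in wordlist:
        if any(password == candidate for candidate in mangle(word)):
            return word
    return None


if __name__ == "__main__":
    for pw in ["Password1", "dr4g0n", "LETMEIN2021", "correct horse battery staple"]:
        print(f"{pw!r}: reachable from {dictionary_hit(pw)!r}")
```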

The use of 2FA (two-factor authentication) can help prevent unauthorized access to your account. Instead of just entering your login information as you do on most websites, you will be given a second step. Most of these involve your phone, either with a security code in a text message or the use of a third party app like Duo. After you log in with your username/email and password, you will then have to enter a code sent to your phone or click a button on an app. This prevents anyone from gaining access if they do not have your device.

Think of 2FA like entering a house that has a deadbolt. If you only have a key for the doorknob, you can’t get in.

Phishing

Phishing is likely the most used method to gain access to an account of any type. Even if you don’t know it by name, you likely have received a phishing email at some point. I get emails from Bank of America all the time, requesting that I log into one of their pages to change my information. The problem is that I’ve never had a Bank of America account.

In fact, there isn’t even a Bank of America in my city.

Phishing is essentially the practice of someone pretending to be someone or something they aren’t, hoping you will give them sensitive information. You’ll often see phishing emails for PayPal, Amazon, Bank of America, and even your own ISP (I’ve seen more than enough phishing emails for CenturyLink in my time working there). The attacker is hoping you’ll believe the site is real and enter your details. Once you do, they have your information and your account is now compromised.

Most of the time these are easy to debunk. For one, typically the sites don’t work very well. The attacker will have copied enough of the page likeness to appear maybe 80% realistic. Once you start trying to visit other pages, you soon find out that either they don’t work or the URL address suddenly changes to the legitimate one.

And that’s another thing.

The URL is never correct. You may see paypal.com in the URL, but it’s not really paypal.com. They’ve simply embedded it somewhere in the URL of their own phishing site, so the address you actually connect to is theirs. As a web developer, I see this kind of stuff a lot. It’s easy to spot, but for someone who doesn’t see this stuff every day, tools like Avast can help keep you from visiting fake sites. Google Chrome can do the same, with a built-in ability to block you from visiting sites it believes are phishing sites.
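As an added illustration of the “paypal.com in the URL but not really paypal.com” trick (example code, not from the original post), this Python check parses a link the way a browser does and reports whether a brand’s domain is the real host or merely appears elsewhere in the URL. The URLs below are constructed; `example` hostnames stand in for an attacker’s domain, and the check is a heuristic, not a complete phishing detector.

```python
from urllib.parse import urlsplit


def classify_brand_url(url, brand_domain):
    """Classify where `brand_domain` (e.g. 'paypal.com') sits inside `url`.

    Returns one of:
      'genuine'        host is the brand domain or a subdomain of it
      'lookalike-host' brand text is inside the host but the real domain differs
      'userinfo-trick' brand text sits before '@', the real host comes after it
      'path-or-query'  brand text only appears after the host
      'unrelated'      brand text does not appear at all
    """
    brand = brand_domain.lower()
    parts = urlsplit(url)
    # .hostname is what the browser connects to; user-info before '@' is ignored.
    host = (parts.hostname or "").lower()
    if host == brand or host.endswith("." + brand):
        return "genuine"
    if brand in host:  # e.g. paypal.com.login-check.example or notpaypal.com
        return "lookalike-host"
    userinfo = ((parts.username or "") + ":" + (parts.password or "")).lower()
    if brand in userinfo:
        return "userinfo-trick"
    if brand in (parts.path + "?" + parts.query).lower():
        return "path-or-query"
    return "unrelated"


def real_host(url):
    """The hostname actually contacted, which is what you should read in a link."""
    return (urlsplit(url).hostname or "").lower()


if __name__ == "__main__":
    # Constructed sample links for demonstration.
    for link in [
        "https://www.paypal.com/signin",
        "https://paypal.com.login-check.example/signin",
        "https://paypal.com@evil.example/signin",
        "https://evil.example/paypal.com/login",
    ]:
        print(f"{link} -> host {real_host(link)!r}: {classify_brand_url(link, 'paypal.com')}")
```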

There are also additional resources that can help teach you how to avoid phishing scams.

Last but not least

The Anwar Jitou chain letter is becoming an increasingly well-known hoax. However, as anyone who has been on Facebook for longer than 5 minutes can tell you, Facebook is full of hoaxes and misinformation. People don’t care about things being real. They read a headline, assume it’s the truth and proceed to spread it around the web like it’s a fact. This is clearly apparent in the number of people who still share posts like “Doctors will perform a life-saving operation on this child if we get 10k shares!” I still can’t wrap my head around how some people can believe there is a doctor out there who works for Facebook likes and shares.

So to recap:

OK, all done. You may now continue on Facebook with your cat picture sharing or fake experting. At least, that’s what most of Facebook seems to be these days.