Social Media Account Hacking Using Kali Linux Based Tool BeEF

The document discusses social media account hacking using the Kali Linux tool BeEF. It begins with an introduction explaining the rise of social engineering attacks on social media and outlines some common techniques like phishing. It then discusses related work, describing different threats like malware, phishing, cross-site scripting attacks. The document proposes using a fake social media website and man-in-the-middle attack to collect user credentials. It concludes by noting the experiment will demonstrate hosting a fake website and spoofing messages to obtain user information.

Uploaded by

sai Kiran

Social Media Account Hacking using Kali Linux Based Tool BeEF

Christopher Le1, Rim Nassiri1, Estephanos Jebessa1, Jon Cathcart1, and Tauheed Khan Mohd1 [0000-0002-7989-6908]

Department of Math and Computer Science, Augustana College, Rock Island, Illinois,
61201, USA
{christopherle19, rimnassiri21, estephanosjebessa19, joncathcart19,
tauheedkhanmohd}@augustana.edu

Abstract. Nowadays, most people, especially teenagers, have at least one social media account. According to research done by Pew Research Center, more than 65 percent of adults used social media in 2015. While social media has undoubtedly brought some advantages of connecting people, having your digital profile online can also open the destructive potential for hackers to access your accounts. Having your social media hacked can also mean potential risks of stealing your money or promoting false information/political agendas, for example. The leading causes of this can be social media phishing and spoofing attacks. Various techniques are discussed for hacking an individual’s social media to get desired credentials. The technique implemented is to use a fake social media website and a bridge (man in the middle) between that website and a victim’s system to collect the user information desired. In doing this, security approaches will also be discussed to help users better secure their social media accounts.

Keywords: Fake Website, Cybersecurity, Threats, Attacks, Phishing, Spoofing, Malware, Raspberry Pi, Kali Linux

1 Introduction
1.1 The rise of social engineering in social media’s ages
Over the past decades since the invention of social media, the number of adults using digital profiles has proliferated, with more than 68 percent of adults having at least one social media account in 2016. For some, social media is a great way to interact with others, make new friends, and keep in touch with existing relationships, while others use social media sites to get information from news and blog posts. As social media has become part of everyday life, some people use it to make profits, become famous, or spread political agendas. With such advantages, it is hard to imagine people’s lives without social media. However, as much as people’s lives depend on social media, there are also many potential risks of hackers gaining access to crucial information. Once they have sufficient information, they can steal money or users’ identities to spread false information or carry out other harmful actions. Social engineering is a technique hackers use to lure victims into revealing confidential information. With social engineering, hackers can infect systems with malware and access users’ information. Another technique, the one used in this study, is phishing by means of a spoofed website [1]. Specifically, social media phishing over recent years has caused significant repercussions for users who do not know that this type of hacking can happen. This type of attack consists of creating a replica or impersonation of a specific website so that targeted victims, to the average eye, would not notice any difference. This is dangerous since, without knowing a source is fake, users will put in whatever information the site requires and will give out these credentials without knowing they have been scammed. This paper will briefly describe the background knowledge of the attacks and threats used on the internet, and it will also discuss some of the techniques that can be used to hack social media sites, as well as how to identify these kinds of attacks. Lastly, the experiment in this study will present how to host a fake website and send spoofed messages to obtain valuable information from the targeted user.

2 Related Work

2.1 Different threats in social web networks

Users are often unaware of the numerous security risks in these social web networks. When logging in or signing up for a social media platform, users are requested to enter personal and private information such as their date of birth, phone number, and email address. Additionally, after disclosing these highly sensitive details, users tend to overshare on social media by spending more time and effort on their profiles and updating them frequently over time. This practice enables cyber attackers to amass important data and information that will harm users later [2].
As a result of paying too much attention to and oversharing on the platform, social media users have unintentionally exposed themselves to threats to their privacy and security. These threats include classic threats, modern threats, combination threats, and, last but not least, threats aimed at youngsters who use social media [3] [4].

Classic Threats Classic threats are some of the most widespread threats out there. They continue to be a problem and are frequently referred to as malware, spam, cross-site scripting (XSS) attacks, or phishing. They have been addressed in the past due to their notoriety, but they have also grown more and more viral and spread quickly among network users [5]. They attack the user and their friends by tailoring the threat to the user’s personal information, taking advantage of what the user has published in a social network. The various classic threats are described below. The first type of classic threat is malware, which is malicious software designed to obstruct computer operations in order to gather user login information and access sensitive data. In social networks, malware frequently hides while it seeks to propagate among users and their network acquaintances. Next on the list is phishing attacks. Phishing attacks are a type of social engineering used to get private and sensitive information from users by pretending to be a reliable third party. There has been a significant rise in recent years in the number of phishing attempts within social networks, particularly with the rise of fake login pages that closely mimic legitimate websites. Among classic threats, some spammers utilize electronic messaging platforms to deliver unwanted messages, such as ads, to other users [5]. They also use social media platforms to leave comments on popular user-viewed pages to drive traffic to their own pages. Last but not least, cross-site scripting (XSS) is part of classic threats. An XSS attack is an assault against web applications. Using XSS, an attacker can take advantage of the web client’s trust in the web application and have it run malicious code that can gather sensitive data. XSS assaults are a huge problem for social networks. Attackers can produce an XSS worm that spreads rapidly among users of social networks by pairing an XSS vulnerability with the social network’s infrastructure [3].

Modern Threats Usually unique to online social network environments, modern threats target the user as well as the user’s friends’ personal information. As an example, a user might create a fake social media account disguised as the target’s friend and add the target on that social media to gain access to some private information only viewable to the target’s added friends, such as the target’s high school [3].
The following examples represent the various modern threats that have put a user’s privacy on social media at risk:
Clickjacking This is a scary and malicious technique in which the user clicks on something utterly unrelated to what they planned to click. Because of clickjacking, the user can accidentally activate their microphone or camera or post spam messages on their social network timeline [3].
De-Anonymization Attacks Users on numerous social networks can preserve their privacy by adopting pseudonyms to conceal their real identity and, thus, their vital private information. On the other hand, de-anonymization attacks use techniques such as monitoring cookies, network topology, and user group memberships to reveal the user’s true identity. Third parties, for example, may be able to discover user identities by connecting information disclosed via social networking sites [3].
Face Recognition Users generally utilize online social networks to upload images of themselves and their acquaintances for memories. Many users’ profile pictures are publicly available to view and download. However, these pictures and photos can be used to establish a biometric database, which can subsequently identify social media users without their knowledge or consent [3].
Due to the dramatic rise of e-commerce sites, digital assets, and social networking sites, individuals and organizations are suffering from lethal cyber-attacks that could pose serious security threats [6]. While cybersecurity threats are constantly around us, these are some of the most notorious types of attacks seen every day in the modern world:
Botnet attacks Botnets have historically been used to launch denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, as well as to stealthily take over enterprise computing resources, typically to mine cryptocurrencies. Enterprises are vulnerable not only to botnet attacks but also to having bot malware installed on their networks.
Cloud-based exploits As organizations continue to migrate services to the cloud and expand on cloud infrastructure, attempts to exploit cloud resources have increased.
Work-from-home-specific attacks Because users’ home security hygiene is typically not as thorough as it is at the enterprise level, this has opened the door for attacks targeting insecure WiFi networks, easily cracked passwords, and even physical theft of devices such as laptops and smartphones [6].
Inference attacks Inference attacks in OSNs are used to predict a user’s personal, sensitive information, such as religious affiliation or sexual orientation, which the user has chosen not to disclose. These attacks can be carried out by combining data mining techniques with publicly available OSN data, such as network topology and data from users’ friends [3].

Combination Threats Against today’s advanced security systems, hackers can use a combination of classic and modern threats to create a more sophisticated attack. For example, an attacker might use a phishing attack to obtain a user’s Facebook login credentials and then use cloud-based exploits to reuse that login information and hack into other cloud-based services. An attacker might also perform identity clone attacks after a phishing attack to duplicate the presence of someone important on the web.
Since classic and modern attacks have distinct recovery processes, combination attacks are usually brutal to recover from. A person whose social media accounts have been hacked and whose identity has been stolen is more likely to go through a multi-step recovery process because their entire digital reality is stolen [3].

2.2 Types of attacks

As technology development rapidly grows, cyber security threats have become more significant for anyone who uses the internet. With social media specifically, phishing attacks have become a widespread annoyance for customers on these platforms. Phishing works by creating fake emails containing links to a fake website to trick people into revealing sensitive information or installing malware on their devices. Smishing is a similar attack but is more commonly used on mobile devices. This technique is delivered through text messaging (SMS). Even though these two attack methods have been influential in the past, applications nowadays can detect these attacks, and so they are outdated. The most common and effective attack nowadays is social media phishing. This can be an attack on a computer or a mobile device, which reaches all users on a platform. An attacker sends messages on social media apps like Facebook and Instagram to bait a user into giving out information that the attacker wants to obtain. Usually, they are impersonating someone else so that the user recognizes that individual and is easily swayed to go along with what they are being told to do. A study in 2021 showed the success rate of each kind of attack, with social media phishing at 52.17 percent, email phishing at 16.22 percent, and smishing at a low 4.17 percent success rate [7]. This shows that social media phishing is more successful than email phishing and smishing and is a dangerous attack that needs to be detected more accurately.

2.3 Detecting Fake Websites


There are two main types of fake websites: concocted and spoof [8]. Concocted websites collect users’ money and disappear. These sites are usually scams posing as real estate, financial, delivery, or retail companies. Spoof sites are imitations of actual commercial sites, made to deceive the authentic sites’ customers. A person will log in to this kind of fake website, which is made for identity theft by capturing that user’s account information. Examples of spoof websites are fake versions of banking interfaces and eBay. This is the type of fake website that will be experimented with. It will also be a social media impersonation since it is the most effective and up-to-date technique. That said, with fake websites come applications to detect them. Some examples of these tools are SpoofGuard, Sitehound, Netcraft, eBay’s Account Guard, and AZProtect. A study in 2009 analyzed many real and fake websites with various detection systems, like the ones listed, to find the most accurate detection application [9]. The accuracy of the applications used to detect concocted and spoof-based fake websites is shockingly low. Every application except for one (AZProtect) is below 90 percent accuracy overall, with some being 50 percent or lower. Specifically, with spoof detection, the majority of the tools tested were only 40-70 percent accurate. The stand-out statistic is the percentage of false positives, meaning that these detection tools classified a lot of legitimate websites as fake ones, ranging from 20-50 percent false positives. This shows that even though companies have put in hard effort by developing detection tools to minimize the impact of phishing attacks, fake websites are still very effective and are an ongoing threat to cyber security. This experiment is to show how easily phishing and spoofing can deceive an average internet user.
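
A simplified spoof-site heuristic, added here as an illustration; it is not taken from the paper or from any of the tools it names, and the brand table and the three sample pages are constructed. It flags a credential form on a page that names a brand it is not hosted under, and the third sample shows a legitimate page tripping the same rule, the kind of false positive the 2009 study measured.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed, incomplete table: brand keyword -> domain that legitimately
# hosts that brand's login form.
BRAND_DOMAINS = {"facebook": "facebook.com", "ebay": "ebay.com"}


class LoginFormParser(HTMLParser):
    """Record the page title and the action of every form with a password input."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._form_action = None      # action of the form currently open
        self.password_actions = []    # actions of forms holding a password field

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form_action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_actions.append(self._form_action or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form_action = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def spoof_indicators(page_url, html):
    """Return heuristic reasons a login page looks like a spoof (empty = none)."""
    parser = LoginFormParser()
    parser.feed(html)
    if not parser.password_actions:
        return []                     # no credential form, nothing to judge
    page = urlsplit(page_url)
    host = page.hostname or ""
    reasons = []
    for brand, domain in BRAND_DOMAINS.items():
        if brand in parser.title.lower() and not under_domain(host, domain):
            reasons.append(f"title names {brand} but host is {host}")
    if page.scheme != "https":
        reasons.append("password form served without HTTPS")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP literal")
    except ValueError:
        pass
    for action in parser.password_actions:
        target = urlsplit(urljoin(page_url, action)).hostname or ""
        if target != host:
            reasons.append(f"form posts to other host {target}")
    return reasons


# Constructed samples: a spoof, the genuine site, and a legitimate third party.
FORM = '<form action="{0}"><input name="email"><input type="password" name="pass"></form>'
SPOOF = ("http://facebook-login.example/session",
         "<title>Facebook - Log In</title>" + FORM.format("http://collect.example/save"))
GENUINE = ("https://www.facebook.com/login",
           "<title>Log in to Facebook</title>" + FORM.format("/login"))
THIRD_PARTY = ("https://forum.example/login",
               "<title>ExampleForum: log in or continue with Facebook</title>"
               + FORM.format("/session"))

if __name__ == "__main__":
    for name, sample in (("spoof", SPOOF), ("genuine", GENUINE),
                         ("third party", THIRD_PARTY)):
        print(name, "->", spoof_indicators(*sample) or "no indicators")
```

The forum page is legitimate yet is flagged on the brand rule alone, which is why a single indicator is better treated as a prompt for review than as a verdict.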

3 Research
This paper will discuss a social engineering technique to gain access to users’ information through social media websites. In the big picture, the hacking process involves:
1. Getting the user’s phone number
2. Sending spoofed messages to users
3. Directing the user to a malware website
4. Hiding digital footprints so the hacking process can’t be traced

3.1 Using social engineering to gain user’s phone number

One of the ways that users can create a social media account, for example, on Facebook, is by using their phone number. This is the case when users do not have or do not want to give out their email to be used for account creation. However, having your actual phone number linked with social media can create potential security risks, giving hackers a way to hack your account.
In most cases, secured social media such as Facebook will try to hide your private phone number. In this paper, the target users are those who do not have their personal phone numbers revealed online. In this case, we use tools such as Canary Token [10] to create fake URLs, documents, or QR codes. The content of the URL or document will be made to look legitimate. Once users access the URL, document, or QR code, we have information about their IP addresses. Then, we used an IP Lookup site to discover where the user is generally located, which can tell us the user’s area code. This area code is usually the first three numbers of their phone number. Now, we have to find out the remaining digits of their phone number.
Usually, if you want to hack someone, you would know their name. Even if not, in this digital age, names can be found in Google searches, school databases, business cards, and email signatures, depending on whether the individual you want to hack gives their full name on social media. Once you have the person’s full name, go to the forgot account section on social media such as Facebook, type in the name, and look for the individual you want to hack. If the person is found, then choose the option to reset the password. Facebook will ask to send the password reset to the phone number or the email. The key here is that the last two digits of the phone number will be revealed, which will gain you a total of 5 digits of the user’s entire phone number. If you use an external source such as Gmail or Paypal in the password reset section, the last four numbers of the phone number might be revealed. This way, we only need to know the three middle digits of the user’s phone number.
There are 729 combinations to find the last three digits. We wrote brute force software and utilized the Find Friends feature on Facebook to find the desired individuals. The software will stop once the user’s name matches the name we want to find. The phone number with the right name is the phone number we are looking for. The next step is to send a fake message to this phone number to ask people to access a malware site.

3.2 Sending spoofed messages to users

In this section, Kali Linux [11] will be used to send spoofed messages to users, luring them to access our fake URL. This operating system was installed on a Raspberry Pi in this research paper. To install the operating system, first download the image from the Offensive Security official download page, then install the image on the Raspberry Pi with balenaEtcher [12], a cross-platform tool to flash OS images onto SD cards and USB drives. After setting up, go to SET (social engineering toolkit) in Kali Linux and select SMS spoofing attack. Then perform an SMS spoofing attack with the target phone number obtained in part A. Social engineering techniques were used in this project, with the senders posing as police, teachers, or someone who has influence over the victim. The content of the message should prompt the victims to click on the fake URL. Once we got the victim to click on the fake URL, the rest is to get the victim’s credentials from this website.

3.3 Direct user to a malware website


In this step, the fake URL serves as the middle bridge between the victims and the real website. This technique is called a Man In the Middle attack [13]. To achieve this, an app within Kali called BeEF, the Browser Exploitation Framework [14], was used to hack the victim’s browser and take control of it. Once the victim’s browser is hacked, the victim can be tricked into giving away their social media credentials.

Fig. 1. BeEF’s pretty theft function interface

To operate this hack, first open BeEF from the Kali startup screen. BeEF runs in the background on a web server on your system. Once BeEF is running, open the Iceweasel browser to access BeEF’s interface. The default username and password are beef. The hard part, however, is to get the victim to click on this JavaScript link to hack their browser. This step was discussed in part B. One way to get the victim to click on the spoofed message’s URL is to have some kind of triggering message such as "Click here for more information" or "Click here to see the video". The script should look something like

<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>

Once the victim’s browser is hooked, BeEF will show the victim’s IP address, operating system, and browser type icon. Next, choose the "social engineering" feature from the "Commands" and "Module Tree" section. Click on "Pretty Theft", which will open a "Module Results History" and "Pretty Theft" window. This module enables users to send a pop-up window in the victim’s browser. In this project, the Facebook dialog box will be used. When the "Execute" button is clicked in BeEF, a dialog box will appear in the victim’s browser. It tells the victim that their Facebook session has expired and they need to re-enter their credentials.
Back on our BeEF interface, the victim’s credentials will appear in the "Command results" window. These credentials are the victim’s email address and their Facebook password. Once the credentials are obtained, logging in to their Facebook can be feasible, provided the victim did not enable two-factor authentication. The harms the hackers can do include, but are not limited to: stealing the victim’s identity to send fake messages, stealing money from their families/friends, or blackmailing the victims, etc.
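
From the defender's side, the script include shown above is something a site owner or proxy operator can look for in served or captured HTML. The following check is an added example, not code from the paper or from BeEF; the allowlist, host names and sample page are constructed, and the file name and port are only the values that appear in the tag above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HOOK_FILE = "hook.js"  # file name in the script tag shown above
HOOK_PORT = 3000       # port in the script tag shown above


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_scripts(page_url, html, allowed_hosts):
    """Return [(absolute_src, [reasons])] for scripts loaded from hosts that are
    neither the page's own host nor on the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)   # resolves relative and // URLs
        parts = urlsplit(absolute)
        host = parts.hostname or ""
        if host == page.hostname or host in allowed_hosts:
            continue
        reasons = ["host not allowlisted"]
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        if page.scheme == "https" and parts.scheme == "http":
            reasons.append("plain HTTP script on HTTPS page")
        if parts.port == HOOK_PORT:
            reasons.append("port 3000")
        if parts.path.rsplit("/", 1)[-1].lower() == HOOK_FILE:
            reasons.append("file named hook.js")
        findings.append((absolute, reasons))
    return findings


def csp_header(allowed_hosts):
    """Build a script-src policy that makes the browser enforce the same allowlist."""
    sources = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return f"Content-Security-Policy: script-src 'self' {sources}".rstrip()


# Constructed sample: two expected scripts, the tag from the text above, and an
# include on an unknown host that uses neither the file name nor the port.
SAMPLE_URL = "https://shop.example/account"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>
<script src="https://static.unknown.example/a.js"></script>
</head><body>Account</body></html>
"""
ALLOWED = {"cdn.example.net"}

if __name__ == "__main__":
    for src, reasons in audit_scripts(SAMPLE_URL, SAMPLE_HTML, ALLOWED):
        print(src, "->", ", ".join(reasons))
    print(csp_header(ALLOWED))
```

Because a file name and port are easy to change, the allowlist check is the part that carries the detection; the extra reasons only help prioritise review.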

3.4 Hide digital footprints so your hacking process can’t be traced

Whenever someone visits a website or a server on the Internet, their Internet Protocol (IP) address [15] goes with them and can be traced. A hacker can use proxies to hide or obscure their IP address. In this way, the traffic will go through an intermediary proxy, which sends the traffic on to the destination. This method will replace the source IP address with the proxy’s own. There are also other methods to hide one’s IP, such as using the Tor browser [16] or using a Virtual Private Network (VPN) [17]. However, Tor or VPN is still restricted under law enforcement, especially the National Security Agency (NSA). As for VPN, the IP address of the user can be traced by the VPN provider, which makes it not the ideal method to hide one’s digital footprints.
To create an intermediary proxy, Kali Linux will be used. Firstly, go to proxychains by typing,

kali > proxychains

which will reveal a simple proxychains syntax. After that, precede the desired command to run with the command proxychains, which will allow all of the internet traffic to go through the chosen proxy. In this project, iceweasel was used with the command

kali > proxychains iceweasel

Next, searching for proxies was required to set up proxychains. Some of the proxy providers are: Hide My Ass! [18], SamAir Security, Proxy4Free, Hide.me. SamAir Security was used in this project, and a free proxy was chosen from Russia as EU and U.S. law enforcement do not have jurisdiction in Russia. The chosen proxy was listed as high-anonymous. With the found proxy, the next step was to configure proxychains to use it, which required editing a plain text file, as for most Linux/Unix applications. These files can generally be found in the /etc directory, with the filename "proxychains.conf". Leafpad was used to open the file with the following command

kali > leafpad /etc/proxychains.conf

At the bottom of the file is the list of proxies that proxychains will use, which is, by default, Tor. In order not to use Tor and to avoid conflict with NSA law enforcement, simply put a comment mark on the default browser line. To use the found proxy from Russia, the type of proxy (HTTP) and IP address needed to be added in the file, followed by saving the proxychains.conf file and closing it.
Lastly, to send the HTTP traffic while browsing the web through the found Russian proxy, simply open the Iceweasel browser by typing

kali > proxychains iceweasel

Now, all of the traffic will go through the proxy and will appear to be coming from the proxy should anyone inspect the traffic, which in this case is in Russia.

4 Results
For the results, we attempted to hack 30 volunteers of our project. These individuals range from college students to adults who have Facebook accounts. We took the occasion of layoffs and recession as an opportunity to create a fake job application website. At first, we got the volunteers’ names and email addresses through a Google Form. Another way to collect this information is through a fake job application form. With the name and email address, we attempted to send a Canary Token along with the response email for the user to view the status of their job application. Once the victims clicked on the link, they were redirected to a rejection status page. On our side, we obtained the victims’ locations from their IP addresses. The next steps were to find the phone numbers and send spoofed messages with the malware URL to the victims using Kali Linux. Once their browsers got hooked, a Facebook login pop-up would keep appearing until the victims entered their credentials.
The results of our research were as follows. The drawback of this approach was that it was unknown whether the credentials entered were correct. If time allows, further testing of this method with a wider range of testers is encouraged.

Fig. 2. Survey result

From our perspective, although college students were more likely to click on job postings, they were reluctant to click on unusual URLs. Adults were more wary before clicking any malicious links. An additional reason was that today’s browsers and smart devices would warn people before they clicked any malicious links, making it hard to hack people’s browsers. In the end, a low success rate in obtaining Facebook credentials was attained. However, hiding our IP address with the Tor browser and proxies was successful.

4.1 How to secure your social media


That said, one of the optimal ways to secure one’s social media is to turn on two-factor authentication [19]. The hacker can get into the victim’s social media only if they know the code sent to the victim’s phone number. Another way is to be cautious with any links, pop-ups, and senders, and to be careful before handing over any credentials. In our research case with the fake job application, verifying the company history and the sender’s validity is required before giving any information. Lastly, it is recommended to access secured websites with the HTTPS protocol instead of HTTP, as most insecure websites are made with the HTTP protocol [20].

References
1. P. B. Brandtzæg and J. Heim, “Why people use social networking sites,” in International conference on online communities and social computing, pp. 143–152, Springer, 2009.
2. H. Jones and J. H. Soltren, “Facebook: Threats to privacy,” Project MAC: MIT Project on Mathematics and Computing, vol. 1, no. 01, p. 2005, 2005.
3. M. Fire, R. Goldschmidt, and Y. Elovici, “Online social networks: threats and solutions,” IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 2019–2036, 2014.
4. F. Salahdine and N. Kaabouch, “Social engineering attacks: A survey,” Future Internet, vol. 11, no. 4, p. 89, 2019.
5. A. Mayfield, “What is social media,” 2008.
6. “Modern cybersecurity threats: An introduction.”
7. E. B. Blancaflor, A. B. Alfonso, K. Banganay, G. Dela Cruz, K. Fernandez, and S. Santos, “Let’s go phishing: A phishing awareness campaign using smishing, email phishing, and social media phishing tools,” in Proceedings of the International Conference on Industrial Engineering and Operations Management, 2021.
8. A. Abbasi, F. Zahedi, and Y. Chen, “Impact of anti-phishing tool performance on attack success rates,” in 2012 IEEE international conference on intelligence and security informatics, pp. 12–17, IEEE, 2012.
9. A. Abbasi and H. Chen, “A comparison of tools for detecting fake websites,” Computer, vol. 42, no. 10, pp. 78–86, 2009.
10. J. Edu, C. Mulligan, F. Pierazzi, J. Polakis, G. Suarez-Tangil, and J. Such, “Exploring the security and privacy risks of chatbots in messaging services,” in Proceedings of the 22nd ACM Internet Measurement Conference, pp. 581–588, 2022.
11. K. Linux, “Kali linux,” 2020.
12. G. Howser, “Raspberry pi operating system,” in Computer Networks and the Internet, pp. 119–149, Springer, 2020.
13. F. Callegati, W. Cerroni, and M. Ramilli, “Man-in-the-middle attack to the https protocol,” IEEE Security & Privacy, vol. 7, no. 1, pp. 78–81, 2009.
14. H. Sawant and S. Agaga, “Web browser attack using beef framework,”
15. M. Ford, M. Boucadair, A. Durand, P. Levis, and P. Roberts, “Issues with ip address sharing,” tech. rep., 2011.
16. A. Macrina and E. Phetteplace, “The tor browser and intellectual freedom in the digital age,” Reference and User Services Quarterly, vol. 54, no. 4, pp. 17–20, 2015.
17. P. Ferguson and G. Huston, “What is a vpn?,” 1998.
18. V. Gaikar, “Surf the internet anonymously with hide my ass!,” 2009.
19. F. Aloul, S. Zahidi, and W. El-Hajj, “Two factor authentication using mobile phones,” in 2009 IEEE/ACS international conference on computer systems and applications, pp. 641–644, IEEE, 2009.
20. Z. Durumeric, Z. Ma, D. Springall, R. Barnes, N. Sullivan, E. Bursztein, M. Bailey, J. A. Halderman, and V. Paxson, “The security impact of https interception.,” in NDSS, 2017.
