Here is how and why Angaraag Mahanta's official Facebook Page was Hacked - Hackatrick - Technology With Security

5 February 2016

Here is how and why Angaraag Mahanta's official Facebook Page was Hacked

On 23rd January I woke up in the morning and as usual I was scrolling through my facebook feeds. I saw few spammy links getting shared from the official facebook page of Angaraag Mahanta. For those of you who don't know,  Angarag Mahanta, known by his nickname Papon, is an Indian singer, composer and record producer from Assam. He is the lead singer and founder of the folk-fusion band called Papon and The East India Company. He recently won Best bollywood playback singer for the song "Moh Moh Ke Dhage" – Dum Laga Ke Haisha.

At first I thought why would he shared such links? and when I saw that few more links of the same website is getting shared, I was sure that either his page got hacked or it was infected by some malicious app.

Few hours later and more links of the same domain ( ) were getting shared. The situation was getting worse as mostly NSFW contents were getting shared.

Here are few of the post which were shared on the page.

So I reached out to Angaraag Mahanta to know what exactly is happening. It turns out that I was right. His facebook page got hacked and the hacker removed Papon from being the page admin.

Here is the tweet that he made after his page got hacked.

How The Account Was Hacked ?

The hacker did a phishing attack to get the email ID and Password of the personal facebook account that was used by Angaraag Mahanta. 

Phishing is a form of attack in which the attacker tries to get information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels. Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message may direct them to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details. 

Generally in phishing attack, the attacker makes a fake login page which looks exactly same as a legitimate one, only the URL of the page differs. The only way to know if the page is a genuine one or fake is is by looking at the URL.

But here the case was different. Here the attacker did not create a login page in some other URL. To make it look more genuine, the hacker created a facebook app and hosted the phishing page inside it. So the link appeared as

After looking at this link, most of the people will be convinced that its genuine and not a fake one.

Here is the phishing page that was used to get the email and Password of Angaraag Mahanta.

As you can see it is a well crafted phishing page and a non technical person can never make out that its a phishing page.

Why The account was Hacked ?

The account was hacked mainly for profit and earning money. After his page was compromised, many news channels thought that may be some rivals of him might have done it. But I have a different theory.

Even After getting full access to the page, the hacker did not write anything against him on the page. All he did was, shared links of a particular site ( ) . According to me, The sole purpose of the hacker was to make money from the traffic that he would get from the page. Angaraag Mahanta's facebook page have a huge number of active followers and anything that he shares gets thousands of likes and shares. The hacker wanted to take the advantage of that.

After looking at the WHOIS record of the site ( ), we get to know that the site was created on 21st January. The hacker added a adsense account to it which means that he would earn from each visit that he gets on the site. Next the hacker wanted lots of traffics on his site so that he can earn. So he targeted Angaraag Mahanta's facebook page and managed to grab a lot. (I think)

As the hacker removed the admin from the page so it took us some time to get it back . We contacted Facebook Head Office regarding this and after working for 2 days  I was able to get back the page  on 25th January night and secure it. 

Once we got admin rights , I was inside the page and I saw that the hacker made almost 15 schedule post on the page. I removed all of those and also made changes on the page and secured it.

On 26th January Angaraag Mahanta made a post and thanked me for helping him recover the page.

Hello people! Happy to announce that after 4 frustrating days of crazy links posted on my page and multiple attempts...
Posted by Angaraag PAPON Mahanta on Monday, 25 January 2016

He met me on 31st january, at Rongali . He is such a humble person. I am happy I was able to help him.

Me and my friend with Papon Da

Final Words

The hacker calculated a lot before he carried out the attack. The website ( ) was created 2 days prior to the attack and the hacker made the WHOIS record as private so that it become hard to trace. also since the website was new, there were no previous records of the site on the net.

Facebook page managers of celebrities should be very careful while clicking on suspicious links as most of the cyber criminals and fraudsters target such popular pages.