Security threats on social networks

Nithya Raman
Senior Security Analyst, Symantec

Rise of social networking

• Facebook: 4th largest U.S. web property in audience size, with 157.2 million visitors
• Linkedin.com: 33.4 million visitors
• Twitter.com: 27.0 million visitors
All-time U.S. audience highs in May 2011. Data from comScore.

Facebook Statistics

• More than 750 million active users
• 50% of our active users log on to Facebook in any given day
• Average user has 130 friends
• People spend over 700 billion minutes per month on Facebook
• People on Facebook install 20 million applications every day
Data from Facebook

Attacks on social networks

Malicious applications

Malicious applications on Facebook and Twitter

• Both Facebook and Twitter allow third-party applications
• Spam applications are a common occurrence on these sites
• Applications have also been used to spread adware, phishing links and other malware

Spam applications

• Automatically adds status messages and wall posts/tweets
• Usually leads to human verification tests/surveys. You're tricked into believing that you need to complete the survey in order to see the promised content.
• The scammers, meanwhile, are earning commission for every survey completed, and are using your Facebook account to spread the links even further.

Facebook spam app

Clicks data for spam apps

Spam link        Number of clicks
bit.ly/e9zZvk    281,167
bit.ly/dSUqN6    85,833
bit.ly/fCTbAB    71,372
bit.ly/fQEUl9    21,267

Malware applications

• Similar to spam applications, usually spreads using wall posts/tweets and messages
• Applications can redirect to
  - fake codec/antivirus pages
  - phishing pages
  - other malware/exploits

Adware App

Twitter spam app

Screenshots from Sophos

Koobface

What is Koobface?

• First appeared in late 2008
• Spreads across social networks like Facebook, MySpace and Twitter
• Uses wall posts/tweets containing a link that usually leads to a page which looks like a YouTube video
• Offers a fake Adobe Flash Player update: the Koobface zombie executable

Koobface behaviour

• Spread through social networks
• Steal confidential information, software license keys
• Redirect web browsing to malicious sites and inject advertising
• Intercept Internet traffic and block access to certain Internet sites
• Download additional files/pay-per-install software
• Break CAPTCHAs, determine if a link is blocked by Facebook
• Create new Blogspot accounts and pages
• Modify the Hosts file

Spreading techniques

• Wall posts/tweets
• Direct messages
Koobface links are usually accompanied by enticing messages such as "Cool Video", "LOL", "Last Video".

Redirection from blogspot.com pages

De-obfuscated code:

Fake Youtube Video

Koobface data

Malicious link              Count    Share
Blogspot.com pages          15841    29.2%
'bit.ly' shortened links    37133    68.5%
Google links                  184     0.3%
Other links                  1035     1.9%

Total number of unique Koobface links: 54193

'bit.ly' link statistics

Total number of clicks                 3,671,541
Average number of clicks per link      99
Maximum number of clicks per link      12836
Number of links with over 10K clicks   73

Detection evasion techniques

• Multiple redirections
• Shortened links: 69% of the links collected were 'bit.ly' short links
• Referrer URL check: the visitor is sent to a Google News page or another clean page when the Referrer is not set
• User-Agent check
• Broken URLs: random text is added just before the valid URL

Script Attacks

Types of script based attacks

• Manual script attacks
• Clickjacking
• Cross-Site Scripting (XSS)

Manual script scams

• User is lured with a message as bait to a prepared site.
• User is asked to copy a JavaScript snippet into the browser address bar and press the 'Enter' key.

Script behavior

• Updates your FB status with spam messages and also posts on your friends' walls
• Sends chat messages to friends
• Adds "Likes" to different Facebook pages
• Tags you in images
• Creates an event and sends an invitation to all your friends
• Facebook provides a personalized email id which you can use to update your FB status. The script tries to gain access to this personalized email id, so the hacker can update your FB status at any time. http://www.facebook.com/mobile/?v=photos

Sample scripts

Manual script scam – Wall posts

Osama scam

Profile Views

Clickjacking

What is clickjacking?

• The practice of deceptively directing a website visitor's clicks to an undesired element of another site
• Attacker overlays multiple transparent or opaque layers to trick a user into clicking on a button or link on another page
• Clicks meant for the original page are hijacked and routed to another page
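The server-side defence against clickjacking and like-jacking is to refuse to be framed by other origins. The following audit script is an added example, not part of the original presentation; it checks the standard X-Frame-Options and Content-Security-Policy frame-ancestors headers, and the sample responses at the bottom are constructed for illustration.

```python
"""Frame-protection audit: can a page be embedded in an attacker's iframe?

Added example, not from the original presentation. The header names and
values are the standard X-Frame-Options and CSP frame-ancestors ones; the
sample responses at the bottom are constructed.
"""


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None
    if the policy carries no such directive."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers: dict) -> str:
    """Classify how a response may be framed by other origins.

    Returns 'blocked', 'same-origin', 'allowlist' or 'unprotected'.
    Browsers that understand CSP honour frame-ancestors and ignore
    X-Frame-Options when both are present, so CSP is checked first.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    sources = frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        if sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        return "allowlist"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by every browser, so it is treated as
    # no protection; a missing or misspelt header is unprotected as well.
    return "unprotected"


def audit(responses: dict) -> list:
    """Return the paths whose responses can be framed from any origin,
    i.e. candidates for a transparent like-jacking overlay."""
    return sorted(path for path, headers in responses.items()
                  if frame_protection(headers) == "unprotected")


# Constructed sample responses: a state-changing "like" endpoint must not
# be framable; a public widget deliberately allows one partner origin.
SAMPLE_RESPONSES = {
    "/like": {"X-Frame-Options": "DENY"},
    "/settings": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "/widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/share": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/photo": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for path, headers in SAMPLE_RESPONSES.items():
        print(f"{path:10} {frame_protection(headers)}")
    print("framable:", audit(SAMPLE_RESPONSES))
```

Run it against captured response headers of the pages that carry a Like button or any other one-click state change; every path that comes back "unprotected" is one an overlay page could wrap.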

Facebook like-jacking

Cross-Site Scripting (XSS) attacks

Cross-site scripting on Facebook

Cross-Site Scripting attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites. Facebook has been vulnerable to both persistent and non-persistent XSS attacks.

Non-persistent XSS – Facebook worm (March 2011)

The vulnerability existed in the mobile API version of Facebook due to insufficient JavaScript filtering.

hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt=alert(document.cookie);

Non-persistent XSS – Facebook worm

• The shortened tinyurl.com link redirects to the following URL (deobfuscated):
hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='window.onload=function(){document.forms[0].message.value='jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D http://tinyurl.com/sampahh';document.forms[0].submit();}
• This URL automatically adds a wall post with the message 'jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D hxxp://tinyurl.com/sampahh'.
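The worm worked because the user_message_prompt parameter was reflected into a JavaScript context without adequate encoding. The script below is an added example, not part of the presentation and not Facebook's code: it assumes a server template that drops the parameter into a single-quoted JavaScript string literal inside a script block (the real template is not shown on the slides), puts that flawed rendering beside a hardened one, and checks whether a breakout payload in the worm's shape still escapes the literal.

```python
"""Reflected XSS in a JavaScript string context: unsafe vs. hardened encoding.

Added example, not from the original presentation and not Facebook's code.
The template is an assumption: the reflected parameter lands inside a
JavaScript string literal within <script>.
"""
import json


def render_unsafe(user_message_prompt: str) -> str:
    """The flawed pattern: raw concatenation into a single-quoted literal."""
    return "<script>var prompt = '" + user_message_prompt + "';</script>"


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii) all non-ASCII, but leaves <, > and & raw; those are
    escaped too so the HTML parser can never see a '</script>' inside it.
    """
    encoded = json.dumps(value)
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(raw, escaped)
    return encoded


def render_safe(user_message_prompt: str) -> str:
    """The hardened pattern: the parameter can only ever be string data."""
    return "<script>var prompt = " + js_string_literal(user_message_prompt) + ";</script>"


def _has_unescaped(text: str, ch: str) -> bool:
    """True if ch occurs in text outside a backslash escape."""
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2
            continue
        if text[i] == ch:
            return True
        i += 1
    return False


def literal_intact(script: str, original: str) -> bool:
    """True when the rendered script holds exactly one string literal that
    still decodes to the original parameter: no quote breakout and no
    '</script' visible to the HTML parser."""
    prefix, suffix = "<script>var prompt = ", ";</script>"
    if not (script.startswith(prefix) and script.endswith(suffix)):
        return False
    literal = script[len(prefix):-len(suffix)]
    if "</script" in literal.lower():
        return False
    if literal.startswith('"'):
        try:
            return json.loads(literal) == original
        except ValueError:
            return False
    if len(literal) >= 2 and literal[0] == literal[-1] == "'":
        return not _has_unescaped(literal[1:-1], "'")
    return False


# Sample inputs: a harmless prompt, and a constructed breakout payload in the
# worm's shape (a leading quote closes the literal, then code follows).
BENIGN = "hello world"
PAYLOAD = "';window.onload=function(){document.forms[0].submit();}//"

if __name__ == "__main__":
    for value in (BENIGN, PAYLOAD):
        print("unsafe intact:", literal_intact(render_unsafe(value), value))
        print("safe   intact:", literal_intact(render_safe(value), value))
```

The check deliberately covers both escape routes: a quote that terminates the JavaScript literal, and a `</script>` that terminates the script element at the HTML level even though the JavaScript literal itself is well-formed. Context-aware encoding, not blacklist filtering of "JavaScript", is what closes both.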

Twitter trends attacks

Twitter trending topics poisoning

• Look for the latest news and events: Twitter trending topics http://api.twitter.com/1/trends/current.json

Twitter trending topics poisoning

• Mask the malicious URLs. URL-shortening services are commonly used on services like Twitter in order to conserve space. Various shortening services such as tinyurl.com, bit.ly and tiny.cc have been used to mask URLs.

Twitter trending topics poisoning

• Compose a collection of messages to tweet. Create messages with Twitter trending topics/hashtags planted randomly into the message.
• Start tweeting! Tweets are sent from different fraudulent/compromised accounts.
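The recipe above has a mirror image on the detection side: the same link pushed by several unrelated accounts under several unrelated trending hashtags, typically behind a shortener, is the signature of a poisoning run. The script below is an added example, not part of the presentation; the trending-topic list, the account names and the tweets are constructed, and only the shortener domains come from the slides.

```python
"""Spotting Twitter trending-topic poisoning in a batch of tweets.

Added example, not from the original presentation. TRENDS, the accounts and
the tweets are constructed; SHORTENERS are the services named on the slides.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "tiny.cc"}
URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"#\w+")


def analyze_tweet(text: str, trends: set) -> dict:
    """Extract the trending hashtags and links from one tweet."""
    tags = {t.lower() for t in TAG_RE.findall(text)}
    urls = URL_RE.findall(text)
    domains = {urlparse(u).netloc.lower() for u in urls}
    return {
        "trends": tags & trends,
        "urls": urls,
        "shortened": bool(domains & SHORTENERS),
    }


def suspicious_links(tweets, trends, min_accounts=3, min_trends=2) -> dict:
    """Group tweets by link and flag links tweeted by at least min_accounts
    distinct accounts under at least min_trends distinct trending hashtags.

    Returns {url: {"accounts": set, "trends": set, "shortened": bool}}.
    """
    by_url = defaultdict(lambda: {"accounts": set(), "trends": set(), "shortened": False})
    for account, text in tweets:
        info = analyze_tweet(text, trends)
        for url in info["urls"]:
            entry = by_url[url]
            entry["accounts"].add(account)
            entry["trends"] |= info["trends"]
            entry["shortened"] = entry["shortened"] or info["shortened"]
    return {url: entry for url, entry in by_url.items()
            if len(entry["accounts"]) >= min_accounts
            and len(entry["trends"]) >= min_trends}


# Constructed data: three trending topics and a small tweet sample in which
# one shortened link is pushed by four accounts under all three trends.
TRENDS = {"#worldcup", "#oscars", "#newphone"}
TWEETS = [
    ("acct01", "omg #worldcup you have to see this http://bit.ly/EXAMPLE1"),
    ("acct02", "#oscars lol so funny http://bit.ly/EXAMPLE1 #newphone"),
    ("acct03", "cant believe it #newphone http://bit.ly/EXAMPLE1"),
    ("acct04", "#worldcup #oscars best video ever http://bit.ly/EXAMPLE1"),
    ("sports_desk", "Full match report from the #worldcup final http://news.example.com/report"),
    ("acct05", "#oscars red carpet pics http://tinyurl.com/EXAMPLE2"),
]

if __name__ == "__main__":
    for url, entry in suspicious_links(TWEETS, TRENDS).items():
        print(url, sorted(entry["accounts"]), sorted(entry["trends"]), entry["shortened"])
```

On real data the thresholds would be tuned per volume, and the grouping key should be the resolved destination rather than the shortened link, since a campaign rotates shortener aliases for one landing page.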

Phishing

Facebook and Twitter phishing scams

• Spoofed websites designed to fool recipients into divulging their credentials
• Again, these scams are usually accompanied by enticing messages
• Wall posts, messages or tweets could contain
  - direct links to the phishing site
  - obfuscated shortened links
  - links via applications

Facebook Phishing wall posts

Facebook Phishing page

Twitter phishing links

Link on the tweet            First redirection        Second redirection
http://t.co/QYQfGIa          http://kurz.es/8b3fcb    http://itwittiler.com/twitterlogin1
http://t.co/lAyDmRZ          http://i2h.de/b0tb       http://xxx-blackbook.com/twitterlogin1/
http://t.co/9hk72A5          http://kurz.es/8b3fcb    http://itwittiler.com/twitterlogin1
http://t.co/PaFDmUJ          http://kurz.es/8b3fcb    http://itwittiler.com/twitterlogin1
(tweet link not recovered)   http://kurz.es/8b3fcb    http://itwittiler.com/twitterlogin1
(tweet link not recovered)   http://i2h.de/b0tb       http://xxx-blackbook.com/twitterlogin1/
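Both the Koobface evasion slide (multiple redirections, shortened links, Referrer and User-Agent checks, random text glued in front of the real URL) and the redirection table above come down to one analyst task: resolve a link the way a victim's browser would and compare that with what a scanner sees. The script below is an added example, not part of the presentation. Network access is replaced by mock_fetch, a constructed stand-in that replays one row of the phishing table plus one constructed cloaked hop; the hostnames blog-example.blogspot.com, video-example.invalid and news.example.com are placeholders.

```python
"""Following and grading redirect chains behind social-network links.

Added example, not from the original presentation. mock_fetch is a
constructed stand-in for HTTP: it replays the t.co -> kurz.es ->
itwittiler.com row of the slide's phishing table and adds a constructed
cloaked hop on placeholder hostnames.
"""
import re
from urllib.parse import urlparse

# Shortener hostnames seen on the slides.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "tiny.cc", "kurz.es", "i2h.de"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://\S+")


def mock_fetch(url: str, referer, browser_ua: bool):
    """Constructed stand-in for an HTTP GET. Returns (status, location, body)."""
    chain = {  # first two hops of one row of the slide's phishing table
        "http://t.co/QYQfGIa": "http://kurz.es/8b3fcb",
        "http://kurz.es/8b3fcb": "http://itwittiler.com/twitterlogin1",
    }
    if url in chain:
        return 301, chain[url], ""
    if url == "http://blog-example.blogspot.com/":
        # Cloaked hop: only a visitor arriving from a social site with a
        # browser User-Agent is sent on; crawlers and scanners get a clean page.
        if referer and browser_ua:
            return 302, "http://video-example.invalid/watch", ""
        return 302, "http://news.example.com/", ""
    return 200, None, f"<html>page at {url}</html>"


def extract_url(text: str):
    """Find the real link even when random text is glued in front of it."""
    m = URL_RE.search(text)
    return m.group(0) if m else None


def follow(url: str, fetch, referer=None, browser_ua=True, max_hops=10):
    """Follow redirects from url; returns (hops, final_body). Stops on a
    loop or after max_hops so a hostile chain cannot spin the analyser."""
    hops, seen, body = [url], {url}, None
    while len(hops) <= max_hops:
        status, location, body = fetch(hops[-1], referer, browser_ua)
        if status not in REDIRECT_CODES or not location or location in seen:
            break
        hops.append(location)
        seen.add(location)
    return hops, body


def assess(text: str, fetch=mock_fetch, referer="http://www.facebook.com/") -> dict:
    """Resolve a link as a victim would (referer + browser UA) and as a scanner
    would (no referer, non-browser UA), then grade the chain."""
    url = extract_url(text)
    if url is None:
        return {"url": None, "suspicious": False}
    victim_hops, _ = follow(url, fetch, referer=referer, browser_ua=True)
    scanner_hops, _ = follow(url, fetch, referer=None, browser_ua=False)
    hosts = [urlparse(h).netloc.lower() for h in victim_hops]
    report = {
        "url": url,
        "final": victim_hops[-1],
        "hops": len(victim_hops) - 1,
        "shorteners": [h for h in hosts if h in SHORTENERS],
        "cloaked": victim_hops[-1] != scanner_hops[-1],
    }
    report["suspicious"] = report["hops"] >= 2 or report["cloaked"]
    return report


if __name__ == "__main__":
    for sample in ("LOL http://t.co/QYQfGIa", "ksjdhfhttp://blog-example.blogspot.com/"):
        print(assess(sample))
```

Two points carry over to a real fetcher: the URL must be found by searching the message rather than validating it from the start, otherwise the "random text before the link" trick hides it from the scanner but not from the user's browser, and every link has to be fetched twice, once with the Referer and User-Agent a victim would present and once without, because a single clean fetch is exactly the result the Referrer and User-Agent checks are designed to produce.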

Twitter phishing page

Questions? [email protected]

Thank You!