Security threats on social networks
Nithya Raman, Senior Security Analyst, Symantec
53 pages
May 08, 2019

Transcript
Page 1: Security threats on social networks - securitybyte.org · More than 750 million active users 50% of our active users log on to Facebook in any given day Average user has 130 friends

Security threats on social networks
Nithya Raman
Senior Security Analyst
Symantec

Page 2: Rise of social networking

- Facebook - 4th largest U.S. web property in audience size with 157.2 million visitors
- Linkedin.com - 33.4 million visitors
- Twitter.com - 27.0 million visitors

All-time U.S. audience highs in May 2011. Data from comScore.

Page 3: Facebook Statistics

- More than 750 million active users
- 50% of our active users log on to Facebook in any given day
- Average user has 130 friends
- People spend over 700 billion minutes per month on Facebook
- People on Facebook install 20 million applications every day

Data from Facebook.

Page 4: Attacks on social networks

Page 5: Malicious applications

Page 6: Malicious applications on Facebook and Twitter

- Both Facebook and Twitter allow third-party applications
- Spam applications are a common occurrence on these sites
- Applications have also been used to spread adware, phishing links and other malware

Page 7: Spam applications

- Automatically adds status messages and wall posts/tweets
- Usually leads to human verification tests/surveys. You're tricked into believing that you need to complete the survey in order to see the promised content.
- The scammers, meanwhile, are earning commission for every survey completed, and are using your Facebook account to spread the links even further.

Page 8: Facebook spam app

Page 9: Facebook spam app

Page 10: Clicks data for spam apps

Spam link        Number of clicks
bit.ly/e9zZvk    281,167
bit.ly/dSUqN6     85,833
bit.ly/fCTbAB     71,372
bit.ly/fQEUl9     21,267

Page 11: Malware applications

- Similar to spam applications, usually spreads using wall posts/tweets and messages
- Applications can redirect to
  - fake codec/antivirus pages
  - phishing pages
  - other malware/exploits

Page 12: Adware App

Page 13: Adware App

Page 14: Twitter spam app

» Screenshots from Sophos

Page 15: Koobface

Page 16: What is Koobface?

- First appeared in late 2008
- Spreads across social networks like Facebook, MySpace and Twitter
- Uses wall posts/tweets containing a link that usually leads to a page which looks like a YouTube video
- Offers a fake Adobe Flash Player update – the Koobface Zombie executable

Page 17:

Page 18: Koobface behaviour

- Spread through social networks
- Steal confidential information, software license keys
- Redirect web browsing to malicious sites and inject advertising
- Intercept Internet traffic and block access to certain Internet sites
- Download additional files/pay-per-install software
- Break CAPTCHAs, determine if a link is blocked by Facebook
- Create new Blogspot accounts and pages
- Modify the Hosts file

Page 19: Spreading techniques

- Wall posts/tweets
- Direct messages
- Koobface links are usually accompanied with enticing messages such as
  - Cool Video <malicious link>
  - LOL <malicious link>
  - Last Video <malicious link>

Page 20: Redirection from blogspot.com pages

De-obfuscated code:

Page 21: Fake Youtube Video

Page 22: Koobface data

Koobface links

Malicious link          Count   Share
Blogspot.com pages      15841   29.2%
'bit.ly' short links    37133   68.5%
Google links              184    0.3%
Other links              1035    1.9%

Total number of unique Koobface links: 54193

Page 23: 'bit.ly' link statistics

Total number of clicks                 3,671,541
Average number of clicks per link             99
Maximum number of clicks per link          12836
Number of links with over 10K clicks          73

Page 24: Detection evasion techniques

- Multiple redirections
- Shortened links: 69% of links collected were 'bit.ly' short links
- Referrer URL check: Google news page / other clean pages in case Referrer is not set
- User Agent check
- Broken URLs: adding random text just before the valid URL link

Page 25: Script Attacks

Page 26: Types of script-based attacks

- Manual script attacks
- Clickjacking
- Cross-Site Scripting (XSS)

Page 27: Manual script scams

Page 28: Manual script scams

- User is lured with a message as bait to a prepared site.
- User is asked to copy a JavaScript to the browser address bar and to click the 'Enter' key.

Page 29: Script behavior

- Updates your FB status with these spam messages and also posts on your friends' walls
- Sends chat messages to friends
- Adds "Likes" to different Facebook pages
- Tags you in images
- Creates an event and sends an invitation to all your friends
- Facebook provides a personalized email id, using which you can update your FB status. This script tries to gain access to this personalized email id, so the hacker can update your FB status anytime.

http://www.facebook.com/mobile/?v=photos

Page 30: Sample scripts

Page 31: Manual script scam – Wall posts

Page 32: Osama scam

Page 33: Profile Views

Page 34: Clickjacking

Page 35: What is clickjacking?

- The practice of deceptively directing a website visitor's clicks to an undesired element of another site
- Attacker overlays multiple transparent or opaque layers to trick a user into clicking on a button or link on another page
- Clicks meant for the original page are hijacked and routed to another page
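Added example, not code from the talk: the server-side mitigation for the overlay trick described on this slide is to tell browsers which origins may frame a page, and this small Python audit classifies a response's framing policy from its headers. Like-jacking works precisely because the Like button is meant to be embedded, so a site owner would run this over its own state-changing pages, not over the widget. The header names are the standard X-Frame-Options and Content-Security-Policy frame-ancestors; the sample responses and paths are constructed.

```python
from typing import Dict


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response's anti-framing protection from its headers.

    Returns 'denied', 'same-origin', 'allow-listed' or 'unprotected'.
    CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = [s.lower() for s in value.split()]
            if sources == ["'none'"]:
                return "denied"
            if sources == ["'self'"]:
                return "same-origin"
            return "allow-listed"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-listed"  # obsolete form, ignored by current browsers
    return "unprotected"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each path to its framing policy. An 'unprotected' page that carries
    a state-changing button is a clickjacking candidate for the site owner."""
    return {path: framing_policy(hdrs) for path, hdrs in responses.items()}


# Constructed sample responses for three pages of a hypothetical site.
SAMPLE_RESPONSES = {
    "/settings": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/like-button": {"Content-Type": "text/html"},  # embedding intended: no protection
    "/account": {"X-Frame-Options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for path, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {policy}")
```

The check deliberately reports the presence of protection rather than trying to emulate every browser's precedence rules; for a page that must be embeddable by partners, the `allow-listed` result is the one to review by hand.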

Page 36: Facebook like-jacking

Page 37: Facebook like-jacking

Page 38: Facebook like-jacking

Page 39: Cross-Site Scripting (XSS) attacks

Page 40: Cross-site scripting on Facebook

- Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites.
- Facebook has been vulnerable to both persistent and non-persistent XSS attacks

Page 41: Non-persistent XSS – Facebook worm (March 2011)

- Vulnerability existed in the mobile API version of Facebook due to insufficient JavaScript filtering

hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt=<script>alert(document.cookie);</script>

Page 42: Non-persistent XSS – Facebook worm

The shortened tinyurl.com link redirects to the following URL (de-obfuscated):

hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D http://tinyurl.com/sampahh';document.forms[0].submit();}</script>

This URL automatically adds a wall post with the message 'jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D hxxp://tinyurl.com/sampahh'.
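Added example, not code from the talk or from Facebook: a Python model of the reflection defect behind the worm on slides 41 and 42, placed beside its fix. A hypothetical page template reflects the `user_message_prompt` parameter into the page body; `render_vulnerable` reproduces the "insufficient filtering" behaviour, and `render_hardened` applies HTML entity encoding for that output context, which is the standard fix for reflected XSS. The only thing taken from the slides is the proof-of-concept URL from page 41 (scheme defanged as there); the template, function names and query parser are constructed.

```python
import html
from typing import Dict
from urllib.parse import unquote

# Hypothetical template standing in for the mobile prompt_feed page; the real
# markup is not shown on the slides. {prompt} is where the parameter lands.
TEMPLATE = ('<form method="post"><p class="prompt">{prompt}</p>'
            '<textarea name="message"></textarea><input type="submit"></form>')


def query_params(url: str) -> Dict[str, str]:
    """Minimal query-string parser: split on '&' only, so the ';' inside the
    alert(document.cookie); payload stays part of the value."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def render_vulnerable(url: str) -> str:
    """The defect from slide 41: the parameter is reflected as raw HTML, so a
    <script> element in the query string becomes a script element in the page."""
    prompt = query_params(url).get("user_message_prompt", "")
    return TEMPLATE.format(prompt=prompt)


def render_hardened(url: str) -> str:
    """Same page with output encoding for the HTML-body context: <, >, & and
    quotes become entities, so the browser shows the text instead of running it."""
    prompt = query_params(url).get("user_message_prompt", "")
    return TEMPLATE.format(prompt=html.escape(prompt, quote=True))


def contains_script_element(rendered: str) -> bool:
    """Quick review check on rendered output; a real test would parse the DOM."""
    return "<script" in rendered.lower()


# The proof-of-concept URL from slide 41 (scheme defanged as on the slide).
PAYLOAD_URL = ("hxxp://m.facebook.com/connect/prompt_feed.php?display=wap"
               "&user_message_prompt=<script>alert(document.cookie);</script>")

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_URL))
    print(render_hardened(PAYLOAD_URL))
```

Encoding has to match the context the value lands in: `html.escape` is right for element content and quoted attributes, but a value placed inside a `<script>` block or a URL would need JavaScript-string or percent encoding instead.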

Page 43: Twitter trends attacks

Page 44: Twitter trending topics poisoning

- Look for latest news and events – Twitter trending topics

http://api.twitter.com/1/trends/current.json

Page 45: Twitter trending topics poisoning

- Mask the malicious URLs
- URL-shortening services are commonly used on services like Twitter in order to conserve space
- Various shortening services such as tinyurl.com, bit.ly, tiny.cc have been used to mask URLs

Page 46: Twitter trending topics poisoning

- Compose a collection of messages to tweet
- Create messages with Twitter trending topics/hashtags planted randomly into the message
- Start tweeting!
- Tweets are sent from different fraudulent/compromised accounts
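Added example, not code from the talk: detection logic for the recipe on pages 44 to 46, written from the defender's side in Python. Each step of the recipe leaves a trace: hashtags from unrelated trends in one message, a shortened link from one of the services named on page 45, and the same link pushed by several accounts. The rule flags tweets that combine the first two, and `find_campaigns` groups the flagged tweets by the link they push to surface the multi-account pattern. The trending list, tweets, account names and the bit.ly path are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Shortening services named on the slides.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "tiny.cc", "t.co"}
HASHTAG_RE = re.compile(r"#(\w+)")
URL_RE = re.compile(r"https?://\S+")


def tweet_features(text: str, trending: Iterable[str]) -> dict:
    """Hashtags, trending-topic matches and shortened links found in one tweet."""
    trending_set = {t.lower().lstrip("#") for t in trending}
    tags = {t.lower() for t in HASHTAG_RE.findall(text)}
    urls = URL_RE.findall(text)
    short_urls = [u for u in urls if urlparse(u).netloc.lower() in SHORTENER_HOSTS]
    return {"hashtags": tags, "trending_hits": tags & trending_set,
            "urls": urls, "short_urls": short_urls}


def is_suspicious(text: str, trending: Iterable[str], min_trending: int = 2) -> bool:
    """Per-tweet rule: several trending hashtags plus a shortened link. Real users
    rarely tag unrelated trends in one message; the poisoning recipe always does."""
    f = tweet_features(text, trending)
    return len(f["trending_hits"]) >= min_trending and bool(f["short_urls"])


def find_campaigns(tweets: Iterable[Tuple[str, str]], trending: Iterable[str],
                   min_accounts: int = 2) -> Dict[str, List[str]]:
    """Group suspicious tweets by the short link they push. One link pushed by
    several accounts is the 'different fraudulent/compromised accounts' pattern."""
    by_url: Dict[str, Set[str]] = defaultdict(set)
    for account, text in tweets:
        if is_suspicious(text, trending):
            for url in tweet_features(text, trending)["short_urls"]:
                by_url[url].add(account)
    return {url: sorted(a) for url, a in by_url.items() if len(a) >= min_accounts}


# Constructed trending list and tweets; none of these are real accounts or links.
TRENDING = ["#Oscars", "#Superbowl", "#Earthquake", "#iPhone"]
TWEETS = [
    ("acct_a", "free video here #Oscars #Earthquake http://bit.ly/xyz123 lol #iPhone"),
    ("acct_b", "#Superbowl omg watch this #Oscars http://bit.ly/xyz123"),
    ("acct_c", "lol cool #Earthquake http://bit.ly/xyz123 #Superbowl"),
    ("acct_d", "Great game last night #Superbowl"),
    ("acct_e", "Reading about the #Earthquake, stay safe everyone https://example.org/news/quake"),
]

if __name__ == "__main__":
    for account, text in TWEETS:
        print(account, "suspicious" if is_suspicious(text, TRENDING) else "ok")
    print(find_campaigns(TWEETS, TRENDING))
```

The thresholds are starting points, not tuned values: a legitimate live-event tweet with two related trends and a shortener will trip the per-tweet rule, which is why the account grouping, not the single-tweet score, should drive any blocking decision.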

Page 47: Phishing

Page 48: Facebook and Twitter phishing scams

- Spoofed websites designed to fool recipients into divulging their credentials
- Again, these scams are usually accompanied with enticing messages
- Wall posts, messages or tweets could contain
  - direct links to the phishing site
  - obfuscated shortened links
  - links delivered via applications

Page 49: Facebook Phishing wall posts

Page 50: Facebook Phishing page

Page 51: Twitter phishing links

Link on the tweet      First redirection       Second redirection
http://t.co/QYQfGIa    http://kurz.es/8b3fcb   http://itwittiler.com/twitterlogin1
http://t.co/lAyDmRZ    http://i2h.de/b0tb      http://xxx-black-book.com/twitterlogin1/
http://t.co/9hk72A5    http://kurz.es/8b3fcb   http://itwittiler.com/twitterlogin1
http://t.co/PaFDmUJ    http://kurz.es/8b3fcb   http://itwittiler.com/twitterlogin1
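Added example, not code from the talk, that serves two slides at once: the redirect table above (page 51) and the Koobface "Detection evasion techniques" list on page 24. A link checker that follows a chain once, with no Referer and a crawler user-agent, sees exactly the clean page the evasion is designed to show it. The Python below therefore resolves each link twice, as a crawler and as a browser arriving from Twitter, reports the hop count and shortener count, flags divergent landing pages as cloaking, and groups links by where they finally land so that several t.co links converging on one `twitterlogin1` page show up as one campaign. Everything runs offline against a constructed hop table built from the four chains in the table; the referrer and user-agent gating on the intermediate shorteners is a simulation of the checks listed on page 24, not observed behaviour of these specific links, and `extract_links` handles the "random text before the URL" trick from the same slide.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Shorteners named on the slides plus the two that appear in the table above.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com", "tiny.cc", "kurz.es", "i2h.de"}
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header for 3xx responses


Rule = Callable[[str, str], Response]  # (referer, user_agent) -> Response


def _gate(phish_next: str, clean_next: str = "http://news.google.com/") -> Rule:
    """Constructed simulation of the referrer / user-agent checks on page 24:
    no Referer, or 'bot' in the UA, gets a clean page; browsers arriving from
    a social network get the real landing page."""
    def rule(referer: str, user_agent: str) -> Response:
        if not referer or "bot" in user_agent.lower():
            return Response(302, clean_next)
        return Response(302, phish_next)
    return rule


def _hop(next_url: str) -> Rule:
    return lambda referer, user_agent: Response(301, next_url)


# Offline stand-in for the live sites, built from the chains in the table above.
MOCK_SITE: Dict[str, Rule] = {
    "http://t.co/QYQfGIa": _hop("http://kurz.es/8b3fcb"),
    "http://t.co/lAyDmRZ": _hop("http://i2h.de/b0tb"),
    "http://t.co/9hk72A5": _hop("http://kurz.es/8b3fcb"),
    "http://t.co/PaFDmUJ": _hop("http://kurz.es/8b3fcb"),
    "http://kurz.es/8b3fcb": _gate("http://itwittiler.com/twitterlogin1"),
    "http://i2h.de/b0tb": _gate("http://xxx-black-book.com/twitterlogin1/"),
    "http://itwittiler.com/twitterlogin1": lambda r, u: Response(200),
    "http://xxx-black-book.com/twitterlogin1/": lambda r, u: Response(200),
    "http://news.google.com/": lambda r, u: Response(200),
}


def mock_fetch(url: str, referer: str = "", user_agent: str = "Mozilla/5.0") -> Response:
    rule = MOCK_SITE.get(url)
    return rule(referer, user_agent) if rule else Response(404)


Fetcher = Callable[[str, str, str], Response]


def extract_links(text: str) -> List[str]:
    """Pull URLs out of a post even when junk is glued to the front of them."""
    return URL_RE.findall(text)


def resolve_chain(url: str, fetch: Fetcher = mock_fetch, referer: str = "",
                  user_agent: str = "Mozilla/5.0", max_hops: int = 10) -> List[str]:
    """Follow 3xx redirects, stopping on a non-redirect, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        resp = fetch(chain[-1], referer, user_agent)
        if resp.status not in (301, 302, 303, 307, 308) or not resp.location:
            break
        if resp.location in chain:  # redirect loop
            break
        chain.append(resp.location)
    return chain


def analyse_link(url: str, fetch: Fetcher = mock_fetch) -> dict:
    """Resolve as a crawler and as a browser coming from Twitter, then compare:
    a different landing page means the chain is cloaking."""
    crawler = resolve_chain(url, fetch, referer="", user_agent="LinkCheckerBot/1.0")
    victim = resolve_chain(url, fetch, referer="http://twitter.com/", user_agent="Mozilla/5.0")
    landing = victim[-1]
    return {
        "chain": victim,
        "hops": len(victim) - 1,
        "shortener_hops": sum(1 for u in victim if urlparse(u).netloc.lower() in SHORTENER_HOSTS),
        "final_for_victim": landing,
        "final_for_crawler": crawler[-1],
        "cloaked": landing != crawler[-1],
        "login_lookalike": "login" in urlparse(landing).path.lower(),
    }


def group_by_landing(urls: List[str], fetch: Fetcher = mock_fetch) -> Dict[str, List[str]]:
    """Many distinct short links converging on one landing page is the signature
    of a single campaign, as in the table above."""
    groups: Dict[str, List[str]] = {}
    for u in urls:
        groups.setdefault(analyse_link(u, fetch)["final_for_victim"], []).append(u)
    return groups


if __name__ == "__main__":
    for link in extract_links("Cool Video zq7http://t.co/QYQfGIa"):
        print(analyse_link(link))
```

To use this against live links, replace `mock_fetch` with a function that issues a HEAD or GET with `allow_redirects` disabled and returns the status and Location header; the comparison logic stays the same. The `max_hops` cap matters in practice, since a chain that never terminates is itself a signal worth recording.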

Page 52: Twitter phishing page

Page 53: Questions?

[email protected]

Thank You!