Social networking meets social engineering

2009-10-01

Jeff Aboud

In-Focus Marketing, USA
Editor: Helen Martin

Abstract

'Just when we thought things couldn’t get any more volatile, along came social networking.' Jeff Aboud, In-Focus Marketing.


We all know that the Internet cuts both ways - particularly in today’s Web 2.0 world. Users enjoy continuous connectivity and the power to communicate in new and unique ways, whilst malware authors enjoy an endless supply of victims and the power to wreak havoc in new and unique ways. Just when we thought things couldn’t get any more volatile, along came social networking.

For years, security experts have warned users about the dangers of Internet-based threats and attempted to educate them on an array of techniques used by malware authors to trick them into opening their wares. Time and again we told users ‘don’t open attachments from anybody you do not know’, ‘don’t open suspicious attachments from anybody you do know’, ‘don’t click on embedded links’ and ‘be wary of downloading content from unfamiliar, untrusted websites’. But just as end-users were beginning to heed our warnings (albeit slowly and far from universally), along came social networking sites and reversed our teachings. Facebook, MySpace, YouTube and others taught users that embedded links were something to be followed; to download content from unknown websites was normal; and that strangers were really just friends we had not yet met - so it was OK to open their attachments, to get to know them!

Then, in December 2008, the inevitable occurred. Koobface surfaced and quickly became the most successful piece of malware to propagate via a social network. Though Koobface was a complex worm powered by a substantial bot network, its social engineering strategy was simple: infect one user and send messages from his social networking account to everybody in his network. The only difference was that the legitimate link to the social networking site would be replaced with a rogue link, redirecting to a spoofed site containing the malware’s executable. Social networks routinely send messages with embedded links, so it was natural that users would click on the link without question. Likewise, due to extraordinary levels of trust with these communications, users gladly downloaded what they were told was a required Flash update - seemingly without the slightest hesitation. Though the most prolific variant has been on Facebook, other variants have made their way through Twitter, YouTube and others.
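The propagation pattern just described (a message that appears to come from the social network, but whose embedded link leaves the network's own domain and ends at an executable dressed up as a player update) is exactly the kind of thing a gateway or mail filter can score heuristically. The following is an added example written for this page, not code from the article or from any product; the allow-listed domains, the sample messages, the `example.net` lookalike host and the lure patterns are all constructed for illustration.

```python
"""
Added example (not part of the original article): a heuristic that scores
social-network notification text for the Koobface-style pattern described
above. Constructed data only; domains and messages are illustrative.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: domains a genuine notification from each network
# would link to. A real deployment would maintain and extend this list.
LEGIT_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "myspace": {"myspace.com"},
    "youtube": {"youtube.com", "youtu.be"},
    "twitter": {"twitter.com", "t.co"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Lure text that mimics a required media player / codec update.
UPDATE_LURE_RE = re.compile(
    r"(flash|player|codec)[^.\n]{0,40}(update|install)", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(claimed_network, text):
    """Return a list of human-readable findings; empty means nothing odd."""
    findings = []
    allowed = LEGIT_DOMAINS.get(claimed_network.lower(), set())
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")          # drop trailing punctuation
        host = host_of(url)
        path = urlparse(url).path.lower()
        if allowed and not belongs_to(host, allowed):
            findings.append(f"link leaves {claimed_network} domain: {host}")
        if path.endswith(EXECUTABLE_EXT):
            findings.append(
                f"link points at executable: {path.rsplit('/', 1)[-1]}")
    if UPDATE_LURE_RE.search(text):
        findings.append("text uses player-update lure")
    return findings


def is_suspicious(claimed_network, text):
    return bool(analyse_message(claimed_network, text))


# Constructed samples: one genuine-looking notification, one Koobface-style lure.
LEGIT_SAMPLE = (
    "Bob sent you a message. Read it at "
    "http://www.facebook.com/messages/inbox"
)
LURE_SAMPLE = (
    "Is this you in this video?? http://facebook.example.net/video.php "
    "You need to install the Flash update first: "
    "http://facebook.example.net/flash_player_update.exe"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_SAMPLE), ("lure", LURE_SAMPLE)):
        print(label, analyse_message("facebook", sample))
```

The domain check is the part that matters most: a lookalike such as `facebook.example.net` shares a label with the real site but is not a subdomain of it, so the suffix test rejects it. The executable and lure checks are secondary signals; on their own they would generate noise, but combined with an off-domain link they reproduce the three traits the article attributes to Koobface messages.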

Despite the relative success of Koobface, other malware authors have proven that its complexity was in many ways unnecessary. Due to the routine behaviours users exhibit on social networking sites, a simple comment with an embedded link posted to a popular thread can be enough to propagate malware to thousands of users. Similarly, a fraudulent account can be used to harvest email addresses and other sensitive user information, proliferate spam, or harbour malware. Though neither of these techniques possesses the engine Koobface has for mass distribution, they are also less visible than Koobface and so take longer to detect and eradicate.

In each of these cases, as with traditional threats such as spam and phishing, social engineering has proven to be the most essential element to the propagation strategy. The reason is twofold: first, social networking sites rely on ‘interesting’ content. Blogs, photos, videos, even pages themselves, should be interesting. If they are, they will attract many users. Second, users exhibit an exceptional level of trust with social networking sites - meaning that a user will willingly follow links and download content from people he does not know, with the assumption that the unknown user must somehow be in his extended network. This combination adds unimaginable joy to the life of a malware author.

Malware authors will assuredly continue to develop new social engineering techniques to spread their wares via social networking sites, since end-users make themselves easy targets through their illogical behaviour. The question is, how do we reverse this behaviour? We were only marginally successful the first time around, but now there is a powerful force, with more mindshare than we will ever have, teaching users the diametric opposite. Perhaps our most promising recourse is to embrace this situation as a means to educate our business owners, once again, on the overwhelming need for endpoint security, in addition to their gateway and cloud-based solutions.

