'Just when we thought things couldn’t get any more volatile, along came social networking.' Jeff Aboud, In-Focus Marketing.
Copyright © 2009 Virus Bulletin
We all know that the Internet cuts both ways - particularly in today’s Web 2.0 world. Users enjoy continuous connectivity and the power to communicate in new and unique ways, whilst malware authors enjoy an endless supply of victims and the power to wreak havoc in new and unique ways. Just when we thought things couldn’t get any more volatile, along came social networking.
For years, security experts have warned users about the dangers of Internet-based threats and attempted to educate them on an array of techniques used by malware authors to trick them into opening their wares. Time and again we told users ‘don’t open attachments from anybody you do not know’, ‘don’t open suspicious attachments from anybody you do know’, ‘don’t click on embedded links’ and ‘be wary of downloading content from unfamiliar, untrusted websites’. But just as end-users were beginning to heed our warnings (albeit slowly and far from universally), along came social networking sites and reversed our teachings. Facebook, MySpace, YouTube and others taught users that embedded links were something to be followed; to download content from unknown websites was normal; and that strangers were really just friends we had not yet met - so it was OK to open their attachments, to get to know them!
Then, in December 2008, the inevitable occurred. Koobface surfaced and quickly became the most successful piece of malware to propagate via a social network. Though Koobface was a complex worm powered by a substantial bot network, its social engineering strategy was simple: infect one user and send messages from his social networking account to everybody in his network. The only difference was that the legitimate link to the social networking site would be replaced with a rogue link, redirecting to a spoofed site containing the malware’s executable. Social networks routinely send messages with embedded links, so it was natural that users would click on the link without question. Likewise, due to extraordinary levels of trust with these communications, users gladly downloaded what they were told was a required Flash update - seemingly without the slightest hesitation. Though the most prolific variant has been on Facebook, other variants have made their way through Twitter, YouTube and others.
Despite the relative success of Koobface, other malware authors have proven that its complexity was in many ways unnecessary. Due to the routine behaviours users exhibit on social networking sites, a simple comment with an embedded link posted to a popular thread can be enough to propagate malware to thousands of users. Similarly, a fraudulent account can be used to harvest email addresses and other sensitive user information, proliferate spam, or harbour malware. Though neither of these techniques possess the engine required for mass distribution as Koobface does, they also require more time to detect and eradicate than the more visible Koobface.
In each of these cases, as with traditional threats such as spam and phishing, social engineering has proven to be the most essential element to the propagation strategy. The reason is twofold: first, social networking sites rely on ‘interesting’ content. Blogs, photos, videos, even pages themselves, should be interesting. If they are, they will attract many users. Second, users exhibit an exceptional level of trust with social networking sites - meaning that a user will willingly follow links and download content from people he does not know, with the assumption that the unknown user must somehow be in his extended network. This combination adds unimaginable joy to the life of a malware author.
Malware authors will assuredly continue to develop new social engineering techniques to spread their wares via social networking sites, since end-users make themselves easy targets through their illogical behaviour. The question is, how do we reverse this behaviour? We were only marginally successful the first time around, but now there is a powerful force, with more mindshare than we will ever have, teaching users the diametric opposite. Perhaps our most promising recourse is to embrace this situation as a means to educate our business owners, once again, on the overwhelming need for endpoint security, in addition to their gateway and cloud-based solutions.