Social networking meets social engineering


Jeff Aboud

In-Focus Marketing, USA
Editor: Helen Martin


'Just when we thought things couldn’t get any more volatile, along came social networking.' Jeff Aboud, In-Focus Marketing.

We all know that the Internet cuts both ways - particularly in today’s Web 2.0 world. Users enjoy continuous connectivity and the power to communicate in new and unique ways, whilst malware authors enjoy an endless supply of victims and the power to wreak havoc in new and unique ways. Just when we thought things couldn’t get any more volatile, along came social networking.

For years, security experts have warned users about the dangers of Internet-based threats and attempted to educate them on the array of techniques malware authors use to trick them into opening their wares. Time and again we told users 'don't open attachments from anybody you do not know', 'don't open suspicious attachments from anybody you do know', 'don't click on embedded links' and 'be wary of downloading content from unfamiliar, untrusted websites'. But just as end-users were beginning to heed our warnings (albeit slowly and far from universally), along came social networking sites and reversed our teachings. Facebook, MySpace, YouTube and others taught users that embedded links were there to be followed, that downloading content from unknown websites was normal, and that strangers were really just friends we had not yet met - so it was fine to open their attachments in order to get to know them.

Then, in December 2008, the inevitable occurred. Koobface surfaced and quickly became the most successful piece of malware to propagate via a social network. Though Koobface was a complex worm powered by a substantial bot network, its social engineering strategy was simple: infect one user and send messages from his social networking account to everybody in his network. The messages mimicked the network's own notifications; the only difference was that the genuine link back to the site was replaced with a rogue link, redirecting to a spoofed page that hosted the malware's executable. Social networks routinely send messages with embedded links, so it was natural for users to click on the link without question. Likewise, because of the extraordinary level of trust placed in these communications, users gladly downloaded what they were told was a required Flash update - seemingly without the slightest hesitation. Though the most prolific variant has been on Facebook, other variants have made their way through Twitter, YouTube and others.
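The lure described above has two observable tells: a notification whose visible link claims to be the social network while its real destination is elsewhere, and a landing page that pushes an executable dressed up as a media-player update. The following is an added example of how a mail or web gateway could score such messages; it is not Koobface code and not code from the original article. All hosts and messages are constructed for illustration (the rogue domains use the reserved .invalid TLD), the set of trusted hosts is an assumption, and the registrable-domain helper is deliberately crude.

```python
"""Heuristic scoring of social-network notification lures (added example).

Checks performed on every link in a message:
  1. the anchor text shows a trusted social-network host but the href
     points to a different registrable domain;
  2. the href leads straight to an executable;
  3. an untrusted host is offering a "Flash"/player update.
Sample messages and domains below are constructed; nothing here is a real URL.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: hosts whose notifications users are trained to trust.
TRUSTED_HOSTS = {"facebook.com", "myspace.com", "youtube.com"}
# File types that should never be the "video" a notification link leads to.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")
# A domain-looking token in visible link text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Crude eTLD+1: the last two labels. Adequate for the sample hosts here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def link_findings(href, text):
    """Return the list of reasons a single link is suspicious (empty if none)."""
    reasons = []
    target = urlparse(href)
    target_host = registrable(target.hostname or "")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown:
        shown_host = registrable(shown.group(1))
        if shown_host in TRUSTED_HOSTS and shown_host != target_host:
            reasons.append("text_host_mismatch:%s->%s" % (shown_host, target_host))
    if target.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable_download:" + target.path.rsplit("/", 1)[-1])
    if "flash" in (target.path + "?" + target.query).lower() and target_host not in TRUSTED_HOSTS:
        reasons.append("player_update_bait:" + target_host)
    return reasons


def scan_message(html):
    """Return [(href, [reasons]), ...] for every suspicious link in a message."""
    findings = []
    for href, text in extract_links(html):
        reasons = link_findings(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample messages (not real notifications or real malware URLs).
LEGIT_MESSAGE = ('<p>John commented on your photo: <a href="http://www.facebook.com/photo.php?id=1">'
                 'http://www.facebook.com/photo.php?id=1</a></p>')
LURE_MESSAGE = ('<p>John sent you a video: <a href="http://video-notify.example.invalid/watch?v=1">'
                'http://www.facebook.com/video/</a></p>')
UPDATE_PAGE = ('<p>Your Flash Player is out of date. '
               '<a href="http://cdn.example.invalid/flash_player_update.exe">Install update</a></p>')

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT_MESSAGE), ("lure", LURE_MESSAGE), ("update", UPDATE_PAGE)):
        print(name, scan_message(msg))
```

The first check is the one that catches the message-level trick on its own: the visible text says the network's name while the destination does not. The other two fire on the landing page and are deliberately independent of the first, since a comment or wall post (as discussed below) can carry the rogue link without any spoofed anchor text at all.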

Despite the relative success of Koobface, other malware authors have proven that its complexity was in many ways unnecessary. Given the routine behaviours users exhibit on social networking sites, a simple comment with an embedded link posted to a popular thread can be enough to propagate malware to thousands of users. Similarly, a fraudulent account can be used to harvest email addresses and other sensitive user information, to proliferate spam, or to harbour malware. Though neither of these techniques possesses the engine for mass distribution that Koobface has, they can also take longer to detect and eradicate than the far more visible Koobface.

In each of these cases, as with traditional threats such as spam and phishing, social engineering has proven to be the most essential element of the propagation strategy. The reason is twofold. First, social networking sites rely on 'interesting' content: blogs, photos, videos, even the pages themselves, should be interesting, and if they are they will attract many users. Second, users place an exceptional level of trust in social networking sites, meaning that a user will willingly follow links and download content from people he does not know, on the assumption that the unknown user must somehow be part of his extended network. This combination adds unimaginable joy to the life of a malware author.

Malware authors will assuredly continue to develop new social engineering techniques to spread their wares via social networking sites, since end-users make themselves easy targets through their illogical behaviour. The question is, how do we reverse this behaviour? We were only marginally successful the first time around, but now there is a powerful force, with more mindshare than we will ever have, teaching users the diametric opposite. Perhaps our most promising recourse is to embrace this situation as a means to educate our business owners, once again, on the overwhelming need for endpoint security, in addition to their gateway and cloud-based solutions.
