Today’s hidden dangers:
Social networks under attack
Ștefan Tănase
Senior Regional Researcher
Kaspersky Lab EEMEA
Webstock 2009 – Bucharest, Romania - 18 September 2009
Overview
• Do you believe in superstitions? I don’t.
• 911 - emergency phone number
• Today: 18 September 2009, 18.09.2009, 18.09.09, 18.9.9, and 1 + 8 = 9
• Today’s presentation: 11 security incidents that changed the social networking world in 2009. 11 and 09.
• Social networks: 911
18 September 2009 Webstock 2009
LinkedIn – just a starter
• January 2009 - Bogus LinkedIn profiles serving malware
• Massive malware campaign starts targeting LinkedIn
• Why LinkedIn? Because it worked!
• Blackhat SEO
• By googling for “Jessica Alba naked” or “Keri Russell nude” the user would find the malicious profiles indexed
• Top 5 in SERPs
Twitter spam gets automated
• February 2009 – First commercial Twitter spamming tool
• Tweettornado.com - “fully automated advertising software for Twitter”
• Was empowering phishers, spammers, malware authors and everyone with the ability to generate unlimited Twitter accounts
• Features: add unlimited number of followers, automatically update all accounts through proxy servers with identical messages
Comeback of the XSS worm
• April 2009 – Twitter gets hit by XSS worm
• Multiple variants of the worm were identified
• Thousands of spam messages containing the word “Mikeyy” filled the timeline
• Proof of concept – no malicious intent
• Author got a job at a web security company
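The slide names the worm but not the mechanism, which is worth spelling out. A stored XSS worm plants script in a profile field that the site renders into other users' pages without output encoding; every visitor's browser runs it, and the script uses the visitor's own logged-in session to copy itself into their profile and post the spam. The following is an added example, not code from the slides or from Twitter: a deliberately vulnerable profile renderer next to its hardened form. The profile fields, the sample profile and the payload marker are assumptions for illustration, and the script body is a harmless placeholder, not worm code.

```javascript
// Added example (not from the original slides): why an unescaped profile
// field becomes a stored-XSS worm vector, and the output-encoding fix.
// Field names, the sample profile and the payload are assumptions.

// Minimal HTML entity encoder, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: interpolates attacker-controlled profile data straight
// into markup, so the browser parses whatever tags the profile contains.
function renderProfileVulnerable(profile) {
  return '<div class="profile">' +
    `<h2>${profile.name}</h2>` +
    `<a href="${profile.website}">${profile.website}</a>` +
    '</div>';
}

// Only http(s) link targets are allowed; anything else (javascript:, data:,
// unparsable junk) collapses to a harmless '#'.
function safeHref(url) {
  try {
    const u = new URL(url);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (e) {
    return '#';
  }
}

// Hardened renderer: every untrusted value is entity-encoded for its context
// and the href is validated before it is placed in the attribute.
function renderProfileSafe(profile) {
  const site = safeHref(profile.website);
  return '<div class="profile">' +
    `<h2>${escapeHtml(profile.name)}</h2>` +
    `<a href="${escapeHtml(site)}">${escapeHtml(profile.website)}</a>` +
    '</div>';
}

// Crude check used here only to make the difference observable without a
// browser: does the rendered markup contain active content the template
// itself never emitted?
const ACTIVE_MARKUP = /<script\b|<\/script|\bon\w+\s*=|javascript:/i;
function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Constructed sample: a profile whose "website" field breaks out of the href
// attribute and injects a script tag. A real worm would put its own body
// there; this one only changes the page title so the effect is visible.
const wormProfile = {
  name: 'Mikeyy',
  website: 'http://example.invalid/"><script>document.title="infected"</script>',
};

function demo() {
  const vulnerable = renderProfileVulnerable(wormProfile);
  const safe = renderProfileSafe(wormProfile);
  return {
    vulnerableIsExploitable: containsActiveMarkup(vulnerable),
    safeIsExploitable: containsActiveMarkup(safe),
    safe,
  };
}

console.log(demo());
```

Run it with node: the vulnerable renderer emits the script tag verbatim, the hardened one entity-encodes it and rejects non-http(s) link targets. The fix is encoding on output rather than filtering on input, because a worm author can always find a variant (the slide notes several) that slips past an input blacklist.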
Social engineering at its best
• April 2009 – Twitter admin panel gets hacked
• Public information a Twitter admin had posted to social networks
• Used by a French hacker in a social engineering attack
• To answer the Yahoo! Mail security question and reset the password
• “Wow - my Yahoo mail account was just hacked.”
• “If anyone with Yahoo! Security is out there, hit me up with a reply”
What are you doing? Harvesting.
• May 2009 – Harvesting email addresses in real time
• Why search for emails when you can get fresh ones in real time?
• http://search.twitter.com/ is the answer!
• Simple, but effective search queries:
• “email me at” + “yahoo.com”
• “contact me at” + “gmail.com”
• Personalized attacks start happening
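The two search queries on the slide are the whole attack. The following added example (not from the slides) shows how little code sits behind the "personalized attacks" the slide predicts, run over constructed sample tweets rather than live search results. It goes one step beyond the slide's queries by also recovering addresses written as "name [at] host [dot] tld", the obfuscation users typically reach for, to show that it buys nothing.

```javascript
// Added example (not from the original slides): a harvester of the kind the
// slide warns about, run over constructed sample tweets (not real posts).

const SAMPLE_TWEETS = [
  'New project! email me at alice@yahoo.com if you want to join',
  'contact me at bob.builder@gmail.com for the slides',
  'reach me: carol [at] example [dot] org',
  'dave (at) example (dot) net is my work address',
  'just watching the game, no email here',
  'my addr is erin AT example DOT com, spam away',
];

// 1. Plain addresses: local@domain.tld
const PLAIN_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// 2. Obfuscated forms: "name [at] host [dot] tld", "(at)/(dot)", or bare
//    " at " / " dot " in any case. Single-label hosts only; a subdomain such
//    as mail.example.org would need a loop over repeated "dot" groups.
const OBFUSCATED_RE =
  /\b([A-Za-z0-9._%+-]+)\s*(?:\[at\]|\(at\)|\bat\b)\s*([A-Za-z0-9-]+)\s*(?:\[dot\]|\(dot\)|\bdot\b)\s*([A-Za-z]{2,})\b/gi;

// Every address recoverable from one piece of text, normalised to lower case.
function extractEmails(text) {
  const found = new Set();
  for (const m of text.match(PLAIN_RE) || []) found.add(m.toLowerCase());
  for (const m of text.matchAll(OBFUSCATED_RE)) {
    found.add(`${m[1]}@${m[2]}.${m[3]}`.toLowerCase());
  }
  return [...found];
}

// Harvest across a feed and group by provider domain, which is exactly the
// shape a spammer targeting "yahoo.com" or "gmail.com" users wants.
function harvest(tweets) {
  const byDomain = {};
  for (const t of tweets) {
    for (const email of extractEmails(t)) {
      const domain = email.split('@')[1];
      (byDomain[domain] = byDomain[domain] || []).push(email);
    }
  }
  return byDomain;
}

console.log(harvest(SAMPLE_TWEETS));
```

Pointed at a live search feed the same few lines yield a stream of fresh, self-declared, provider-sorted addresses, each tied to a public profile that supplies the name and context for a personalised lure. The only defence on the user's side is not to post the address at all.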
Trendy malware
• June 2009 – Trending topics start being exploited
Short URLs, big problems
• June 2009 – URL shortening service Cli.gs gets hacked
• The best thing about short URLs: there are so many!
• Problems with short URLs: social engineering is easy; questionable reliability; implicit trust
• Cli.gs gets hacked, no malicious intent – but what if?
• Too many redirects hosted in the same place is not good news
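The practitioner's answer to "implicit trust" is to expand a short URL before following it. The following added example (not from the slides or from any shortener's code) walks a redirect chain with a hop limit and loop detection, then flags what the slide warns about: several hops through the same shortener and a final target that is an executable. The redirect table stands in for the Location headers a real HEAD request would return; its hosts and paths are constructed placeholders.

```javascript
// Added example (not from the original slides): expanding a short URL without
// fetching the destination. REDIRECTS is a constructed stand-in for the
// Location headers a real request would return; all hosts are placeholders.

const REDIRECTS = {
  'http://short.example/a1': 'http://short.example/b2',          // shortener chained to itself
  'http://short.example/b2': 'http://cdn.example.net/codec-update.exe',
  'http://short.example/c3': 'http://blog.example.org/post/42',
  'http://short.example/loop1': 'http://short.example/loop2',
  'http://short.example/loop2': 'http://short.example/loop1',
};

// Resolver contract: return the next Location for a URL, or null if the URL
// is the final resource. Swap this for a HEAD request with redirects disabled.
function lookup(url) {
  return Object.prototype.hasOwnProperty.call(REDIRECTS, url) ? REDIRECTS[url] : null;
}

// Follow redirects one hop at a time. Stops on a loop or when maxHops is
// exhausted, so a hostile chain cannot keep a client bouncing.
function expandShortUrl(startUrl, { maxHops = 5, resolver = lookup } = {}) {
  const chain = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const next = resolver(current);
    if (next === null) return { chain, final: current, status: 'resolved' };
    chain.push(next);
    if (seen.has(next)) return { chain, final: null, status: 'loop' };
    seen.add(next);
    current = next;
  }
  return { chain, final: null, status: 'too-many-hops' };
}

// File extensions that should never be reached by "click this link".
const EXECUTABLE_RE = /\.(exe|scr|dmg|pkg|msi|bat|com|pif)$/i;

// What a user or a mail/web gateway would want to know before clicking.
function assessShortUrl(startUrl) {
  const r = expandShortUrl(startUrl);
  const warnings = [];
  if (r.status !== 'resolved') warnings.push(r.status);
  const hosts = r.chain.map((u) => new URL(u).hostname);
  const shortenerHops = hosts.filter((h) => h === hosts[0]).length;
  if (shortenerHops > 1) warnings.push('multiple hops through the same shortener');
  if (r.final && EXECUTABLE_RE.test(new URL(r.final).pathname)) {
    warnings.push('final target is an executable download');
  }
  return { ...r, hosts, warnings };
}

for (const u of ['http://short.example/a1', 'http://short.example/c3', 'http://short.example/loop1']) {
  console.log(assessShortUrl(u));
}
```

To run it against the network, replace `lookup` with a function that issues a HEAD request with automatic redirects turned off and returns the Location header, and keep the hop limit. The "same place" concern on the slide is also visible here: when every hop in the chain is the one shortener, compromising that shortener rewrites every destination at once.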
Follow me! Me me me!
• June 2009 – Guy Kawasaki's Twitter account hijacked
• Of course, it was used to push malware.
• Both Windows and Mac malware.
• 140,000 Twitter users were potential victims.
• The hook? “sex tape video free download”
The web 2.0 worm
• June 2009 – Explosive growth of Koobface modifications
• The number of variants detected jumped from 324 at the end of May to almost 1000 by the end of June 2009
• This surge in cybercriminal activity involving social networks over the past months shows that the infection strategies used by the bad guys are much more efficient when social context is added to the attacks
Koobface on the tweet
• June 2009 – Koobface spreading through Twitter also
• First discovered by Kaspersky Lab a year earlier, Koobface was only targeting Facebook and MySpace users
• Being constantly “improved”, now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
One bird and two stones
• August 2009 – Twitter knocked offline by DDoS attack
• The morning of August 6th - Twitter gets hit for an extended period of time
• Rumors spread that it was facing a massive distributed denial-of-service attack
• Twitter confirmed the outage in a brief status message
• Service was restored gradually, first in the US, then the rest of the world
• Problems with the API lasted several days
That’s it?
What’s next?
• It is just the beginning
• Attack techniques exploiting social networks will continue to grow
• Social networks will open up new ways for targeted attacks against individuals
• It will be very hard for social networks to do better: their business means usability, not security
• Be careful out there!
Thank you!
Ștefan Tănase, Senior Regional Researcher, Kaspersky Lab EEMEA
stefant@kaspersky.ro
twitter.com/stefant

Editor's Notes

  1. Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a “fully automated advertising software for Twitter” hit the market, potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service. TweetTornado allows users to create unlimited Twitter accounts and add an unlimited number of followers, which, combined with its ability to automatically update all of the bogus accounts through proxy servers with an identical message, makes it the perfect Twitter spam tool. TweetTornado’s core functionality relies on a simple flaw in Twitter’s new user registration process. Tackling it will not render the tool’s functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn’t require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter. So starting from the basics of requiring validation by clicking on a link, which will only be possible if a valid email is provided, could really make an impact in this case, since in its current form the Twitter registration process can be so massively abused that I’m surprised it hasn’t happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate, email could be banned from further registrations, potentially emptying the inventory of bogus emails, and most importantly making it more time consuming for spammers to abuse Twitter in general. If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I “wonder” why the Twitter account used in the proof (twitter.com/AarensAbritta), originally blurred by the author, is currently suspended, the way the rest of the automatically registered ones are?
Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicate that a spammer’s tweeting.
  2. A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered a valuable asset in the arsenal of the blackhat-SEO-knowledgeable cybercriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results. This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywords and using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live Spaces. Approximately 70 to 80 bogus LinkedIn profiles appear to have been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack). Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served, currently detected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any, if we’re to exclude the most abused infection vector for 2008.
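The registration weakness and the proposed fix in item 1 above (no address check at sign-up, a verification link that only the mailbox owner can click, and a ban list of addresses tied to suspended spammers), together with the follower-velocity signal behind the "two updates and 427 followers in two hours" observation, as an added Python example. This is neither Twitter's code nor TweetTornado's: the HMAC token format, the 24-hour link expiry, the two-hour "new account" window and the follower-to-update ratio are assumptions chosen for illustration, and the throwaway account registered with nonexistent@email.com is constructed test input.

```python
"""Email-verified sign-up with a banned-address inventory and a crude
follower-velocity heuristic. Added example, not Twitter's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL = 24 * 3600          # assumption: verification links expire after a day
NEW_ACCOUNT_WINDOW = 2 * 3600  # assumption: "new" means younger than two hours


@dataclass
class Account:
    username: str
    email: str
    created: float
    verified: bool = False
    suspended: bool = False
    followers: int = 0
    updates: int = 0


class Registry:
    """Accounts exist from sign-up, but cannot post or follow until the
    verification token (delivered only to the real mailbox) is presented."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.accounts: dict[str, Account] = {}
        self.banned_emails: set[str] = set()   # addresses of suspended spammers

    def register(self, username: str, email: str, now: float) -> str:
        email = email.strip().lower()
        if "|" in username or "|" in email:
            raise ValueError("illegal character in username or email")
        if email in self.banned_emails:
            raise PermissionError("email address tied to a suspended spammer")
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError("email address already registered")
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = Account(username, email, created=now)
        # The token goes out by email; a fake address never receives it.
        return self._make_token(username, email, now)

    def _make_token(self, username: str, email: str, issued: float) -> str:
        # Stateless, signed token: nothing to store server-side per pending sign-up.
        body = f"{username}|{email}|{int(issued)}|{secrets.token_hex(8)}"
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def verify(self, token: str, now: float) -> bool:
        parts = token.split("|")
        if len(parts) != 5:
            return False
        body, sig = "|".join(parts[:4]), parts[4]
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False
        username, email = parts[0], parts[1]
        try:
            issued = int(parts[2])
        except ValueError:
            return False
        acct = self.accounts.get(username)
        if acct is None or acct.email != email or now - issued > TOKEN_TTL:
            return False
        acct.verified = True
        return True

    def may_post(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.verified and not acct.suspended

    def suspend(self, username: str) -> None:
        """Suspend a detected spammer and burn the (now proven real) address."""
        acct = self.accounts[username]
        acct.suspended = True
        self.banned_emails.add(acct.email)


def looks_like_spammer(acct: Account, now: float) -> bool:
    """Young account whose follower count far outruns what it has said.
    Thresholds are assumptions; treat a hit as a review signal, not a verdict."""
    if now - acct.created > NEW_ACCOUNT_WINDOW:
        return False
    return acct.followers >= 100 and acct.followers > 50 * max(acct.updates, 1)
```

Two design points worth noting. Verification makes the address a real asset the operator had to obtain, so suspending the account and banning that address removes it from the spammer's inventory instead of letting them re-register for free; it raises cost rather than blocking them outright, which is the "more time consuming" effect the text argues for. The velocity heuristic encodes the same signal the author read off the suspended account by eye, and should feed a review queue, since legitimate accounts that arrive with an existing audience can trip it.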