
Social Media Cybercrime Case Study: Facebook and Koobface

And similar social media scams, malware and viruses


Ali Almossawi, Ioannis Kyratzoglou

ESD.341 Dec 6, 2011

Agenda

- Why social networks are an attacker's dream
- Why social media can't be ignored
- Focusing on Facebook
- Taking a look at Koobface
- In the end, what are we to do?

Why social networks are an attacker's dream

An attractive distribution channel due to size and diversity
- Facebook: 800 million users
- LinkedIn: 120 million users
- Twitter: 180 million accounts

Contain a wealth of potentially private or libelous information
- People post pictures, their location, likes/dislikes, etc.
- Company employees may post about corporate records, their professional opinions on things, their views on products, patient information, medical addictions, etc.

Social media threat patterns


- Conduct cyber stalking to harass a victim
- Perform industrial espionage to gain knowledge
- Collect private data to analyze market trends, using that to gain competitive advantage
- Perform cybercrime, primarily as a means of achieving financial gain, e.g. pay-per-click (PPC) or pay-per-install (PPI)
- Conduct cyber terrorism
- We will talk about social media malware sources later on

Why social media can't be ignored

- It has become an inseparable part of the Web as we currently know it (Web 2.0, if you will)
- Users receive real-time information from friends and family, get viewpoints and articles, share group information, etc.
- Corporations build brand name and customer following, share product info, etc.

Let's take a look at Facebook

- 800 million+ active users
- More than 50% of active users log on in any given day
- Average user has 130 friends
- Average user is connected to 80 community pages, groups and events
- Every month, more than 500 million people use an app on Facebook or experience Facebook Platform on other websites

www.facebook.com/press/info.php?statistics

Social media attacks

Lightweight attacks
- Click-jacking
- Various other social engineering strategies

Sophisticated attacks
- Koobface

Click-jacking

- When an app updates your status or posts a link on your wall on your behalf
- It can post not only on your wall, but also in groups that you administer
- How does it work?

Click-jacking: one use-case

From BitDefender's Social Media Scams infographic

Click-jacking: the baits

34.7% of app baits are "profile traffic insights"
- See who viewed your profile
- See who deleted you

The "See who viewed your profile" bait:
- Spread through 286 unique URLs per wave, which led to 14 unique Facebook apps
- It gathered around 1.5 million clicks!
- Distribution spike per URL was 34 hours

16.2% are social game bonuses (e.g. FarmVille, Mafia Wars)

14.7% are shocking images
- "This girl killed herself after"
- "You will never text again after seeing this!!"

12.5% are non-existent Facebook features
- Who poked me the most
- Your first ever Facebook status
- A dislike button

8.4% are versions of famous games (Super Mario World, World of Warcraft, etc.)

Data from BitDefender: http://www.bitdefender.com/files/Main/img/BitDefender-InfoGraphic_Facebook.jpg

Click-jacking: some more data

Most frequently used words: WOW, Profile, OMG, girl, killed, viewed, stalker, video, busted, crying, stripping, farmville, etc.

Busiest scam-clicking countries*
1. USA
2. India
3. UK
4. Canada
5. Australia

* Then again, all five are among the top 20 countries by number of Facebook users

Other social engineering strategies used

Black Hat World

Other social engineering strategies used

- The Brazilian company Olla Condoms created fake profiles by basing them on actual male profile names, with "Jr." added
- They then sent friend requests from, say, John Jr. Smith to John Smith
- "After John Smith break[s] out in a cold sweat and click[s] through, they'll go limp in relief to discover they've been duped. Then, Olla assuredly hopes, they'll dash off to the pharmacy to stock up on baby-prevention supplies"

Sophos.com, Condom ad poses as Facebook friend request from your fetus, December 5, 2011

Other social engineering strategies used

The article that Abel sent us last week: How to friend anyone in 24 hours
1. You clone a profile of an actual person
2. Then friend their friends
3. Then potentially take over the target account using FB's "3 trusted friends" password recovery feature

arstechnica.com, Researcher shows how to "friend" anyone on Facebook within 24 hours, Dec 1, 2011

The case study: Koobface on Facebook


- Description
- Use-case
- Mechanism of the attack
- Focus of the attack
- Support infrastructure
- Monetization
- Challenges

Description

- Koobface is a worm that primarily targets Facebook, but also other social media sites. Its goal is to gather login information for the purpose of building a peer-to-peer botnet
- Originally appeared in May 2008
- There have been 136 versions of it to date
- The Infowar Monitor says that its operators live in St. Petersburg, Russia
- The Koobface botnet is made up of 400,000 to 800,000 PCs worldwide (Kaspersky Labs)
- Other popular malware: Boonana, Bugat

Sources: "The Risks of Social Media and What Can Be Done to Manage Them", Osterman Research; "Attacker That Sharpened Facebook's Defenses", NYTimes.com

Use-case
1. Friend posts update on FB
2. You click on the link in the update
3. You're redirected to a website run by Koobface
4. "Video can't load, download latest version of Flash"
5. You actually download/install the malware

- Koobface then gathers login information and sends it back to its servers
- It downloads a DNS filter that blocks access to well-known security websites
- Websites visited through Google may be replaced with fake websites (monetization strategy)
- It can post as users on Facebook, create accounts on Facebook, etc. (propagation strategy)
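A defender-side check for the behaviour above, the DNS filter that blocks well-known security websites, written as an added example; it is not from the original slides or from the Infowar Monitor report. It assumes the block shows up as entries in the local hosts file (a common way such filters are implemented); the vendor domain list and the sample hosts content are constructed for the demo.

```python
import ipaddress

# Security-vendor domains a Koobface-style "DNS filter" would block.
# Constructed list for illustration; extend with the vendors you rely on.
SECURITY_DOMAINS = {
    "sophos.com", "kaspersky.com", "symantec.com", "mcafee.com",
    "bitdefender.com", "microsoft.com", "virustotal.com",
}

# Constructed hosts-file content for the demo (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com
0.0.0.0         update.kaspersky.com   # silent sinkhole
192.0.2.10      www.bitdefender.com
192.0.2.10      downloads.microsoft.com
10.0.0.5        intranet.example.test
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_security_domain(host):
    """True if host is a monitored vendor domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def classify(ip):
    """Loopback/unspecified targets block the site; anything else redirects it."""
    addr = ipaddress.ip_address(ip)
    return "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"

def audit_hosts(text):
    """Return (hostname, ip, verdict) for every entry touching a vendor domain."""
    return [(host, ip, classify(ip))
            for ip, host in parse_hosts(text) if is_security_domain(host)]

if __name__ == "__main__":
    for host, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {host} -> {ip}")
```

A "redirected" verdict deserves more attention than a "sinkholed" one: the user is silently sent to a host the attacker picked, which is also how the fake search results on the next bullet can be served.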

Mechanism and focus of the attack

A set of social engineering tactics:
- Click-jacking
- Redirection
- Product scams

The focus of the attack, as previously alluded to, is primarily Facebook's 800 million+ users

Information flow and infrastructure

[Diagram: Koobface information flow and infrastructure. Components shown: Command and Control; Offis (test new releases); Install Tracker Server; Mothership (fraud services); Zombie Proxies; Landing Pages; Drop Zone; Monitor and Countermeasures; PPI/PPC Generation; Income Generation; Affiliates DB; Compromised Users; payment processors Paymer and Webmoney; end users.]

Monetization

- The Koobface mothership maintains daily records of the money earned from affiliate relationships
- The daily total for the last seven days is sent to four Russian mobile phone numbers daily
- From June 23, 2009 to June 10, 2010 Koobface earned a total income of $2,067,682.69
- The daily average income was $5,857.46

Monetization data from Koobface: Inside a Crimeware Network, Infowar Monitor

Monetization affiliates

Challenges

"For malware, botnet operators leverage geography to their advantage, often exploiting Internet users from all countries but their own. While the total amount of criminal activity that the botnet operators engage in may be significant, the distribution of that criminal activity across multiple jurisdictions means that the criminal activity in any one jurisdiction is minimal. Botnet operators leverage Internet infrastructure around the world, making it difficult to interfere with their operations."

From Koobface: Inside a Crimeware Network, Infowar Monitor

Conclusion

- These scams and malware play on people's natural tendency towards curiosity and take advantage of people's trust in their friends
- e.g. you might say: "John isn't usually into this kind of thing, let me see why he liked it"
- People who wouldn't otherwise be tricked by a scam online might fall for one if they see that one of their friends has "liked" it
- Of all Facebook users worldwide, around 65% are between 13 and 29
- Perhaps more vivid education is called for

So what do we do?

- Persistent monitoring by law enforcement and greater collaboration between agencies
- Better corporate policies to mitigate the risks of malware and viruses from social media
- As a user, be cynical. Subscribe to social media monitors like Sophos (they have a Facebook page)
- Facebook has a Chief Security Officer and a dedicated Security page: www.facebook.com/security