Scammers Use Social Networks for Increased Effectiveness

Published: 2007-05-16. Last Updated: 2007-05-16 20:55:43 UTC
by Lenny Zeltser (Version: 1)
In an insightful interview captured on the ha.ckers.org site, a phisher emphasizes the benefits of targeting users of social networking sites such as MySpace, Facebook, LinkedIn, and so on. He claims that his efforts yield him $3,000-$4,000 per day. (If you have any data supporting or refuting this figure, please let us know.)

The phisher's money-making activities involve the following actions:
  • Capturing logon credentials via a fake social networking site that resembles the one being spoofed.
  • Using captured contact information or compromised accounts to send advertising, profiting from Cost Per Action (CPA) deals.
  • Accessing the victim's email accounts using captured logon credentials. (Most people use the same credentials on multiple sites.)
  • Using compromised email accounts to gain access to commercial sites such as PayPal, E-gold, and eBay, and then selling access to these accounts.
Why focus on users of social networking sites? Because social networks provide a trusting context within which the victims will be more likely to take the phisher's bait. Ultimately, this means that the phisher's activities will yield higher profits.

One such campaign was made public in February, when MySpace sued Scott Richter for allegedly compromising MySpace accounts via phishing schemes and then using MySpace to send unsolicited messages to the victims' friends advertising Polo shirts, ringtones, and other products.

According to an Indiana University study, 72% of individuals who received phishing messages spoofed to come from their social network acquaintances were fooled. In contrast, only 15% of the recipients were fooled when the messages came from an unknown party. Clearly, scammers have a strong incentive to data-mine social networks when crafting phishing campaigns. As I mentioned in a diary a while back, social networking sites have a small neighborhood feel that makes the participants comfortable with revealing personal details that make attacks more effective.

The inclusion of personal details in phishing messages seems to be on the rise. For instance, MessageLabs observed an increase in the number of phishing messages that include personal details, such as names, addresses and zip codes. This data can be harvested from social networking sites with relative ease using website crawlers or website worms, such as those that have targeted MySpace and Orkut.

An attacker wishing to use a social network for a targeted attack can gain access to profile information with relative ease even without compromising accounts. In a study conducted by CSIS Security Group, a researcher set up a test account in LinkedIn, and specified in the profile that he worked at the large company he selected as the target for the case study. He was able to use the account to connect to other LinkedIn users from the same company, and even received unsolicited invitations from the employees to link to them. In less than 2 weeks, he was able to build a substantial network with email addresses, names, and other information about companies he could target for a subsequent attack.

According to a CA/NCSA study, 73% of adults who use social networking sites have given out personal information such as email address, name and birthday. Apparently, some even provided their social security number. Almost half of the respondents chose not to restrict access to their profile, even though they knew how to do that.

What can you do to mitigate the risks of social networks being used to aid in an attack against you or your organization? We're open to suggestions, but here are a few ideas that come to mind:
  • Limit the information you make available in profiles on social networking sites.
  • Restrict who can view your profile to the individuals you trust.
  • Only accept "let's connect" invitations from people you trust to see your profile information.
  • Educate users in your organization about the risks of using social networking sites promiscuously.
  • Create enforceable policies in your organization governing the use of social networking sites. (Sometimes a bit of guidance can go a long way.)

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com

People Will Click On Anything

Published: 2007-05-16. Last Updated: 2007-05-16 19:20:52 UTC
by Lenny Zeltser (Version: 1)
Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected. (Thanks for the pointer, Johannes!) Didier was curious to see how many people would actually click. More than you might think. It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.

The ad said:
  Drive-By Download
  Is your PC virus-free?
  Get it infected here!
Enticing potential victims via ads to visit a site that turns out to be malicious is a popular attack vector. Exploit Prevention Labs documented one such example a few weeks ago, where a Google ad that seemed to advertise the Better Business Bureau took the victim to a malicious site before forwarding him or her to the actual BBB website. The malicious site used "a modified MDAC exploit to try to install a backdoor" and a keylogger on the victim's system.

Another example comes from Google's research paper that describes a malicious ad found on a video sharing site in December 2006. The page included a banner ad from a "large American advertising company. The advertisement was delivered in form of a single line of JavaScript that generated JavaScript to be fetched from another large American advertising company. This JavaScript in turn generated more JavaScript pointing to a smaller American advertising company..." The ad "resulted in a single line of HTML containing an iframe pointing to a Russian advertising company. When trying to retrieve the iframe, the browser got redirected, via a Location header" that directed the browser to retrieve malicious JavaScript.

Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.

-- Lenny
