Bach Seat

Social networks’ role in the growth of the global virtual society has been well documented. What is not so well documented according to Help Net Security is the role social networks have in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter and Facebook (FB) have proven insufficient to prevent exploitation.

The article notes that “To Err is Human,” and human errors lead to exploitation and manipulation whether the social network is online or offline. Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content into the network. The network’s connectivity enables the spread of the exploitation. The blog explains that attackers exploit the weakest link in the chain.

The inability of users to determine the legitimacy of content flowing through the social network aids this exploitation process. Help Net Security says the biggest problem with the online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URL’s and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no way to authenticate the URL’s passed among the user objects in the social networks.

The infection process begins with the exploitation of human ignorance and followed by spreading of the malware through the trust upon which the network is based.

The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response so the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual’s ignorance common attack strategies have emerged.

One of the simplest infection techniques is to put malicious URLs on a user’s Facebook message wall. When a user clicks on an illegitimate hyperlink it can result in automatic download of malware through the browser. Some of exploits used are:

• Browser Exploit Packs (BEP) which fingerprint the browser version and other software on the user machine. Based on this information, a suitable malware is served to the user which uses exploits for that particular browser.
• Drive-by-Download attacks begin by visiting a malicious page. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes a shell code to run that in turn downloads the malware into the system.
• Malicious advertisements (malvertisements) happen when an attacker injects a malicious link in a users Facebook wall to spread malware. The fake post is linked to a third-party website which has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScripts which executes the malicious content in the browser.

Help Net Security states that online social networks are not harnessing the power of Safe Browsing API’s from Google (GOOG) or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.

Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook users trust in a social engineering campaign. The attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities according to the Help Net Security report.

MSFT says the Facebook Wall messages varied but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of “Video Embed ActiveX Object” to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.

The trojan bypasses firewalls, installs a FTP and a proxy server and a keylogger on the affected machine. Microsoft’s Mihai Calota says ” … has built-in remote desktop functionality based on the open source VNC project.” MSFT says the Facebook attack can be used to steal money, “We received a report .. that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”

rb-

The articles correctly state that security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity and ignorance of the social network customers to their own profit. User should demand safe and secure transmission of the information and user’s privacy. These should also be a focus of the social networking companies.

To protect themselves, users should:

• Have up to date AV software running on their computers
• Keep their browsers and operating systems fully patched
• Change the passwords on all their sensitive accounts regularly
• Warn friends and Facebook if an account seems to be hacked by using the Facebook “report/mark message as spam” option.

Related articles

• Facebook denies malware risk from message bug (go.theregister.com)
• iYogi Reviews the Top 5 Security Measures for Online Social Networking Users (prweb.com)