Social networks’ role in the growth of the global virtual society has been well documented. What is not so well documented according to Help Net Security is the role social media has in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter, and Facebook (FB) have proven insufficient to prevent exploitation.
The article notes that “To Err is Human,” and human errors lead to exploitation and manipulation whether the social network is online or offline. Social media hold a plethora of personal information on the users that create the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content into the network. The network’s connectivity enables the spread of exploitation. The blog explains that attackers exploit the weakest link in the chain.
The inability of users to determine the legitimacy of content flowing through the social media helps this exploitation process. Help Net Security says the biggest problem with online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URLs and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no way to authenticate the URLs passed among the user objects in the social networks.
The infection process begins with the exploitation of human ignorance and followed by the spreading of the malware through the trust upon which the network is based.
The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response so the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics, and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual’s ignorance common attack strategies have emerged.
One of the simplest infection techniques is to put malicious URLs on a user’s Facebook message wall. When a user clicks on an illegitimate hyperlink it can result in the automatic download of malware through the browser. Some of the exploits used are:
- Browser Exploit Packs (BEP) fingerprint the browser version and other software on the user machine. Based on this information, a suitable malware is served to the user which uses exploits for that particular browser.
- Drive-by-Download attacks begin by visiting a malicious
page. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes a shellcode to run that in turn downloads the malware into the system. - Malicious advertisements (malvertisements) happen when an attacker injects a malicious link into a user’s Facebook wall to spread malware. The fake post is linked to a third-party website that has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScripts which execute the malicious content in the browser.
Help Net Security states that online social media is not harnessing the power of Safe Browsing API’s from Google (GOOG) or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.
Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook user’s trust in a social engineering campaign. The attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities according to the Help Net Security report.
MSFT says the Facebook Wall messages varied but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of “Video Embed ActiveX Object” to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.
The trojan bypasses firewalls, installs an FTP and a proxy server, and a key logger on the affected machine. Microsoft’s Mihai Calota says ” … has built-in remote desktop functionality based on the open-source VNC project.” MSFT says the Facebook attack can be used to steal money, “We received a report .. that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.”
rb-
The articles correctly state that security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity, and ignorance of the social network customers to their own profit. Users should demand safe and secure transmission of the information and the user’s privacy. These should also be a focus of the social networking companies.
To protect themselves, users should:
Have up to date AV software running on their computers- Keep their browsers and operating systems fully patched
- Change the passwords on all their sensitive accounts regularly
- Warn friends and Facebook if an account seems to be hacked by using the Facebook “report/mark message as spam” option.
Related articles
- Facebook denies malware risk from message bug (go.theregister.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
In one of the most 
1. 
