Social Media Cybercrime Case Study: Facebook and Koobface
DESCRIPTION
A brief survey of social media attacks, scams and malware, focusing on Facebook and Koobface. Ioannis Kyratzoglou, Ali Almossawi for ESD.341
TRANSCRIPT
Social Media Cybercrime Case Study: Facebook and Koobface, and similar social media scams, malware and viruses
Ali Almossawi Ioannis Kyratzoglou
ESD.341
Dec 6, 2011
Agenda
• Why social networks are an attacker’s dream
• Why social media can’t be ignored
• Focusing on Facebook
• Taking a look at Koobface
• In the end, what are we to do?
Why social networks are an attacker’s dream
• An attractive distribution channel due to size and diversity
  • Facebook: 800 million users
  • LinkedIn: 120 million users
  • Twitter: 180 million accounts
• Contain a wealth of potentially private or libelous information
  • People post pictures, their location, likes/dislikes, etc.
  • Company employees may post about corporate records, their professional opinions on things, their views on products, patient information, medical addictions, etc.
Social media threat patterns
• Conduct cyber stalking to harass a victim
• Perform industrial espionage to gain knowledge
• Collect private data to analyze market trends, using that to gain competitive advantage
• Perform cybercrime, primarily as a means of achieving financial gain, e.g. pay-per-click (PPC) or pay-per-install (PPI)
• Conduct cyber terrorism
• We will talk about social media malware sources later on
Why social media can’t be ignored
• It has become an inseparable part of the Web as we currently know it (Web 2.0 if you will)
• Users receive real-time information from friends and family, get viewpoints, articles, share group information, etc.
• Corporations build brand name, customer following, share product info, etc.
Let’s take a look at Facebook
• 800 million+ active users
• More than 50% of active users log on in any given day
• Average user has 130 friends
• Average user is connected to 80 community pages, groups and events
• Every month, more than 500 million people use an app on Facebook or experience Facebook Platform on other websites
www.facebook.com/press/info.php?statistics
Social media attacks
• Lightweight attacks
  • Click-jacking
  • Various other social engineering strategies
• Sophisticated attacks
  • Koobface
Click-jacking
• When an app updates your status or posts a link on your wall on your behalf
• It not only can post on your wall, but also in groups that you administer
• How does it work?
[Slide embeds a video]
Click-jacking: one use-case
From BitDefender’s ‘Social Media Scams’ Infographic
Click-jacking: the baits
• 34.7% of “app baits” are profile traffic insights
  • See who viewed your profile
  • See who deleted you
  • The ‘See who viewed your profile’ bait
    • Spread through 286 unique URLs per wave, which led to 14 unique Facebook apps
    • It gathered around 1.5 million clicks!
    • Distribution spike per URL was 34 hours
• 16.2% are social game bonuses (e.g. FarmVille, Mafia Wars)
• 14.7% are shocking images
  • This girl killed herself after…
  • You will never text again after seeing this!!
• 12.5% are non-existent Facebook features
  • Who poked me the most
  • Your first ever Facebook status
  • A dislike button
• 8.4% are versions of famous games (Super Mario World, World of Warcraft, etc.)
Data from BitDefender: http://www.bitdefender.com/files/Main/img/BitDefender-InfoGraphic_Facebook.jpg
Click-jacking: some more data
• Most frequently used words: WOW, Profile, OMG, girl, killed, viewed, stalker, video, busted, crying, stripping, farmville, etc.
• Busiest scam-clicking countries*: 1. USA, 2. India, 3. UK, 4. Canada, 5. Australia
* Then again, all five are among the ‘top 20 countries with Facebook users’
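The bait categories and the frequent-word list above can be turned into a simple triage heuristic for wall posts, which is what a social media monitor or an abuse team might run over reported links. The following is an added example, not from the slides or from BitDefender: the category weights, the regular expressions, the score threshold and the sample posts are all constructed assumptions for illustration, and the sample posts are made up.

```python
"""Heuristic scorer for scam-bait wall posts.

Added example built from the bait categories and vocabulary reported in the
BitDefender data; weights, patterns and sample posts are constructed
assumptions, not data from the infographic.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Bait phrases grouped by the categories the infographic reports. Weights are
# an assumption for this example, loosely ordered by each category's share.
BAIT_PATTERNS = {
    "profile insights": (3, [r"who (viewed|visited|deleted) (your|my) profile",
                             r"profile (viewers|stalkers?)"]),
    "game bonus": (2, [r"free (farmville|mafia wars) (cash|coins|bonus)"]),
    "shocking image": (2, [r"killed (her|him)self", r"you will never .* again",
                           r"\bomg\b", r"\bwow\b"]),
    "fake feature": (2, [r"dislike button", r"who poked (me|you)",
                         r"first ever .* status"]),
    "famous game": (1, [r"play (super mario|world of warcraft) (free|on facebook)"]),
}
# Single words the infographic lists as most frequent in scam posts.
BAIT_WORDS = {"wow", "profile", "omg", "girl", "killed", "viewed", "stalker",
              "video", "busted", "crying", "stripping", "farmville"}
# Bare URLs or domain/path fragments; a bait needs somewhere to send the click.
URL_RE = re.compile(r"https?://[^\s]+|\b[a-z0-9.-]+\.(?:com|net|info|tk|ly)/\S*", re.I)


@dataclass
class Verdict:
    score: int
    categories: List[str] = field(default_factory=list)
    has_link: bool = False


def score_post(text: str) -> Verdict:
    """Return a bait score for one wall post; higher means more scam-like."""
    lowered = text.lower()
    score = 0
    categories = []
    for name, (weight, patterns) in BAIT_PATTERNS.items():
        if any(re.search(p, lowered) for p in patterns):
            score += weight
            categories.append(name)
    words = set(re.findall(r"[a-z]+", lowered))
    score += len(words & BAIT_WORDS)          # one point per frequent scam word
    has_link = bool(URL_RE.search(text))
    if has_link:
        score += 2                            # bait text plus a link to click
    return Verdict(score, categories, has_link)


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Threshold of 4 is an assumed cut-off, tuned only against the samples below."""
    return score_post(text).score >= threshold


# Constructed sample posts (not real data); example.com is a reserved domain.
SAMPLE_POSTS = [
    "OMG see who viewed your profile!! http://example.com/viewers",
    "WOW this girl killed herself after her dad posted this video bit.ly/constructed",
    "Happy birthday Maria, see you at dinner on Saturday",
    "Get your free FarmVille cash here -> farm-bonus.example.com/claim",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        v = score_post(post)
        flag = "SUSPICIOUS" if is_suspicious(post) else "ok"
        print(f"{v.score:2d} {flag:10s} {post[:60]}  {v.categories}")
```

Keyword scoring of this kind is cheap and catches the templated baits in the infographic, but it is only a first filter: scammers rotate wording, so the categories and the link check matter more than any single word, and anything flagged should be confirmed by following the link in a sandbox rather than on a user's account.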
Other social engineering strategies used
Black Hat World
• The Brazilian company Olla Condoms created fake profiles by basing them on actual male profile names, with “Jr.” added
• They then sent friend requests from, say, John Jr. Smith to John Smith
• After John Smith “break[s] out in a cold sweat and click[s] through, they'll go limp in relief to discover they've been duped”
• “Then, Olla assuredly hopes, they'll dash off to the pharmacy to stock up on baby-prevention supplies”
Sophos.com, ‘Condom ad poses as Facebook friend request from your fetus’, December 5, 2011
Other social engineering strategies used
• The article that Abel sent us last week: ‘How to friend anyone in 24 hours’
  1. You clone a profile of an actual person
  2. Then friend their friends
  3. Then potentially take over the target account using FB’s 3 trusted friends password recovery feature
arstechnica.com, “Researcher shows how to "friend" anyone on Facebook within 24 hours”, Dec 1, 2011
The case study: Koobface on Facebook
• Description
• Use-case
• Mechanism of the attack
• Focus of the attack
• Support infrastructure
• Monetization
• Challenges
Description
• Koobface is a worm that primarily targets Facebook, but also other social media sites. Its goal is to gather login information for purposes of building a peer-to-peer botnet
• Originally appeared in May 2008
• There have been 136 versions of it to date
• The Infowar Monitor says that its operators live in St. Petersburg, Russia
• The Koobface botnet is made up of 400,000 to 800,000 PCs worldwide (Kaspersky Labs)
• Other popular malware: Boonana, Bugat
Sources: ‘The Risks of Social Media and What Can Be Done to Manage Them’, Osterman Research; ‘Attacker That Sharpened Facebook’s Defenses’, NYTimes.com
Use-case
1. Friend posts update on FB
2. You click on the link in the update
3. You’re redirected to a website run by Koobface
4. ‘Video can’t load, download latest version of Flash’
5. You actually download/install the malware
• Koobface then gathers login information and sends it back to its servers
• It downloads a DNS filter that blocks access to well-known security websites
• Websites visited through Google may be replaced with fake websites (monetization strategy)
• It can post as users on Facebook, create accounts on Facebook, etc. (propagation strategy)
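One of the post-infection behaviours above, the DNS filter that cuts the victim off from security vendors, is also one of the easiest to check for on a suspect machine. The following is an added example, not part of the slides or of any Koobface analysis: it assumes the filter is implemented as hosts-file overrides (a common technique, but an assumption here rather than a claim about Koobface), the watch-list of vendor domains is a constructed assumption, and the sample hosts file is made up, not captured from an infection.

```python
"""Check a hosts file for entries that black-hole or redirect security domains.

Added example. Assumes the 'DNS filter' takes the form of hosts-file overrides;
the watch-list and the sample file are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains a defender would not expect to see mapped in a hosts file. This is an
# assumed watch-list for the example; extend it with the vendors you rely on.
SECURITY_DOMAINS = {
    "sophos.com", "kaspersky.com", "bitdefender.com", "symantec.com",
    "mcafee.com", "microsoft.com", "facebook.com",
}
# Addresses that silently black-hole a name.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # validates IPv4 and IPv6 literals
        except ValueError:
            continue                          # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), n))
    return entries


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the watch-list above."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag mappings of watched domains, classifying each as blackholed or redirected."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if registrable(host) in SECURITY_DOMAINS:
            kind = "blackholed" if ip in SINKHOLES else "redirected"
            findings.append({"line": n, "host": host, "ip": ip, "kind": kind})
    return findings


# Constructed sample hosts file (documentation-range addresses, not a real capture).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1   localhost
::1         localhost
# suspicious overrides
127.0.0.1   www.sophos.com sophos.com
0.0.0.0     securelist.kaspersky.com
203.0.113.7 www.facebook.com
192.0.2.10  intranet.example.org
"""

if __name__ == "__main__":
    # On a real machine read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts.
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

A "blackholed" entry is the signature of the blocking behaviour described above; a "redirected" entry pointing a vendor or Facebook name at an outside address is more serious, since it can feed the fake-website monetization the slide mentions. Either way the host should be treated as compromised rather than just having the lines removed, because the malware that wrote them will write them again.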
Mechanism and focus of the attack
• A set of social engineering tactics
  • Click-jacking
  • Redirection
  • Product scams
• The focus of the attack, as previously alluded to, is primarily Facebook’s 800 million+ users
Information flow and infrastructure
[Diagram: Koobface information flow and infrastructure. Components shown: Command and Control; Offis (test new releases); Install Tracker Server; Mothership (fraud services); Zombie Proxies; Landing Pages; Drop Zone; Monitor and Countermeasures; Income Generation Affiliates; dB; Compromised Users (User 1 …); PPI/PPC Generation; Paymer; Webmoney. The arrows between them are numbered 1 to 10.]
Monetization
• The Koobface mothership maintains daily records of the money earned from affiliate relationships
• The daily total for the last seven days is sent to four Russian mobile phone numbers daily
• From June 23, 2009 to June 10, 2010 Koobface earned a total income of $2,067,682.69
• The daily average income was $5,857.46
Monetization data from ‘Koobface: Inside a Crimeware Network’, Infowar Monitor
Monetization affiliates
Challenges
• For malware, botnet operators leverage geography to their advantage, often exploiting Internet users from all countries but their own.
• While the total amount of criminal activity that the botnet operators engage in may be significant, the distribution of that criminal activity across multiple jurisdictions means that the criminal activity in any one jurisdiction is minimal.
• Botnet operators leverage Internet infrastructure around the world, making it difficult to interfere with their operations.
From ‘Koobface: Inside a Crimeware Network’, Infowar Monitor
Conclusion
• These scams and malware play on people’s natural tendency towards curiosity and take advantage of people’s trust in their friends
  • e.g. you might say: John isn’t usually into this kind of thing, let me see why he “liked” it
• People who wouldn’t otherwise be tricked by a scam online might fall for one if they see that one of their friends has “liked” it
• Of all Facebook users worldwide, around 65% are between 13 and 29
  • Perhaps more vivid education is called for
So what do we do?
• Persistent monitoring by law enforcement and greater collaboration between them
• Better corporate policies to mitigate the risks of malware and viruses from social media
• As a user, be cynical. Subscribe to social media monitors like Sophos’ (they have a Facebook page)
• Facebook has a Chief Security Officer and a dedicated Security page: www.facebook.com/security