A STUDY OF MALICIOUS ATTACKS ON FACEBOOK
Maria Patricia M. Revilla
Commtouch, Philippines
October 2011

Copyright is held by Virus Bulletin Ltd, but made available on this site for personal use free of charge by permission of Virus Bulletin (http://www.virusbtn.com).
Maria Patricia M. Revilla, Commtouch, Philippines
Email: Patriciar@commtouch.com

ABSTRACT

Social networking sites have, beyond doubt, made it into today’s popular culture. They have apparently become the primary resource for the masses when it comes to socializing, for the sole reason that they generally measure up to what the modern populace claim to demand – something fast, easy and accessible. Facebook is a perfect example.

Facebook has become undeniably popular. With 600 million users to date, it could be considered to be the most widely used social networking site in the last decade. People patronize Facebook for its simple but rather functional features, which range from public messaging through wall posts and private messaging, to sharing photos, videos and URL links, to gaming, and even marketing and advertisements. It even makes a good online outlet for thoughts in the form of ‘status updates’, which can be changed as often as one wishes.

With its popularity and effectiveness, Facebook has also become a hot spot for attackers. Over the years, social engineering has been reported to effectively spread malicious programs which are hard to prevent, especially given that they are designed to trick human thinking.

This paper will seek to study the social engineering attacks that have been identified to spread malware through Facebook. By tracking down the distribution methods/mechanisms for spreading malware, and the current preventive and defensive measures, this paper aims to give an insight into the challenges that are being faced in terms of protecting users.

INTRODUCTION

Facebook has become enormously popular, reaching over 600 million users to date. Users have increasingly integrated social networks into their lives, spending a reported 700 billion minutes per month on Facebook. Every 20 minutes approximately 24,857,000 actions are performed, which may be broken down into:

10,208,000 comments made
2,716,000 photos uploaded
2,716,000 messages sent
1,972,000 friend requests accepted
1,851,000 status updates
1,587,000 wall posts
1,484,000 event invites
1,323,000 tagged photos
1,000,000 links shared

Table 1: Facebook activity statistics (onlineschools.org).

The popularity, number of subscribers, and level of activity have made Facebook an attractive tool for attackers who use social engineering in order to spread malicious content or earn money unethically. Over the years, social engineering has been enormously effective as it succeeds in convincing users to unknowingly act in the interests of cybercriminals. Spam and email scams have been used to deceive users, for example, offering seemingly legitimate employment while putting victims to work as money mules who unwittingly help launder stolen funds. It has also been used as a tool to start and force the spread of worms by including attachments disguised as normal documents.

The use of fake file icons such as those used for Windows folders, Word documents, text files, media files and others is a subtle form of social engineering, letting users think that a malicious application is just a normal document. Instant messages on Yahoo! or MSN use convincing phrases promising must-see pictures or videos to trick users into clicking malicious links that may point to phishing sites or rogue software. Rogue software or fake anti-virus products are themselves a form of social engineering. By scaring users with ‘detected’ malware, they convince them to pay for products that they believe will actually help them remove the ‘infection’. Sophisticated social engineering attacks use emotion and human desires to trick users. Protecting users from themselves is a tough job and it is something that a computer cannot really do.

In 2008, the Koobface worm spread through social networks, including Facebook (where its name came from). It may be considered to be one of the most successful worms as new variants are still being encountered – over 20,000 variants by April 2011. Aside from the Koobface worm, there have been other forms of attacks – clickjacking, phishing, spams, scam messages, links to rogue applications, and others that help cybercriminals earn money. It is certainly alarming to see how these forms of attack have increased.

Based on the number of active users and activities performed by Facebook users, it is clear that Facebook has become an effective social networking site, with people benefiting from its integrated functionality such as photos and messaging. At the same time, attackers have successfully taken advantage of this functionality to turn Facebook into a channel for spreading malicious content. Even a small percentage of compromised users would equal a large attack base given the number of active users on the site.

Security companies have developed tools and have improved scanners to detect and prevent intrusion of malicious programs. Solutions range from single file detection to generic and heuristic detections, and even cloud-based technologies. As these protection technologies have improved, attacks have grown more sophisticated in an attempt to evade new and existing security measures. Attackers usually take advantage of commonly used software and/or popular sites, combining social engineering with exploits of vulnerabilities in programs like Adobe Reader or Internet Explorer. Our observation is that attackers have achieved the most success in bypassing security measures by employing sophisticated social engineering methods.

This paper will focus on analysing social engineering attacks on Facebook and will try to present the preventive measures the industry has provided to users, the defensive measures/tools that are available to users, and the challenges faced in preventing users from becoming victims.
VIRUS BULLETIN CONFERENCE OCTOBER 2011 1
Figure 11: Resulting post made by the spam code.

Money-mule and credit card scams

Money-mule scams have also made their way into Facebook. As with other platforms, scammers attract people with promises of easy money. Money-mule recruitment usually starts with Facebook groups (which can be started by any Facebook user). These groups often attract large followings because people do not know what they are getting into.

Other frauds have also appeared, such as credit card scams. These start with messages designed to attract users by proposing ‘money-making jobs’, or books about ‘how to earn big money’, ‘how to win the Lotto’, or ‘guides on how to be attractive’. The example in Figures 12 and 13 shows the first part of such an attack using an ‘easy money making’ Facebook group. Some of the posts on the group’s wall are products being sold, relating to books for winning the Lotto or attracting women (Figures 14 and 15).

Figure 12: Scam group page sample (1).
Figure 13: Scam group page sample (2).
Figure 14: Scam post sample (1).
Figure 15: Scam post sample (2).

Following the links leads to the sites shown in Figures 16 and 17, enticing users by promising results as well as a discount when they buy the product.

Figure 16: Scam post advertisement sample (1).
Figure 17: Scam post advertisement sample (2).

Once a user accepts the offer, the payment is made via a credit card transaction as shown in Figures 18 and 19.

Figure 18: Payment scam sample (1).
Figure 19: Payment scam sample (2).
The site complaintsboard.com shows that the payment site appears to be a fraud or a scam (Figure 20).

Figure 20: Complaintsboard complaint comments.

Fake email notifications – more scam, spam and malware attachments

Spammers promoting pharmaceutical products have also used Facebook as an opportunity. Fake Facebook email notifications trick users into clicking links leading to online pharmacy sites. An example of a fake email notification is shown in Figure 21.

Figure 21: Fake Facebook email notification leading to online pharmacy site.

Following the link leads to the pharmaceutical store page shown in Figure 22.

Figure 22: Pharmaceutical store page.

Lottery scams have also been very common, using fake email notifications describing surprise lottery wins such as the ‘Facebook Africa Jackpot Promo’ shown in Figure 23.

Figure 23: Facebook lottery email scam.
Figure 24: Fake Facebook email password notification (1).
Figure 25: Fake Facebook email password notification (2).
Figure 26: Fake Facebook email password notification (3).
The email has all the signs of an advance fee fraud scam: promising a huge sum of money, requesting detailed personal information, and requiring secrecy.

Malware writers have also taken advantage of fake Facebook email notifications. Emails include subjects relating to ‘Facebook Abuse Department’, ‘Facebook Security’, and others (Figure 24). In the examples shown in Figures 25 and 26, variants of the malware detected as Oficla (aka Bredolab) are sent as attachments, with the email describing a password reset due to spam. Subjects include ‘Spam from your account’. The attachment names include ‘Attached_SecurityCode.exe’, ‘Facebook_DOCUMENT.EXE’ and ‘Facebook_PASSWORD.EXE’. These are all malware executables that use misleading file icons in addition to their misleading file names. The use of trusted icons is a common social engineering tactic to trick a user into executing the malware file. Below are examples of the Oficla executables with misleading filenames and icons:

Figure 27: Oficla attachment file (1).
Figure 28: Oficla attachment file (2).

Phishing

Genuine Facebook user accounts are very valuable for cybercriminals since they provide them with access to a trusting network of friends. Facebook users have therefore become a natural target for phishers. Many fake pages have been launched (fed from fake email notifications) in order to steal users’ login information. Cybercriminals can then use these stolen accounts for many of the malicious purposes described in this paper. Attackers have become skilled at mimicking the actual Facebook login page, as in the example shown in Figure 29.

Figure 29: Facebook phishing page sample.

According to PhishTank.com statistics, Facebook has consistently been in the top 10 sites targeted by phishing. From September 2009 until March 2011, 11,211 phishing attempts were recorded (Figure 30).

Figure 30: Facebook phishing sites statistics.

Fake applications

Many Facebook users enjoy Facebook applications and games that exist within the social network, such as FarmVille and CityVille, and attackers have also taken advantage of this functionality. The problem with applications on Facebook is that they have the ability to access some or all of the user’s profile information. Rogue applications can therefore post messages on a friend’s wall, send messages, and even extract information from user profiles to be used for any malicious purpose. Attackers usually use catchy subjects such as ‘who viewed your profile’. A further issue is that the verification process for application writers is relatively simple.

PREVENTIVE MEASURES

Prevention is always better than cure. The trusted network nature of Facebook has made some cybercrime much easier. On the other hand, Facebook has improved its security measures and settings to protect its users. These measures have included partnerships with security organizations to help improve the site’s security tools. Although these systems are not perfect, they are worth noting as they do contribute to user security.

Spam, scam and clickjack prevention systems

Facebook has implemented security checks in order to protect users from phishing attacks. In the example below, it was able to detect an attempt to log in from a page outside Facebook. When a user tries to visit a page that does not belong to Facebook, but requires a login to Facebook, the warning message below appears:

Figure 31: Security notice from a login attempt outside Facebook.
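The fake password-reset notifications above combine three signals a mail filter can check: Facebook branding from a sender domain that is not Facebook, a security pretext in the subject, and an attachment whose real extension is executable regardless of its icon. The following is an added example (not code from the paper or from Commtouch); the message is constructed for illustration and the allowlist of one legitimate sender domain, facebook.com, is an assumption.

```python
"""Heuristic filter for fake 'Facebook' notification emails carrying an executable
attachment, modelled on the Oficla campaign described in the text. Added example;
the sample message is constructed and the sender allowlist is an assumption."""
from email import message_from_string

PRETEXT_SUBJECTS = ("spam from your account", "facebook abuse department", "facebook security")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # runs code, whatever the icon
LEGIT_SENDER_DOMAINS = ("facebook.com",)  # assumption: only this domain sends real notifications

def sender_domain(msg):
    addr = msg.get("From", "")
    if "<" in addr:                      # strip a display name: Name <addr>
        addr = addr.split("<", 1)[1].rstrip(">")
    return addr.rsplit("@", 1)[-1].strip().lower()

def executable_attachments(msg):
    """Filenames of attachments whose real extension is executable."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(EXECUTABLE_EXTS)]

def classify(raw):
    """Flag a message that mixes Facebook branding, a security pretext and an executable."""
    msg = message_from_string(raw)
    subject, sender = msg.get("Subject", "").lower(), msg.get("From", "").lower()
    reasons = []
    if "facebook" in subject + sender and sender_domain(msg) not in LEGIT_SENDER_DOMAINS:
        reasons.append("Facebook branding from a non-Facebook sender domain")
    if any(s in subject for s in PRETEXT_SUBJECTS):
        reasons.append("password/security pretext in subject")
    exes = executable_attachments(msg)
    if exes:
        reasons.append("executable attachment: " + ", ".join(exes))
    return {"suspicious": bool(exes) or len(reasons) >= 2, "reasons": reasons, "attachments": exes}

# Constructed sample modelled on the 'Spam from your account' notification.
SAMPLE_PHISH = """From: Facebook Security <security@fb-notice.example>
Subject: Spam from your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password was reset because of spam sent from your account. See the attachment.
--b1
Content-Type: application/octet-stream; name="Facebook_PASSWORD.EXE"
Content-Disposition: attachment; filename="Facebook_PASSWORD.EXE"

MZ-placeholder
--b1--
"""
```

A real deployment would also quarantine double-extension names and archives containing executables, which this heuristic does not cover.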
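The phishing pages above imitate the Facebook login form on a host Facebook does not control, and the outside-login check described in this section flags exactly that situation. The following is an added example of such a check from the defender's side (not Facebook's own mechanism); the two pages are constructed, and facebook.com with its subdomains is the assumed legitimate host.

```python
"""Heuristic check for pages that imitate the Facebook login page. Added example,
not Facebook's own check; the sample pages are constructed and facebook.com is the
assumed legitimate host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LEGIT_HOST = "facebook.com"  # assumption: this host and its subdomains are genuine

def is_legit_host(host):
    host = (host or "").lower()
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)

class LoginFormParser(HTMLParser):
    """Record each form's action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def check_login_page(page_url, html):
    """Return the reasons a page looks like a Facebook credential phish ([] = clean)."""
    parser = LoginFormParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    pw_forms = [f for f in parser.forms if f["password"]]
    reasons = []
    # A Facebook-branded password form that is not served by Facebook itself.
    if pw_forms and "facebook" in html.lower() and not is_legit_host(page_host):
        reasons.append(f"Facebook-branded login form served from {page_host}")
    # A password form whose action sends the credentials to some other host.
    for f in pw_forms:
        target = urlparse(urljoin(page_url, f["action"])).hostname
        if target != page_host and not is_legit_host(target):
            reasons.append(f"credentials posted to third-party host {target}")
    return reasons

# Constructed samples: a look-alike page and the genuine login page.
PHISH_PAGE = ('<html><title>Facebook - Log In</title><body><form action="post.php">'
              '<input name="email"><input type="password" name="pass"></form></body></html>')
PHISH_URL = "http://facebook-login.example/index.html"
REAL_PAGE = ('<html><title>Facebook</title><body><form action="/login.php">'
             '<input name="email"><input type="password" name="pass"></form></body></html>')
REAL_URL = "https://www.facebook.com/"
```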
Figure 38: Facebook HTTPS browsing setting.

Another security tool is the Facebook activity monitor, which enables remote logout. A user can see the latest activities in his account by checking the Account Settings, which include an indication that the account is active through a different location or device. The screen below shows a single account signed in on different computers. The user may end any active login from a different computer or location that he is not aware of. This is helpful in tracking whether someone else is using an account.

Figure 39: Facebook activity monitor.

Facebook security and safety page

Educating users about Internet safety is another important preventive measure – particularly since most of the attacks rely on social engineering. The Facebook security page provides:

• Information such as how to protect a user account, and how to take action when an account has been compromised and used for sending scams or spam.
• Information about the threats that a user may encounter on Facebook and helpful tips to avoid scams, spams, hacks and malware that may be spreading on the platform.
• A way of reporting a possible security vulnerability, allowing Facebook to work on improving security measures.
• A safety page that explains Facebook as a community in which everyone has a shared responsibility of keeping it a safe environment. This gives an insight for parents, teens and teachers who are using Facebook and helps them understand the environment as well.

Security blogs

There continue to be numerous blog posts written about Facebook threats. Commtouch’s security blog and those of other anti-virus companies can enlighten customers about new threats that are found on the social network. Many of these blogs are very illustrative and informative, allowing users to easily understand and be aware of the types of threats they might encounter on Facebook. These also provide tips on strengthening security and account settings.

DEFENSIVE MEASURES

Facebook generally blocks known malicious content or pages that are reported to it. Facebook reporting tools include links such as ‘Mark as Spam’ and ‘Report/Block this Person’.

Another defence available to end-users is a locally installed security product, such as URL and spam filtering software, and an anti-virus product. Anti-virus firms have also responded to the new threats by ensuring detection of new variants of Facebook worms, Oficla, and the increasing number of malicious scripts used for spamming. At the same time, security groups have created their own Facebook pages for users to view the latest threats, including advice about how to remain secure and protected. Several companies have also released software specifically for Facebook.

CONCLUSION

As it has gained in popularity, Facebook has also been increasingly used for malicious purposes, and its name, functionalities and features have been vastly exploited. The security industry is continually working to keep pace with new cybercriminal tricks on Facebook. In addition, Facebook has taken several steps to protect its users while working with security groups in order to improve its defence systems and the security tools on the platform. As shown by the many examples above, attackers employ numerous social engineering tactics to help spread malware, scams and spam. Indeed, the key security problem with Facebook lies in the trusted nature of friend connections, which are so easy to exploit with social engineering. Education of users is therefore a key part of enhancing Facebook security.

ACKNOWLEDGEMENTS

I would like to express my sincere gratitude to Commtouch VirusLab and to the hands of the people that God used to make the completion of this paper possible: Robert Sandilands, Rommel Ramos, Avi Turiel, Rebecca Herson, Catherine Lor and Jinky Suarez. And whatsoever ye do, do it heartily, as to the Lord, and not unto men; – Colossians 3:23.

REFERENCES

http://www.socialbakers.com/Facebook-statistics/?interval=last-week#chart-intervals
http://www.Facebook.com/press/info.php?statistics
http://www.onlineschools.org/blog/Facebook-obsession/
http://blog.Facebook.com/blog.php?post=68886667130
http://www.kaspersky.com/news?id=207575670
Commtouch Trend Report 2010 Q4. http://www.commtouch.com/download/1934