Rise of the Autobots: Into the Underground of Social Network Bots

Rise of the Autobots Into the Underground of Social Network Bots

Hi! I’m not a bot • Tom Eston • Social Media Security Researcher • Pentester • Bot lover • Blog: spylogic.net • Podcast: securityjustice.com • Tweet me: agent0x0

WARNING! What you are about to see violates the Terms of Service (TOS) and acceptable use policies of social networks! Accounts used in these tests have been deleted or “removed” (not by me...) Don't try this at home! KTHKSBAI

Social Networks

200 Million Users

110 Million Users

35 Million Users

Grew 752% in 2008

8 Million Visitors in March 2009

quot;Social Networks & Blogs are now the 4th most popular online activity, ahead of personal email.quot; -Nielsen Online Report, March 2009

It’s a target rich environment...

The Culture of Trust

Why is trust important? • It’s how social networks work! • Trust EVERYONE! • Share as much as possible...the social networks don’t mind! • Social networks are mining your data!

Trust exploited by Bots??

Bot or Not?

BOT!! Bot or Not?

Bot or Not?

BOT!! Bot or Not?

Bot or Not?

BOT!! Bot or Not?

Bot or Not?

Not a Bot!

Not a Bot! But still... LOTS OF FAIL!

Bot or Not?

BOT!! Bot or Not?

Biggest Rick Roll ever?

What’s the point? • Trust is easy to exploit! • People will trust bots... • Accounts were created and used with tools we will talk about • Rick Astley is EVIL!

The Rise of the Bots

What are bots? “...perform tasks that are both simple and structurally repetitive at a much higher rate than a human alone.” “Applications that run automated tasks”

Ever see this?

Why use Bots? • Automation...on a mass scale • Easy to use • Multiple purpose • Malware, Blackhat SEO, phishing...pr0n! • Highly Effective

The Bot Underground

“It’s the “Spammers Choice!”

The Underground Business Model • Create and Sell accounts • Buy and Use accounts • Custom bot scripts and software (Freelancing)

It’s all about Blackhat SEO... • Not just for search engine rankings! • Evil Search Engine Optimization techniques... • PPC (Pay Per Click) • PPI (Pay Per Install) • Cookie Stuffing How money is made on the “net”

Want to know more?

What’s for Sale? • Hacked accounts • Hacked accounts w/friends (more friends, more $$) • Webmail accounts (verified) • Bot software/scripts • Services!

Example...

Let’s talk $$ • Facebook w/30+ Friends = $8 • Facebook Phone Verified = $5/$6 • 1,000 Gmail Accounts = $13 • 500 YouTube Accounts = $30

But there are controls in place, right?

What about CAPTCHA?

CAPTCHA=FAIL • Algorithms can be cracked • OCR technology • They have hawt chix • and if that doesn’t work...

OUTSOURCE IT!

OR...use Melissa! She wants you..srsly

What about Friend Request/ Messaging Controls...

Phone SMS Verification? • Great idea! But...can be broken..

It kind of works, but... • Prepaid cell phones • Overseas virtual SMS Services (SMS Receive) • SMS back to ICQ and Yahoo Messenger (works with some socnets)

How about rate Limits? • Easy to bypass...just test it, modify your code and/or slow down!

Types of Bots on Social Networks

Good Bots

Twitter Bots

n0taB0t • Tweets mindless rants.... • Likes to reply to you • Likes Notacon • Mostly harmless

Annoying Bots

Auto Follow/ Reply • Bots looking for “keywords” in your tweets...

Evil Bots

U-Bot in Action

Webdominator

Webdominator in Action

Need help?

Other Pay Services

Realboy • Project to make Twitter bots as human as possible! • Real interactions with your Twitter network • Source code available...

Social Network Botnets? • Malware distribution for C&C • Koobface! • DDos botnet via third-party applications • Facebot! • Control a botnet via Twitter?

Twitter for Botnet C&C • Bot looks for commands on legitimate Twitter accounts • Takes action based on the command • Commands are obfuscated • Proof of Concept code released today at Notacon! • “TwitterBot” created by Robin Wood aka: @digininja

Twitterbot C&C In Action

TwitterBot Enhancements • add a hash (or part of) to the command to stop fake requests • encrypt the whole command (obfuscation) • get the bot to talk back Get it now at: http://www.digininja.org/twitterbot/

Is the end near? How to stop the bots!

Bot detection • Look carefully! • Lots of clues..spammer s are doing it wrong! • Programs/API’s to detect (Twitter specific)

Some possible solutions... • Account creation/message throttling • Why can you still create multiple accounts from the same IP?? WTF? • No more opt-in developer models! • Education of users? We can try...the socnets won’t!

But wait...there’s more! • socialnetworkbots.com • open source project • Twitter and other bots (n0tab0t).... • get the code...don’t use your real account! • Twitterbot Command & Control POC Code: www.digininja.org/twitterbot

Questions?

http://socialmediasecurity.com	363
http://www.future-web-net.com	56
http://www.slideshare.net	18
http://translate.googleusercontent.com	1

Rise of the Autobots: Into the Underground of Social Network Bots

by Tom Eston on Apr 20, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 438

Statistics

Rise of the Autobots: Into the Underground of Social Network Bots — Presentation Transcript