Search

Today’s hidden dangers: Social networks under attack

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

0 comments

Post a comment

    Post a comment
    Embed Video
    Edit your comment Cancel

    Notes on slide 1

    Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a “fully automated advertising software for Twitter” hit the market,  potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service.TweetTornado allows users to create unlimited Twitter accounts, add unlimited number of followers, which combined with its ability to automatically update all of bogus accounts through proxy servers with an identical message make it the perfect Twitter spam tool.TweetTornado’s core functionality relies on a simple flaw in Twitter’s new user registration process. Tackling it will not render the tool’s functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn’t require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter.So starting from the basics of requiring a validation by clicking on a link which will only be possible if a valid email is provided could really make an impact in this case, since it its current form the Twitter registration process can be so massively abused that I’m surprised it hasn’t happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate email could be banned from further registrations, potentially emptying the inventory of bogus emails, and most importantly making it more time consuming for spammers to abuse Twitter in general.If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I “wonder” why is the originally blurred by the author Twitter account used in the proof (twitter.com/AarensAbritta) currently suspended, the way the rest of the automatically registered ones are? Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicate that a spammer’s tweeting.

    A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywordsand using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live spaces.  Approximately 70 to 80 bogus LinkedIn profiles appear to been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack)Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served currentlydetected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any if we’re to exclude the most abused infection vector for 2008.

    Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a “fully automated advertising software for Twitter” hit the market,  potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service.TweetTornado allows users to create unlimited Twitter accounts, add unlimited number of followers, which combined with its ability to automatically update all of bogus accounts through proxy servers with an identical message make it the perfect Twitter spam tool.TweetTornado’s core functionality relies on a simple flaw in Twitter’s new user registration process. Tackling it will not render the tool’s functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn’t require you to have a valid email address when registering a new account, so even though a nonexistent@email.com is used, the user is still registered and is allowed to use Twitter.So starting from the basics of requiring a validation by clicking on a link which will only be possible if a valid email is provided could really make an impact in this case, since it its current form the Twitter registration process can be so massively abused that I’m surprised it hasn’t happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate email could be banned from further registrations, potentially emptying the inventory of bogus emails, and most importantly making it more time consuming for spammers to abuse Twitter in general.If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I “wonder” why is the originally blurred by the author Twitter account used in the proof (twitter.com/AarensAbritta) currently suspended, the way the rest of the automatically registered ones are? Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicate that a spammer’s tweeting.

    A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywordsand using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live spaces.  Approximately 70 to 80 bogus LinkedIn profiles appear to been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack)Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served currentlydetected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any if we’re to exclude the most abused infection vector for 2008.

    A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywordsand using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live spaces.  Approximately 70 to 80 bogus LinkedIn profiles appear to been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack)Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served currentlydetected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any if we’re to exclude the most abused infection vector for 2008.

    A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywordsand using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live spaces.  Approximately 70 to 80 bogus LinkedIn profiles appear to been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack)Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served currentlydetected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any if we’re to exclude the most abused infection vector for 2008.

    A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered as a valuable asset in the arsenal of the blackhat SEO knowledgeable cybecriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywordsand using them as bogus content for the automatically generated bogus profiles using Microsoft’s Live spaces.  Approximately 70 to 80 bogus LinkedIn profiles appear to been created within the past 24 hours, with LinkedIn’s staff already removing some of them. Go through related coverage of previous malware campaigns abusing legitimate services - (Spammers targeting Bebo, generate thousands of bogus accounts; Malware and spam attacks exploiting Picasa and ImageShack)Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served currentlydetected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance — if any if we’re to exclude the most abused infection vector for 2008.

    7 Favorites

    Today’s hidden dangers: Social networks under attack - Presentation Transcript

    1. Today’s hidden dangers: Social networks under attack Ș tefan T ă nase Senior Regional Researcher Kaspersky Lab EEMEA Webstock 2009 – Bucharest, Romania - 18 September 2009
      • Do you believe in superstitions ? I don’t.
      • 911 - emergency phone number
      • Today:
        • 18 September 2009, 18.09.2009, 18.09.09, 18.9.9
        • 1 + 8 = 9
      • Today’s presentation:
        • 11 security incidents that changed the social networking world in 2009. 11 and 09.
      • Social networks: 911
      Overview 18 September 2009 Webstock 2009
    3. LinkedIn – just a starter 18 September 2009 Webstock 2009
        • Massive malware campaign starts targeting LinkedIn
        • Why LinkedIn? Beacause it worked!
        • Blackhat SEO
        • By googling for “ Jessica Alba naked ” or “Keri Russell nude” the user would find the malicious profiles indexed
        • Top 5 in SERPS
      • January 2009 - Bogus LinkedIn profiles serving malware
      • February 2009 – First commercial Twitter spamming tool
        • Tweettornado.com - “ fully automated advertising software for Twitter ”
        • Was empowering phishers, spammers, malware authors and everyone with the ability to generate unlimited Twitter accounts
        • Features: add unlimited number of followers , automatically update all accounts through proxy servers with identical messages
      Twitter spam gets automated 18 September 2009 Webstock 2009
      • April 2009 – Twitter gets hit by XSS worm
        • Multiple variants of the worm were identified
        • Thousands of spam messages containing the word "Mikeyy“ filled the timeline
        • Proof of concept – no malicious intent
        • Author got a job at a web security company
      Comeback of the XSS worm 18 September 2009 Webstock 2009
    6. Comeback of the XSS worm 18 September 2009 Webstock 2009
    7. Social engineering at its best 18 September 2009 Webstock 2009
        • Public information posted to social networks by twitter admin
        • Used by French hacker in social engineering attack
        • To answer Yahoo! Mail security question and reset the password
        • “ Wow - my Yahoo mail account was just hacked. “
        • “ If anyone with Yahoo! Security is out there, hit me up with an reply “
      • April 2009 – Twitter admin panel gets hacked
      • May 2009 – Harvesting email addresses in real time
        • Why search for emails when you can get fresh ones in real time ?
        • http://search.twitter.com/ is the answer!
        • Simple, but effective search queries:
          • “ email me at” + “yahoo.com”
          • “ contact me at” + “gmail.com”
        • Personalized attacks start happening
      What are you doing? Harvesting. 18 September 2009 Webstock 2009
    9. Trendy malware 18 September 2009 Webstock 2009
      • June 2009 – Trending topics start being exploited
    10. Short URLs, big problems 18 September 2009 Webstock 2009
        • The best things about short URLs
          • There are so many!
        • Problems with short URLs:
          • Social engineering is easy
          • Questionable reliability
          • Implicit trust
        • Cli.gs gets hacked , no malicious intent – but what if ?
        • Too many redirects hosted in the same place is not good news
      • June 2009 – URL shortening service Cli.gs gets hacked
      • June 2009 – Guy Kawasaki's Twitter account hijacked
        • Of course, it was used to push malware.
        • Both Windows and Mac malware .
        • 140,000 Twitter users were potential victims.
        • The hook? “sex tape video free download”
      Follow me! Me me me! 18 September 2009 Webstock 2009
    12. The web 2.0 worm 18 September 2009 Webstock 2009
      • June 2009 – Explosive growth of Koobface modifications
        • The number of variants detected jumped from 324 at the end of May to almost 1000 by the end of June 2009
        • This sign of increased cybercriminal activity involving social networks in the past months proves that the strategies being used by the bad guys to infect users are much more efficient when adding the social context to the attacks
    13. The web 2.0 worm 18 September 2009 Webstock 2009
    14. Koobface on the tweet 18 September 2009 Webstock 2009
      • June 2009 – Koobface spreading through Twitter also
        • First discovered one year ago by Kaspersky Lab , Koobface was only targeting Facebook and MySpace users
        • Being constantly “improved” , now spreading through more social networks : Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
    15. One bird and two stones 18 September 2009 Webstock 2009
      • August 2009 – Twitter knocked offline by DDoS attack
        • The morning of August 6 th - Twitter gets hit for an extended period of time
        • Rumors they are facing a massive distributed denial-of-service attack
        • Twitter confirmed the outage in a brief status message
        • Service was restored gradually , first in the US, then the rest of the world
        • Problems with the API lasted several days
    16. That’s it? 18 September 2009 Webstock 2009
    17. What’s next? 18 September 2009 Webstock 2009
      • It is just the beginning
      • Attack techniques exploiting social networks will continue to grow
      • Social networks will open up new ways for targeted attacks against individuals
      • It will be very hard for social networks to do better : their business means usability, not security
      • Be careful out there !
    18. Thank you! stefant @kaspersky. ro twitter.com/ stefant Ș tefan T ă nase Webstock 2009 - Bucharest, Romania - 18 September 2009 Senior Regional Researcher Kaspersky Lab EEMEA

    + Stefan TanaseStefan Tanase, 2 months ago

    custom

    1565 views, 7 favs, 8 embeds more stats

    A timeline of security incidents on social networks more

    More info about this document

    © All Rights Reserved

    Go to text version

    • Total Views 1565
      • 1521 on SlideShare
      • 44 from embeds
    • Comments 0
    • Favorites 7
    • Downloads 48
    Most viewed embeds
    • 18 views on http://www.tudormoldovan.com
    • 11 views on http://www.golaniajay.com
    • 10 views on http://www.slideshare.net
    • 1 views on http://www.mybyte.co.za
    • 1 views on file://

    more

    All embeds
    • 18 views on http://www.tudormoldovan.com
    • 11 views on http://www.golaniajay.com
    • 10 views on http://www.slideshare.net
    • 1 views on http://www.mybyte.co.za
    • 1 views on file://
    • 1 views on http://192.168.0.66:2009
    • 1 views on http://the-refreshing-sip.blogspot.com
    • 1 views on http://www.apprentice.ro

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories

    Tags

    more
    -->
    Search
    RSS Feed
    What's new?

    © 2009 SlideShare Inc. All Rights Reserved