In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends Want to Eat Your Brains", presented at DEFCON 17. This presentation further examines the risks of social networks and then presents new techniques and tools that can be used to exploit these issues. It begins by discussing new twists on existing privacy concerns caused by the mass of trust placed in social networks; the presenters use this privacy confusion to exploit members and their companies during penetration tests. The presentation then discusses social network botnets and bot programs, examining both the delivery of malware through social networks and the use of social networks as command and control channels. Tom, Kevin and Robin next explore browser-based bots and their delivery through custom social network applications, and show new ways social network applications can be used for malware delivery. Finally, the information available through social network APIs is explored using third-party applications designed for penetration testing, which allows complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.
37. Still easy to exploit trust!
• More difficult to tell a bot from a real account
• Accounts are easy to create
• Socnet User Verification = FAIL
• Twitter “Verified” Accounts?
• Connections based on other “friends”
39. New Facebook Privacy Settings
• Your info is even more open!
• Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all public
• “Suggested” settings are set to EVERYONE
• Zuckerberg says users don’t want privacy...
55. How do pen testers and attackers use this?
Thank you Social Networks!
56. Wealth of recon information!
• Socnet Search Engines
• Maltego (Twitter and Facebook)
• Google Hacks
• site:facebook.com inurl:group (bofa | "bank of america")
• Manual Searching
• Status Updates
• Real Time Search
59. Koobface Evolving
• Still the #1 socnet worm
• Targets all major socnets
• Socnet chat vectors
• Now with CAPTCHA
• Adobe/IE 0day, Zeus Trojans FTL
*Screen shots via McAfee Labs/PandaLabs
61. Months of Bugs!
• July 2009 - Month of Twitter Bugs (Aviv Raff)
• September 2009 - Month of Facebook Bugs (theharmonyguy)
• Vulnerabilities affecting over 9,700 Facebook applications
• Over half of vuln apps had passed the Facebook “Verified” Application program
• Six of the hacked applications in the “Top 10” (Farmville and Causes!)
• Most could be used with ClickJacking to install
65. More than 218 million Facebook users were vulnerable!
68. More Evil Twitter Bots
• Bots that pull trending topics...post malware links
• Used recently to promote warez like pirated movies
• Easy to code. Twitter API FTW
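The bots described on this slide have a recognisable shape: a burst of posts, each carrying a currently trending hashtag plus an external (usually shortened) link. The following is an added defender-side example, not code from the talk or from any of the presenters' tools; it scores accounts from a constructed sample of tweets against a constructed trending list. The tweet layout (a dict with `user`, `ts` in epoch seconds and `text`), the `TRENDING` set, the `SHORTENERS` list and the thresholds in `score_accounts` are all assumptions chosen for the example.

```python
"""Heuristic scoring of trending-topic spam bots (added example, not from the slides).

Assumed input shape: each tweet is a dict with 'user', 'ts' (epoch seconds) and 'text'.
The trending-topic set would normally come from the platform's trends endpoint; here it
is constructed inline so the example runs offline.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data: a burst-posting bot-like account and a human-like account.
TRENDING = {"#shmoocon", "#oscars", "#snowpocalypse"}

SAMPLE_TWEETS = [
    {"user": "bot_01", "ts": 1000, "text": "#shmoocon watch it free here http://bit.ly/aaa"},
    {"user": "bot_01", "ts": 1010, "text": "#oscars full movie download http://bit.ly/bbb"},
    {"user": "bot_01", "ts": 1020, "text": "#snowpocalypse exclusive http://bit.ly/ccc"},
    {"user": "bot_01", "ts": 1030, "text": "#shmoocon #oscars http://bit.ly/ddd"},
    {"user": "alice", "ts": 1000, "text": "Sitting in the #shmoocon keynote, great talk"},
    {"user": "alice", "ts": 4000, "text": "Lunch break. Anyone want to grab food?"},
    {"user": "alice", "ts": 9000, "text": "Slides are up: http://example.org/talk.pdf"},
]

URL_RE = re.compile(r"https?://\S+")
HASHTAG_RE = re.compile(r"#\w+")
# Assumed list of URL shorteners; short links hide the landing domain from the reader.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "t.co"}


def tweet_features(text):
    """Return (urls, lower-cased hashtags, shortened urls) found in one tweet."""
    urls = URL_RE.findall(text)
    tags = {t.lower() for t in HASHTAG_RE.findall(text)}
    shortened = [u for u in urls if urlparse(u).netloc.lower() in SHORTENERS]
    return urls, tags, shortened


def score_accounts(tweets, trending):
    """Group tweets per account and compute link, trend and rate metrics.

    An account is flagged 'suspect' when nearly every post carries a link and a
    trending hashtag and the posts arrive at least once a minute. Thresholds are
    assumptions for the example, not published detection rules.
    """
    by_user = defaultdict(list)
    for t in tweets:
        by_user[t["user"]].append(t)

    results = {}
    for user, items in by_user.items():
        items.sort(key=lambda t: t["ts"])
        n = len(items)
        with_link = with_trend = with_short = 0
        for t in items:
            urls, tags, short = tweet_features(t["text"])
            with_link += bool(urls)
            with_trend += bool(tags & trending)
            with_short += bool(short)
        span = items[-1]["ts"] - items[0]["ts"]
        # Posting rate in tweets per minute; a single tweet has no measurable rate.
        rate = (n - 1) / (span / 60) if span > 0 else 0.0
        link_ratio = with_link / n
        trend_ratio = with_trend / n
        short_ratio = with_short / n
        suspect = n >= 3 and link_ratio >= 0.8 and trend_ratio >= 0.8 and rate >= 1.0
        results[user] = {
            "tweets": n,
            "link_ratio": link_ratio,
            "trend_ratio": trend_ratio,
            "short_ratio": short_ratio,
            "rate_per_min": rate,
            "suspect": suspect,
        }
    return results


if __name__ == "__main__":
    for user, m in score_accounts(SAMPLE_TWEETS, TRENDING).items():
        flag = "SUSPECT" if m["suspect"] else "ok"
        print(f"{user:8} tweets={m['tweets']} links={m['link_ratio']:.2f} "
              f"trend={m['trend_ratio']:.2f} rate/min={m['rate_per_min']:.2f} {flag}")
```

The three ratios are kept separate rather than folded into one score so an analyst can see which signal fired; the short-link ratio is reported but not used in the verdict, since plenty of legitimate accounts use shorteners and the rate plus trend-hijacking combination is the more distinctive trait the slide describes.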
69. Better Automated Tools
• Tools are getting more reliable
• CAPTCHA bypass built in, able to offload to outsourced solution
• Automated tools are cheap!
Why roll your own?
(or get it for free via Torrent!)
83. SocNet APIs
• Social network APIs provide a wealth of information
• All the big ones offer them
• Some play catch up
• We get to play with these APIs
84. Im'ma Let You Finish
• New front end for Social Butterfly
• KanyeWestify allows us to update your wall
86. So what did we do?
• Using the API, we grabbed the user's information
• And their Friends' data
• In this version we used the FQL queries from theHarmonyGuy
• Full backup of your account
• We also used JS to brute force browser history
• We can map visited pages to users of Facebook!
• Marketing FTW!