2. Agenda
• Will not talk about content-related issues
• Social Media from the perspective of the adversaries
• Examples from the past
3. Perspective
• Security Incident Response / CERTs/CSIRTs
• Dealing with
– Malware Spread
– Data Breach
– Social Engineering
– Fraud and Scams
• Are attackers taking advantage of the Social Media platform?
– What platform was used before the current generation of social media networks?
4. Malware Command & Control (2009)
Src: https://www.secureworks.com/blog/twitter-based-botnet-command-and-control
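The linked post describes a botnet that fetched its commands from a public Twitter feed. A bot that does this has to poll the feed on a timer, and that timer is visible to the network controls mentioned at the end of the talk: the same client re-requesting the same URL at near-constant intervals. The block below is an added example written for this page, not code from the talk or from the Secureworks post. The proxy log format, the feed URL, the client addresses and the detection thresholds are all constructed or assumed for the example.

```python
"""Periodic-poll (beacon) detection over constructed proxy logs.

Added example. A bot fetching commands from a social-media feed polls it on
a timer; the timer shows up as a client re-requesting one URL at nearly
constant gaps. Log format, URLs, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample (not real traffic): "<ISO timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls a hypothetical feed every ~5 minutes; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2009-08-13T10:00:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
2009-08-13T10:00:10 10.0.0.7 GET http://www.facebook.com/home.php
2009-08-13T10:00:45 10.0.0.7 GET http://www.facebook.com/home.php
2009-08-13T10:02:30 10.0.0.5 GET http://www.example.org/index.html
2009-08-13T10:03:12 10.0.0.7 GET http://www.facebook.com/home.php
2009-08-13T10:05:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
2009-08-13T10:09:59 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
2009-08-13T10:11:40 10.0.0.7 GET http://www.facebook.com/home.php
2009-08-13T10:12:05 10.0.0.7 GET http://www.facebook.com/home.php
2009-08-13T10:15:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
2009-08-13T10:20:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
2009-08-13T10:24:58 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_feed.rss
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Assumed thresholds: at least 5 fetches, a mean gap of >= 30 s, and gaps that
# vary by less than 10% (coefficient of variation) before we call it a beacon.
MIN_HITS = 5
MIN_MEAN_INTERVAL = 30.0
MAX_CV = 0.10


def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, _method, url = m.groups()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.netloc.lower(), parts.path


def find_beacons(text, min_hits=MIN_HITS, min_mean=MIN_MEAN_INTERVAL, max_cv=MAX_CV):
    """Return one finding per (client, host, path) fetched at near-constant intervals."""
    hits = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        hits[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_mean:
            continue  # rapid bursts are ordinary page loads, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client, "host": host, "path": path,
                "hits": len(stamps), "mean_interval": avg, "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']}: {f['hits']} hits, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f})")
```

On the constructed sample only the 10.0.0.5 feed polling is reported (six fetches about 300 s apart); the Facebook browsing from 10.0.0.7 hits the same path five times but with wildly varying gaps and is left alone. The check keys on timing, not on the destination, so it works the same for a feed on any "default allow" platform; a bot that adds random jitter to its sleep defeats the coefficient-of-variation test, which is why this belongs alongside, not instead of, endpoint telemetry.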
6. Cybercrime: Koobface (2008)
• Tricks users into installing malware (uses short URLs)
• Made use of social media networks (Twitter, Bebo, Facebook, Hi5, Friendster, MySpace, etc.)
• Exploits users' trust: 400k – 800k infections
• Criminals able to monetize (pay-per-install, pay-per-click); earned over USD 2 million between June 2009 and 2010
7. PupyRAT Campaign (2017)
• Social Engineering: use of a "fake profile"
• Accounts on popular social media sites (LinkedIn, FB, Blogger)
• Targeted Attack: identify and interact with victims
– 'trust building' before sending malicious documents
• Fake personas used in conjunction with emails
Source: https://www.secureworks.com/research/the-curious-case-of-mia-ash
8. Operation Strikeback (Interpol 2014)
• Interpol-coordinated operation targeting the organized crime networks behind sextortion cases
• Call centres with agents
• Demands between USD 500 and 15,000
• Many victims globally, including in the Asia-Pacific (AP) region
• Victim targeting via social media
https://www.interpol.int/News-and-media/News/2014/N2014-075
9. Pre-ATT&CK
• Q: How is the adversary targeting you?
• A: Conduct social engineering (information about the organisation, people, technology)
• Definition: Social engineering is the practice of manipulating people in order to get them to divulge information or take an action.
• Easy for the Adversary (Yes/No): Yes
– Explanation: Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.
• Detectable by Common Defenses (Yes/No/Partial): No
– Explanation: No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.
ATT&CK: https://attack.mitre.org/
10. Conclusion
• Attackers make use of Social Media platforms
– Default Allow, 24x7 Infrastructure
– Watering Hole
– Exploit Trust Relationships
– Different Types of Devices (Phones & Laptops)
– Targeted Profiling
• Controls:
– Social Media Providers
– User Awareness (Threats & Best Practices)
– Endpoints / Network Controls
• Challenges
– Investigation
– Information Sharing