With the rise of social engineering malware attacks through social networks, employees have become key actors in the distribution of malicious software (commonly known as malware). Although social engineering has long been a real-world threat to businesses, the emergence of social networks has created new techniques for carrying it out. Social networks, arguably the biggest technological development since the PC and the mobile phone, are huge vectors for malware distribution. They have grown enormously and are now the most popular communication infrastructure for Internet users. As a major component of Web 2.0 technology, this platform has totally reinvented how Internet users create, view and share information, making an active online presence a matter of necessity for billions of Internet users.
Social engineering is commonly described as the science and art of human hacking, and social engineering malware has become quite popular in recent years given the exponential growth of social networks. In this context, social engineering is the term used to describe the art of tricking computer users into executing malicious computing activities without being any the wiser. For example, a social engineering victim may be conned into clicking a link that promises entry into a get-rich-quick scheme but instead redirects to a phishing site, where sensitive data such as location, account username and password may be harvested. Social engineering has become more technical and complex; social engineering attacks are being computerized and fully automated and are becoming adaptive and context-aware.
To cyber criminals, social engineering is appealing because individual schemes can be crafted in response to current events, including major news, seasonal sporting events, celebrity updates, promotions and scary ruses. As such, these campaigns can take advantage of people’s curiosities and fears and lead them into harm’s way.
With the rise of social media, social engineering has only become easier; potential attackers can leverage trending hashtags on Twitter and create “must see” posts on Facebook and other channels that entice viewers with link-bait headlines. At the same time, age-old manoeuvres such as fake holiday cards and spam emails are still commonplace, making social engineering one of the most versatile cybercrime tactics.
Types of Social Engineering Attacks on Social Networks
The idea behind these attacks is simple: cybercriminals create interesting posts that act as bait. Typical social engineering tactics include intriguing posts that ride on seasonal events, celebrity news and even disasters. Users who click the links then inadvertently act as accomplices to the attacker, because the malicious scripts automatically re-post the links, images or videos on the profile pages of their online connections. A more popular version of this attack causes user profiles to “like” a Facebook page without the owner’s consent. In some instances, spammed posts eventually lead users to survey sites from which cybercriminals can profit.
Facebook applications enable users to play games, add profile features and more. Its open platform allows practically anyone to develop and submit applications that users can access. Of course, cybercriminals also use this opportunity to create rogue applications that may be used for spamming posts or for phishing attacks.
Attacks via Facebook chat:
Facebook’s built-in chat feature makes it easier for users and cybercriminals alike to strike up conversations with friends and to communicate with their contacts in real time. In previous attacks, chat messages were used to spread malware and to promote phishing applications.
Apart from basic spamming, Twitter has also been used to spread posts with links to malware download pages. There have been several incidents to date, including posts that used blackhat search engine optimization (SEO) tricks to promote FAKEAV and backdoor applications, a Twitter worm that sent direct messages, and even malware that affected both Windows and Mac OSs. The most notorious social media malware, however, is still KOOBFACE, which targeted both Twitter and Facebook. Its most popular social engineering tactic is the use of video-related posts, which eventually lead users to a fake YouTube page where they download the malicious file. It also uses blackhat SEO tactics, usually based on trending topics on Twitter.
As if propagating spam and malware weren’t enough, cybercriminals also found a way to use Twitter to manage and control botnet zombies. Compromised machines infected with WORM_TWITBOT.A can be controlled by the botmaster running the Mehika Twitter botnet simply by sending out commands through a Twitter account. Using the microblogging site has its advantages and disadvantages, but it is interesting to see how cybercriminals managed to use a social media site in lieu of a traditional command-and-control (C&C) server.
Despite the character limit on Twitter, cybercriminals have found a way to turn this limitation to their advantage by creating short but compelling posts with links. Examples include promotions for free vouchers, job advertisement posts and testimonials for effective weight loss products. A Twitter kit was even created to make spamming easier for cybercriminals.
Social Network Malware Attack Process
The figures below demonstrate a typical social engineering malware ploy executed by attackers, which enticed unaware users into sharing somewhat pornographic content on Facebook. A typical malware infection starts with spam sent through Facebook, Twitter or other social networking sites containing a catchy message with a link to a “video.”
Figure 1: The lure is presented on the timeline of the attacker
Clicking the link redirects the user to a website designed to mimic YouTube (but named YuoTube).
Figure 2: The victim clicks the link and gets redirected to a Fake YouTube Page
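As an added example (not code from the original article), the Python below flags hostnames that imitate a brand name by a small typo, such as the YuoTube page above, and calls out executable downloads served from such hosts, using a few constructed proxy log lines. The brand list, the log format and the sample hosts are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Brands worth protecting; an assumption for this example, not from the article.
BRANDS = ["youtube", "facebook", "twitter", "linkedin"]

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 10.0.0.5 GET http://www.youtube.com/watch?v=abc 200
2023-01-01T10:00:09Z 10.0.0.5 GET http://yuotube.example/video.php?id=1 200
2023-01-01T10:00:12Z 10.0.0.5 GET http://yuotube.example/setup/adobe_flash_player.exe 200
2023-01-01T10:01:00Z 10.0.0.7 GET http://twitter.com/home 200
"""

def damerau_levenshtein(a: str, b: str) -> int:
    # Optimal string alignment distance: insert/delete/substitute plus adjacent
    # transposition, so "yuotube" is a single edit away from "youtube".
    d = [[max(i, j) if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_brand(host: str):
    # Compare the second-level label with each brand; an exact match is genuine.
    labels = host.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    best = min(BRANDS, key=lambda brand: damerau_levenshtein(sld, brand))
    dist = damerau_levenshtein(sld, best)
    return best if 0 < dist <= 2 else None

def scan_proxy_log(text: str):
    # Return (client, host, reason) for requests to lookalike hosts; an executable
    # fetched from such a host (the fake "Adobe flash" installer) is called out.
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], urlsplit(parts[3])
        brand = lookalike_brand(url.hostname or "")
        if brand is None:
            continue
        reason = f"lookalike of {brand}"
        if url.path.lower().endswith(".exe"):
            reason += ", executable download"
        findings.append((client, url.hostname, reason))
    return findings
```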
The user is then prompted to install an executable (.EXE) file or, in some cases, to agree to share the video with ‘friends’ before being able to watch it.
Figure 3: The victim attempts to watch the video and gets a prompt to share before watching.
Figure 4: The victim is prompted to download ‘Adobe flash’ to watch the video
The .EXE file, however, may not be the actual malware but rather a downloader of malware components.
The downloader’s actual purpose includes the following:
Determine what social networks the affected user is a member of
Connect to the malware Command & Control (C&C)
Download the malware components the C&C instructs it to download
To determine which social networks the affected user is a member of, the malware downloader checks the Internet cookies on the user’s machine. The malware downloader can check the cookies for most of the popular online social networking sites, including Facebook, Twitter and LinkedIn.
The presence of a cookie means the user has logged in to the corresponding social networking site. The malware downloader then reports all social networking site cookies it finds to the malware C&C. Depending on the cookies found, the malware C&C determines the additional components the malware downloader needs to download. For instance, if the affected user has Facebook and Twitter accounts, the malware downloader reports the presence of these sites’ cookies to the malware C&C, which then instructs the downloader to fetch the social network propagation components responsible for sending out messages on Facebook and Twitter. Apart from the necessary social network propagation components, the malware C&C may also instruct the malware downloader to download and install other malware that acts as Web servers, ad pushers, rogue AV installers, CAPTCHA breakers, data stealers, Web search hijackers and rogue DNS changers.
The social network propagation components may be referred to as the actual malware worm, since they are responsible for sending out the messages on social networking sites that eventually lead back to the malware downloader.
In general, each social network module is designed to do the following:
Contact the KOOBFACE C&C
Get the related messages and URLs from the KOOBFACE C&C
Post the messages and URLs to the social networking site
Retrieve text messages and URLs from the KOOBFACE C&C and mail these to the social network inboxes of the affected user’s friends
Components of the KOOBFACE botnet owe their continued proliferation to the gratuitous link-sharing behaviours commonly seen on social networking sites.