7/7/2015, 10:30 AM
James C. Foster
Commentary
The Rise Of Social Media Botnets

In the social Internet, building a legion of interconnected bots -- all accessible from a single computer -- is quicker and easier than ever before.

The Internet economy is a fascinating development of our time -- whatever you’re looking for, there’s sure to be an e-commerce marketplace gushing with buyers and sellers. The Internet has done to markets what social networks have done to global interactions: created an open, democratized venue with outrageously low barriers to entry. If you have an Internet connection, like nearly half of the earth’s population, you can purchase a ShamWow, pay someone to stand in line for you, download Adobe Photoshop, or even buy a social botnet.

Anatomy of a social botnet
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high-profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. This means building a legion of interconnected bots is much quicker and easier than ever before, and the whole legion is accessible from a single computer.

The person commanding the botnet, also known as a bot herder, generally has two options for building their botnet. The first is fairly ad hoc, simply registering as many accounts as possible to a program that allows the herder to post via the accounts as if they were logged in. The second approach is to create the botnet via a registered network application: the attacker makes a phony app, links a legion of accounts, and changes the setting to allow the app to post on behalf of the associated accounts. Via the app, the herder then has programmatic access to the full army of profiles. This is essentially how ISIS built their Dawn of Glad Tidings application, which acts as a centralized hub that posts en masse on behalf of all its users.

Types of social botnet attacks
With the rise of social media, a social botnet can be used to amplify the scope of an attack or automate the dissemination of malicious links. A few types of common attacks include:

Hashtag hijacking. Hashtag hijacking involves leveraging a hashtag to target a certain organization or group. By appropriating organization-specific hashtags, bots distribute spam or malicious links that subsequently appear in the organization’s circles and news feeds, effectively focusing the attack on that group.
Trend-jacking/watering hole. Trend-jacking is similar to hashtag hijacking in that bots use the hashtags to direct their attack. Attackers pick the top trends of the day to disseminate the attack to as broad an audience as possible. In doing so, the attacker makes a “social watering hole” around the trend by planting the payload where the potential victims are interacting; think of a crocodile at the edge of a watering hole, letting the prey come to him.
Spray and pray. Spray and pray involves posting as many links as possible, expecting to get only a click or two on each. These bots will often still intersperse odd or programmatically generated text-based posts, simply to fly under the social network’s Terms of Service radar. This tactic often leverages clickbait and is coupled with one of the above strategies.
Retweet storm. Most social networks have an eye peeled for malicious activity. One clear indicator of malicious botnet activity is a post that is instantly reposted or retweeted by thousands of other bot accounts. The original posting account is generally flagged and banned, but the reposts and retweets remain. The parent account, known as the martyr bot, sacrifices itself to spread the attack.
Click/Like Farming. Bots are ideal for inflating followers: a seedy marketing strategy designed to make a page or conversation look more popular.
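The retweet storm above has a simple signature a platform or brand-protection team can look for: one original post that many distinct accounts repost almost instantly. The following toy detector, added here and not part of the original column, runs that check over a constructed event timeline; the event format, the `martyr_bot`/`bot000` account names and the thresholds are all assumptions for the example (the article describes storms of thousands of reposts, so production thresholds would be far higher).

```python
"""Toy "retweet storm" detector for the pattern described in the column.

Events are constructed sample data, not taken from any real platform:
    (timestamp_s, account, kind, post_id, parent_id)
kind is "post" for an original post or "repost" for a retweet/share of parent_id.
"""
from collections import defaultdict

# Constructed timeline (seconds since an arbitrary epoch).
EVENTS = [
    (0, "martyr_bot", "post", "p1", None),          # original malicious post
    # 40 distinct bot accounts repost p1 within the first 4 seconds
    *[(1 + i % 4, f"bot{i:03d}", "repost", f"r{i}", "p1") for i in range(40)],
    (10, "alice", "post", "p2", None),              # ordinary post
    (300, "bob", "repost", "r_b", "p2"),            # organic reposts, spread out
    (1800, "carol", "repost", "r_c", "p2"),
    (3500, "dave", "repost", "r_d", "p2"),
]


def find_storms(events, window_s=60, min_accounts=25):
    """Return {parent_id: (original_poster, distinct_reposters)} for every
    original post reposted by at least `min_accounts` distinct accounts
    within `window_s` seconds of its creation.

    The original poster is the "martyr bot" the column describes; the
    reposting accounts are what a reviewer should keep looking at after
    the parent account is banned, because the reposts stay live."""
    origin = {}                   # post_id -> (timestamp, author)
    reposters = defaultdict(set)  # parent_id -> set of reposting accounts
    for ts, account, kind, post_id, parent_id in sorted(events, key=lambda e: e[0]):
        if kind == "post":
            origin[post_id] = (ts, account)
        elif kind == "repost" and parent_id in origin:
            t0, _ = origin[parent_id]
            if 0 <= ts - t0 <= window_s:
                reposters[parent_id].add(account)
    return {
        pid: (origin[pid][1], len(accounts))
        for pid, accounts in reposters.items()
        if len(accounts) >= min_accounts
    }


if __name__ == "__main__":
    for pid, (martyr, n) in find_storms(EVENTS).items():
        print(f"storm on {pid}: martyr={martyr}, {n} distinct accounts within window")
```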

Monetizing a social botnet
Malicious botnets exist on a spectrum of maliciousness, but at their core all have one of a handful of motivations. On the more benign end of the spectrum is shady marketing. Botnets are leveraged to increase followers or disseminate links and ads. Paying a bot herder to repost or favorite an ad on social media can go a long way in reaching the target audience.

Most botnets fall between the middle and top of the maliciousness spectrum. In the middle of the spectrum are the spam bots: fairly benign from a cyberattack standpoint but still a massive organizational risk if they hijack a company hashtag or target employees and customers. These bots post links to fake Viagra websites, pornography, or too-good-to-be-true diet pills, which can do serious damage to brand reputation if they go unchecked.

On the outright malicious top-end of the spectrum are phishing and malware bot campaigns. Bot herders leverage botnets to distribute these links across social media. The lucrative part of the attack involves selling the phished information or the myriad of ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Unlike traditional botnets, social botnets are not as readily leveraged in DDoS attacks. Bots can repost content, but can’t make requests against an IP address. However, social botnets are leveraged as command-and-control channels to coordinate DDoS attacks by reposting instructions, including attack date/time, port numbers, domains, and target IPs.

Welcome to the botnet store
In cybercriminal marketplaces and hacker hubs, one of the most traded and highest-selling goods is the set of credentials for a social botnet. Not only do bot herders outright sell their social botnets, but they also rent them. People will pay herders to access their botnets for a discrete amount of time or to control a certain number of bots. Consider a bot herder like the landlord of a massive apartment complex: the highest bidder gets access for a specified amount of time before the herder changes tenants.

An ancient Roman writer, Publilius Syrus, described the foundation of economics succinctly: “Everything is worth what the buyer will pay for it.” For the buyer, social botnets provide a tangible, lucrative value. For the bot herders, building and maintaining their botnets is a full time business.

Luckily for the herders, business is booming.

James C. Foster is an industry veteran and a world-renowned thought leader on cybersecurity. He's published over a dozen books, holds patents, has spoken on Capitol Hill about the increase in international cyber threats, and is a recognized keynote speaker. In 2006, Foster ...
Comments
cmccardell
User Rank: Apprentice
7/8/2015 | 11:05:49 AM
Facebook Botnet city
I mapped the Dridex botnet infrastructure utilizing Maltego with Kali. All of its endpoints are fake users and malicious URLs with regards to Facebook games. It sends a malicious Facebook games link asking for the user's payment information or claiming that their account has been compromised and that they need to reset its password by following the URL. Dridex is huge; it spans US, UK, CH, and AU domains. It has several users connected to each of those domains with various aliases and email addresses.