The Seven Deadliest Social Networking Hacks
Think you know who your real online friends are? You could be just a few hops away from a cybercriminal in today's social networks
Kelly Jackson Higgins
August 26, 2008
It started with a stolen Facebook photo attached to an inflammatory profile. It led to online harassment, death threats, and emails to the victim's boss questioning the victim's character. The online personal attack against Graham Cluley earlier this year is just one example of how easy it is to use a social network to damage the reputation of an individual -- or an entire company.
Cluley's case shows just how rapidly social networks can spread a smear campaign or personal attack -- and how quickly it can bleed into the victim's professional life. Cluley, a senior technology consultant with Sophos, recently met another victim of a similar attack on Facebook, Kerry Harvey. He says it was apparently an acquaintance of Harvey's who built a phony Kerry Harvey Facebook profile that listed her occupation as prostitute, complete with her cellphone number. (See ID Theft Victim Branded a 'Prostitute'.)
Could such a thing happen to you or to employees at your company? You bet. Social networks are the next major attack venue for trolls, spammers, bot herders, cybercriminals, corporate spies -- and even jilted ex-lovers or enemies -- to make money, or just plain wreak havoc on their victims' personal lives, security experts say.
"It's the easiest way to passively gain intelligence on the largest groups of society and nearly every walk of life," says Robert Hansen, aka RSnake, founder of SecTheory LLC.
The root of the problem is that social networking sites by nature aren't secure. They typically don't authenticate new members -- you can't always be sure that your online friend is who she says she is -- and attackers can easily exploit the trusted culture within the social network. Users often don't enable the security and privacy options that some of these sites offer, either.
Social networking application development tools like OpenSocial and third-party applications on Facebook, for example, can be abused by attackers to spread malware or lift personal information. There's also the very real risk of corporate espionage, with attackers culling tidbits from personal or professional profiles to wage targeted attacks on businesses via their employees. And popular Web attacks, like cross-site scripting, can also be used against members of social networks.
And don't think for a minute that a private or closed profile keeps you safe from attack or personal embarrassment, either. "There is no such thing as privacy on the Internet," says Adam O'Donnell, director of emerging technologies for Cloudmark. "You are only delaying the inevitable information leakage for any content you put online. My recommendation is to treat the Internet as if all content there lasts forever."
Attacks on social networking sites have only just begun, so think twice before you get too personal with what you post on them, or too loose about accepting and trusting new friends and connections.
"You're only going to see these attacks on social networks go up," says researcher Nathan Hamiel, who along with colleague Shawn Moyer conducted some relatively simple but scary hacks on various social networks that they demonstrated at Black Hat USA and Defcon 16 this month. "We've noticed some weird social networking attacks since we did our talk at those hacker conferences," he says.
Here's a look at the seven most lethal social networking hacks:
1) Impersonation and targeted personal attacks
You'd think security experts would be relatively immune from social networking hacks since, well, they're security experts. But a recent wave of nasty hacks targeting security industry figures such as Alan Shimel of StillSecure and Petko Petkov of GNUCitizen, in which their personal email accounts and other private data were raided and posted on the Net, demonstrated that a determined attacker can get to the experts, too.
Putting yourself out there with a social network presence basically leaves you open to all kinds of attacks, even personal ones. Just ask Sophos's Cluley, who faced hate messages, death threats against his wife, and his photo superimposed on pornographic images after his Facebook photo was stolen. "They didn't use my name," he says, but all it took was someone recognizing his face.
Twitter, the microblogging site where members post quick updates on what they're doing or comments to multiple followers, introduces a whole other element to social networking security -- physical security, experts say. "I never talk about where I am, who I'm with, where I'm going, or any other specific details," RSnake says. "But that doesn't stop anyone else who knows that same information from doing that behind my back - maliciously or not."
Sophos's Cluley says posting too much information on Twitter, such as your whereabouts or trip plans, leaves you wide open to things like burglary or stalking. "Twitter is a fascinating thing. To be honest, it could lead to all sorts of physical problems, such as physical theft or jealous exes tracking what their ex is up to," says Cluley, who tweets his blog titles. "When I post to my blog, I'm not saying I'm at the supermarket. First of all, who cares? I much prefer to wait until I get back from the store to say what I'm doing," he says.
And as Hamiel and Moyer demonstrated at Black Hat USA and Defcon 16, you don't even have to have a social networking profile to be targeted. The two researchers easily impersonated security icon Marcus Ranum (with his permission) on LinkedIn, the social network for businesspeople. Ranum doesn't have an account, so the two simply lifted Ranum's photo off the Internet, gathered information on him online, and built a convincing phony Ranum profile. (See LinkedIn Hack Demonstrates Ease of Impersonation.)
They channeled Ranum so well that they amassed 42 LinkedIn connections within 12 hours, even duping Ranum's own sister into connecting with the phony Ranum profile.
2) Spam or bot infections
Spammers -- whether for plain old advertising, click fraud, or bot recruitment -- need mechanisms that efficiently deliver and spread their messages, malware, or both. And attackers have already homed in on the social networking community, hijacking accounts and using their contact lists to spread spam, worms, or other malware.
"We're seeing more and more malware via spam and links in spam. We're seeing this with malware text on Facebook and Twitter that's designed to draw people to particular pages," Sophos's Cluley says.
Most recently, attackers hijacked some Facebook accounts and, posing as the account holders, sent messages to their friends to dupe them into following a link to a video clip. The link actually led to a Trojan that silently downloaded malware onto the victim's machine.
A recent report by ScanSafe found that in July, up to one in 600 profile pages on social-networking sites hosted some form of malware, mostly adware and spyware.
3) Weaponized OpenSocial and other social networking applications
Users often don't think anything of installing an application in their browser. "But these applications can all have the same levels of access to their system, and some of the most private information is often [stored] in the browser, so it can be more dangerous," Moyer says. "It blows my mind how people can think that downloading [these applications] is not as bad as downloading some application to their system."
That makes third-party application platforms like OpenSocial a dangerously handy tool for attackers. "The addition of the third-party application service also allows for another avenue for code-based attacks to occur," Cloudmark's O'Donnell says.
"These are opt-in only, and a limited number of developers use the tools. What ends up happening is that developers with a limited amount of security-sensitive development experience create these applications that spread like wildfire, allowing a new vector for infection on many profiles -- and by infection, I primarily mean attacks focused inside the social network," O'Donnell says.
Users don't always realize that third-party widgets for Facebook, for example, weren't written by Facebook. Some have holes that collect more information on users than is necessary or safe, and others have been written specifically to install adware or generate revenue. To its credit, Facebook has shut down some of these apps that behaved inappropriately, Sophos's Cluley notes.
A rogue application called Secret Crush was circulating on Facebook earlier this year, spreading spyware instead of love. (See 'Secret Crush' Spreads Spyware, Not Love.) It sent victims an invitation to find out who had a secret "crush" on them, and lured them into installing and running the Secret Crush app, which delivered spyware via an iframe. The attack became more worm-like by requiring the victim to invite at least five friends before learning who their crush was.
"They [these sites] are basically under constant attack," Moyer says. "We think a lot of the Web 2.0 problems [with these sites] are more about how much trust is being placed on the client side."
4) Crossover of personal to professional online presence
Even if you keep a MySpace account for personal use and a LinkedIn one for professional networking, there's no guarantee that those late-night partying pictures aren't going to end up in front of your colleagues on LinkedIn, or worse, your boss.
"Consider everything on a social network to be public, whether it's private photos or work history," Hamiel says. "You can't stop a friend from copying your stuff and putting it wherever they want."
There are some measures social networkers can take to keep the details of their social and personal lives from spilling over into their professional ones. Cloudmark's O'Donnell says he doesn't bother with separate personal and professional social networking accounts: "For me I find it far easier to not keep them separate, and to present a professional face on both my personal and my professional profiles."
You can also set up limited profiles on sites like Facebook. "I can add someone as a limited friend, and they don't know they're limited. They can't see my holiday photos, for instance," Sophos's Cluley says. "That way, I've really tied down and parceled up what I want as my real close friends on the site."
There are also privacy settings that control what information you share with others on the social network, and what information Facebook apps can get and share about your profile.
5) XSS, CSRF attacks
Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are obvious attack vectors, and some social networking worms have used XSS flaws to help propagate. But most social networks have tightened their defenses against XSS attacks, security experts say, and CSRF attacks are not yet common.
XSS and CSRF still pose a big risk to these sites, especially when it comes to social networking applications, experts say. In an XSS attack, attacker-supplied script is injected into a page served by a vulnerable Web application and runs in the browser of every user who views that page, with that user's privileges on the site. In a CSRF attack, the attacker tricks the victim's browser into making a request to the site on the attacker's behalf; because the browser automatically attaches the victim's session cookie, the site treats the forged request as coming from the logged-in user.
"Anytime [that] you, an attacker, can force a user to load HTML, the potential is there for browser exploits, botnet infections, and account manipulation via XSS/CSRF," says HD Moore, director of security research for BreakingPoint Systems.
A CSRF attack could also jump across multiple social networking sites that the user is logged into, effectively spreading the attack from one social network to another. It could, for example, force a victim viewing a CSRF-laden page on MySpace to post something on his own wall on Facebook if the wall-posting function was vulnerable. "I think [CSRF] certainly is one useful vector that's being overlooked now," Moyer says.
Meanwhile, with the openness of social networks, attackers don't really need to bother with complicated XSS or CSRF attacks. "But if you [the attacker] combine attack vectors, you could be a lot more effective. We think as long as [social networks] allow users to create markup in profiles and comments and link to external content, this will continue to be a problem," Moyer says.
6) Identity theft
A social network profile can give away some valuable tidbits -- the victim's name and date of birth -- that identity thieves can use to guess passwords or impersonate them, and eventually steal their identity, some security experts say.
But that doesn't mean identity thieves are crawling all over social networks, Hamiel says. "I just think that the claims that social networks are an identity theft magnet are overblown."
Social networkers sometimes inadvertently hand over the goods themselves: In a study Sophos conducted over a year ago, about 41 percent of the Facebook users in the study gave out their email address, date of birth, and phone number to someone they didn't know.
One safety tip for social networkers is not to answer all the questions the site poses, and not to provide your true date of birth, Sophos's Cluley says. "You don't need to tell Facebook your educational background, your phone number, etc. You don't even have to tell them your real date of birth," he says. "I want the identity thief to get the wrong date of birth."
You can even make up a phony maiden name for your mother. "Don't make it something that's a matter of public record," he says.
Even so, social networks tap into human nature's innate need to socialize, and the bad guys know it. "People aren't very good at security," RSnake says. "We were built to work in teams, we're pack animals."
7) Corporate espionage
Even if an employer blocks access to social networks from the office, the organization can still be susceptible to corporate espionage via its employees' personal profiles.
To pull off a spear phishing attack, for example, all an attacker has to do is search a social networking site for Company A's employees, then pose as someone within the organization -- such as the head of human resources -- and email the addresses he finds. A phony HR spear phish could look something like this, Sophos's Cluley says: "Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files."
A newcomer to the company could easily fall for the ploy and hand over access to the corporate network, he says.
The best shot at preventing this hack is for social networkers to limit what they post publicly and keep their employer's name out of their profile. "Keeping the name of your employer... far away from your personal profiles can reduce the chance that someone will target your employer through you," BreakingPoint's Moore says. "The trouble is that even with completely separate personal and professional identities, it only takes one scrap of public information linking the two to negate all of the time that went into separating them in the first place."
That's because the six degrees of separation rule applies on most social networks: You're only a few hops away from a bad guy. "We know that there are bad people on these networks using them to steal information," Cluley says. "You may be only half a dozen hops from an identity thief if we're all connected."
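The HR spear phish Cluley sketches above, turned into a mail-filter check, as an added example that is neither code from the article nor from any product named in it. It flags a message when the sender domain is a near-miss of the company's own, when a message claiming an internal role (HR, helpdesk, intranet) links to hosts outside the company, or when it asks the reader to log in with network credentials through a link. COMPANY_DOMAIN, the function names, and the three sample messages (including the Fred Jones text from the article, given a lookalike sender and link) are constructed assumptions, not real mail or real addresses.

```javascript
// Added example (not from the article): a mail-filter check for the HR-style
// spear phish described in the text. COMPANY_DOMAIN and the sample messages are
// constructed for this example; they are not real addresses or real mail.
const COMPANY_DOMAIN = 'xyzcompany.example';

// "Human Resources <hr@xyzcompany.example>" -> "xyzcompany.example"
function senderDomain(fromHeader) {
  const m = /<([^>]+)>/.exec(fromHeader);
  const addr = (m ? m[1] : fromHeader).trim();
  const at = addr.lastIndexOf('@');
  return at < 0 ? '' : addr.slice(at + 1).toLowerCase();
}

// Hostnames of every http(s) link in the body (unparsable URLs are skipped).
function linkHosts(body) {
  const hosts = [];
  for (const m of body.matchAll(/https?:\/\/[^\s<>"')]+/g)) {
    try { hosts.push(new URL(m[0]).hostname.toLowerCase()); } catch (_) { /* skip */ }
  }
  return hosts;
}

function isInternalHost(host) {
  return host === COMPANY_DOMAIN || host.endsWith('.' + COMPANY_DOMAIN);
}

// Single-row Levenshtein edit distance, used to spot lookalike domains.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A sender domain that is not ours but is within two edits of it
// (xyz-company, xyzc0mpany) is a lookalike, not a colleague.
function looksLikeCompanyDomain(domain) {
  if (!domain || isInternalHost(domain)) return false;
  const label = (d) => d.split('.')[0];
  return levenshtein(label(domain), label(COMPANY_DOMAIN)) <= 2;
}

// msg = { from, subject, body }. Returns { suspicious, reasons }.
function classifySpearPhish(msg) {
  const reasons = [];
  const domain = senderDomain(msg.from);
  const text = `${msg.from}\n${msg.subject}\n${msg.body}`;
  const claimsInternalRole = /\b(HR|human resources|intranet|IT department|helpdesk)\b/i.test(text);

  if (looksLikeCompanyDomain(domain)) {
    reasons.push(`sender domain ${domain} is a lookalike of ${COMPANY_DOMAIN}`);
  }
  const external = linkHosts(msg.body).filter((h) => !isInternalHost(h));
  if (claimsInternalRole && external.length > 0) {
    reasons.push(`claims an internal role but links to ${external.join(', ')}`);
  }
  if (/log ?in with your .{0,60}?password/i.test(msg.body)) {
    reasons.push('asks the recipient to enter network credentials via a link');
  }
  if (claimsInternalRole && domain && !isInternalHost(domain) && !looksLikeCompanyDomain(domain)) {
    reasons.push(`claims an internal role from outside domain ${domain}`);
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample messages.
const SAMPLE_MESSAGES = [
  { // the phish from the text, sent from a lookalike domain with an off-domain "intranet"
    from: 'XYZ Human Resources <hr@xyz-company.example>',
    subject: 'Welcome to XYZ Company',
    body: 'Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link ' +
          'http://hr-intranet.xyz-company.example/login to access our HR Intranet and then ' +
          'log in with your regular network username and password so we can update our files.',
  },
  { // a genuine HR note: internal sender, internal link, no credential request
    from: 'Human Resources <hr@xyzcompany.example>',
    subject: 'Benefits enrollment opens Monday',
    body: 'Enrollment details are on the intranet: https://intranet.xyzcompany.example/benefits',
  },
  { // an outside webmail sender posing as the helpdesk
    from: 'IT Helpdesk <xyz.helpdesk@mail.example>',
    subject: 'Mailbox over quota',
    body: 'Your mailbox is full. Log in with your network password at http://mailbox-quota.example/xyz',
  },
];
```

The check is deliberately layered: the lookalike test alone would miss a phish sent from a throwaway webmail account, and the external-link test alone would miss a phish whose only ask is to reply with a password, so each sample message trips a different combination of reasons while the genuine HR note trips none.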