Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/7/2015
10:30 AM
James C. Foster
James C. Foster
Commentary
Connect Directly
LinkedIn
Facebook
Twitter
RSS
E-Mail vvv
50%
50%

The Rise Of Social Media Botnets

In the social Internet, building a legion of interconnected bots -- all accessible from a single computer -- is quicker and easier than ever before.

The Internet economy is a fascinating development of our time -- whatever you’re looking for, there’s sure to be an e-commerce marketplace gushing with buyers and sellers. The Internet has done to markets what social networks have done to global interactions: created an open, democratized venue with outrageously low barriers to entry. If you have an Internet connection, like nearly half of the earth’s population, you can purchase a ShamWow, pay someone to stand in line for you, download Adobe Photoshop, or even buy a social botnet.

Anatomy of a social botnet
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. This means building a legion of interconnected bots is much quicker and easier than ever before, all accessible from a single computer.

The person commanding the botnet, also known as a bot herder, generally has two options for building their botnet. The first is fairly ad hoc, simply registering as many accounts as possible to a program that allows the herder to post via the accounts as if they were logged in. The second approach is to create the botnet via a registered network application: the attacker makes a phony app, links a legion of accounts, and changes the setting to allow the app to post on behalf of the associated accounts. Via the app, the herder then has programmatic access to the full army of profiles. This is essentially how ISIS built their Dawn of Glad Tidings application, which acts as a centralized hub that posts en masse on behalf of all its users.

Types of social botnet attacks
With the rise of social media, a social botnet can be used to amplify the scope of an attack or automate the dissemination of malicious links. A few types of common attacks include:

Hashtag hijacking. Hashtag hijacking involves leveraging a hashtag to target a certain organization or group. By appropriating organization-specific hashtags, bots distribute spam or malicious links that subsequently appear in organization’s circles and news feeds, effectively focusing the attack on that group.
Trend-jacking/watering hole. Trend-jacking is similar to hashtag hijacking in that bots use the hashtags to direct their attack. Attackers pick the top trends of the day to disseminate the attack to as broad an audience as possible. In doing so, the attacker makes a “social watering hole” around the trend by planting the payload where the potential victims are interacting; think of a crocodile at the edge of a watering hole, letting the prey come to him.
Spray and pray. Spray and pray involves posting as many links as possible, expecting to get only a click or two on each. These bots will often still intersperse odd or programmatically generated text-based posts, simply to fly under the social network’s Terms of Service radar. This tactic often leverages clickbait and is coupled with one of the above strategies.
Retweet storm. Most social networks have an eye peeled for malicious activity. One clear indicator of malicious botnet activity is a post that is instantly reposted or retweeted by thousands of other bot accounts. The original posting account is generally flagged and banned, but the reposts and retweets remain. The parent account, known as the martyr bot, sacrifices itself to spread the attack.
Click/Like Farming. Bots are ideal for inflating followers: a seedy marketing strategy designed to make a page or conversation look more popular.

Monetizing a social botnet
Malicious botnets exist on a spectrum of maliciousness but at their core, all have one of a handful of motivations. On the more benign end of the spectrum is shady marketing. Botnets are leveraged to increase followers or disseminate links and ads. Paying a bot herder to repost or favorite an ad on social media can go a long way in reaching the target audience.

Most botnets fall between the middle and top of the maliciousness spectrum. In the middle of the spectrum are the spam bots: fairly benign from a cyberattack standpoint but still a massive organizational risk if they hijack a company hashtag or target employees and customers. These bots post links to fake Viagra websites, pornography, or too-good-to-be true diet pills, which can do serious damage to brand reputation if they go unchecked.

On the outright malicious top-end of the spectrum are phishing and malware bot campaigns. Bot herders leverage botnets to distribute these links across social media. The lucrative part of the attack involves selling the phished information or the myriad of ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Unlike traditional botnets, social botnets are not as readily leveraged in DDoS attacks. Bots can repost content, but can’t make requests on an IP address. However, social botnets are leveraged as Command & Control devices to coordinate DDoS attacks by re-posting instructions, including attack date/time, port numbers, domains, and target IPs.

Welcome to the botnet store
In cybercriminal marketplaces and hacker hubs, one of the most traded and highest selling goods are the credentials for a social botnet. Not only do bot herders outright sell their social botnets, but they also rent their botnets. People will pay herders to access their botnets for a discrete amount of time or to control a certain number of bots. Consider a bot herder like the landlord of a massive apartment complex. The highest bidder gets access for a specified amount of time before the herder changes tenants.

An ancient Roman writer, Publilius Syrus, described the foundation of economics succinctly: “Everything is worth what the buyer will pay for it.” For the buyer, social botnets provide a tangible, lucrative value. For the bot herders, building and maintaining their botnets is a full time business.

Luckily for the herders, business is booming.

James C. Foster is an industry veteran and a world-renowned thought leader on cybersecurity. He's published over a dozen books, holds patents, has spoken on Capitol Hill about the increase in international cyber threats, and is a recognized keynote speaker. In 2006, Foster ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cmccardell
50%
50%
cmccardell,
User Rank: Apprentice
7/8/2015 | 11:05:49 AM
Facebook Botnet city
I mapped the dridex botnet infrastructure utilizing maltego with KALI.  All of its endpoints are fake users and malicious urls with regards to facebook games. It sends a malicious facebook games link asking for the users payment information or that their account has been compromised and it needs them to reset its password following the url. Dridex is huge it spans from US, UK, CH, and AU domains. It has several users connected to each of those domains with various alias's and email addresses.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...