Endpoint

8/31/2017
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

New Facebook, Instagram Bugs Demonstrate Social Media Risk

Security flaws in Facebook Messenger and Instagram let hackers propagate attacks and steal personal data.

Researchers at Kaspersky Lab recently discovered cyberattacks on Instagram and Facebook Messenger intended to steal credentials and spread malware, respectively. Both instances demonstrate the potential danger when an attacker seeks power in a social network.

The two attacks, while similar in their use of social networks, were otherwise different in nature. The Instagram attacks were manual and targeted high-profile victims. The Facebook campaign used advanced tactics to infect a large and indiscriminate pool of users.

Instagram's vulnerability exists in mobile version 8.5.1, which was released in 2016. Attackers can simply select "reset password," capture the request using a Web proxy, select a victim, and submit a request to Instagram's server with the target's unique identifier or username. The server returns a JSON response with the victim's personal data, like email and phone number.

"The attacks are quite labor intensive," Kaspersky Lab researchers explain. "Each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form."

Hackers were found on an underground forum exchanging personal credentials for celebrity accounts. Researchers reported the bug to Instagram on August 29; on August 30, the photo-sharing app had warned users of the vulnerability and issued a fix. Users are advised to update their apps to the latest version and alert Instagram to emails about password restoration.

David Jacoby, senior security researcher for Kaspersky Lab's Global Research and Analysis Team, picked up on the Facebook Messenger-driven malware when he received a suspicious note from a distant contact. Within minutes, he realized he had received an advanced form of multi-platform malware/adware, which was using multiple domains to prevent tracking.

Infected messages contain a shortened link, which leads victims to a Google Doc containing an image resembling a fake video player with the sender's profile photo. Google Chrome users who click the link are redirected to a fake YouTube page, which prompts them to download a fake Chrome extension. If installed, it spreads malicious links to the victims' online friends.

Chrome was the browser highlighted in a blog post co-authored by Jacoby and Frans Rosén, security advisor at Detectify, who was also investigating the Facebook malware. The two determined it was clear Chrome was a targeted browser for spreading the attack to other victims; in other browsers, ads were displayed and adware was downloaded on the victim's machine.

Jacoby and Rosén found several Chrome extensions were used in this campaign. All were newly created with stolen code, and similar names, to legitimate extensions. Each contained obfuscated background script that would only fetch an external URL if installed from the Chrome Webstore. Locally installed versions would not trigger an attack.

"The script would like a page on Facebook that was hardcoded in the script," researchers explain. "This was most likely used by the attackers to count the amount of infected users by keeping an eye on the amount of likes on this page."

Indeed, when observed, the "like" count quickly rose from 8,900 at one point to 32,000 a few hours later.

Google Chrome's security team disabled all malicious extensions to stop the spread of attack as much as possible; however, attackers had stolen all the access tokens from victims' accounts. This means attackers can still access these profiles, even if victims have changed their passwords, signed out, or disabled platform settings.

"We are currently discussing this with Facebook," Jacoby and Rosén report, "but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole."

The Facebook attack heavily relied on realistic social interactions, dynamic user content, and legitimate domains to spread. Researchers advise users to be careful when letting extensions control the bowser, and know which extensions they are running in the browser.

Tip: In Chrome, you can write chrome://extensions/ in your URL field to see a list of enabled extensions.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2017 | 5:54:11 PM
Insta
Makes sense that the Instagram attacks only tended to target high-profile accounts. The damage one could do with the typical Instagram account is quite limited indeed (esp. w/ MFA).
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19326
PUBLISHED: 2018-11-17
Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd.
CVE-2018-19274
PUBLISHED: 2018-11-17
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-19324
PUBLISHED: 2018-11-17
kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI.
CVE-2018-15769
PUBLISHED: 2018-11-16
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is...
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...