
Twitter spam – Spitter? Tpam?

Unless you’ve been living under a rock for the past couple of years, you have been exposed to Twitter in some shape or form. Having adopted this means of socializing myself not too long ago (I’ve been researching its security since day zero, and jumped on the bandwagon a few months ago), I once again have to live with the bad aspects of social networks.

When you finally think that a social network platform would be immune to the perils of spam and malicious content, it’s funny to see how spammers, especially on the adult content side, have been using Twitter to peddle their stuff… Instead of tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay my respects with a full blog post.

[Screenshot: spitter]

So here are my 2 new followers (the one mentioned in my older tweet has fled, probably didn’t get what they signed up for 😉 ). I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content shows up (unless you consider NSFW dangerous; no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…). Pushing malweb through Twitter has been going on for a while; the example below shows the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

[Screenshot: maltweet1]

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

[Screenshot: trendwhoring]

Obviously all the keywords at the time this was published were on the trending top list…
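Both patterns above (one URL ridden across several trending topics by several accounts, and one tweet stuffed with every trending keyword) are easy to spot from a feed once you look for them. The script below is an added illustration, not code from the original post; the topics, accounts and URLs in it are constructed sample data, and the thresholds are arbitrary assumptions to tune against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample data: a trending-topic list and (author, text) tweets.
# None of the accounts or URLs are real; they mimic the patterns in the post.
TRENDING = {"#defcon", "#vegas", "#iranelection", "#swineflu"}

SAMPLE_TWEETS = [
    ("acct_a", "#defcon is on! must see http://bad.example/x"),
    ("acct_b", "#iranelection latest http://bad.example/x"),
    ("acct_c", "#swineflu update here http://bad.example/x"),
    ("acct_a", "#vegas so hot http://bad.example/x"),
    ("acct_d", "See you at #defcon, slides at http://legit.example/talk"),
    ("acct_e", "#defcon #vegas #iranelection #swineflu free pics http://adult.example/"),
    ("acct_f", "#vegas trip was fun, no link"),
]

URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"#\w+")


def trending_tags(text, trending):
    """Trending hashtags present in one tweet (case-insensitive)."""
    return {t.lower() for t in TAG_RE.findall(text)} & trending


def cross_trend_urls(tweets, trending, min_topics=3, min_authors=2):
    """URLs pushed into at least `min_topics` distinct trending topics by at
    least `min_authors` distinct accounts: the "foot soldier" pattern."""
    topics = defaultdict(set)   # url -> trending topics it rode on
    authors = defaultdict(set)  # url -> accounts that posted it
    for author, text in tweets:
        tags = trending_tags(text, trending)
        for url in URL_RE.findall(text):
            topics[url] |= tags
            authors[url].add(author)
    return {u for u in topics
            if len(topics[u]) >= min_topics and len(authors[u]) >= min_authors}


def trend_stuffed(tweets, trending, min_tags=3):
    """(author, text) for tweets stacking `min_tags` or more trending tags
    into one message: the trend-hijacking pattern."""
    return [(a, t) for a, t in tweets if len(trending_tags(t, trending)) >= min_tags]


if __name__ == "__main__":
    print(cross_trend_urls(SAMPLE_TWEETS, TRENDING))
    print(trend_stuffed(SAMPLE_TWEETS, TRENDING))
```

Note that the keyword-stuffed tweet is not caught by the first rule with the default thresholds, since a single account posted it; lowering `min_authors` to 1 catches it at the cost of more false positives on legitimate multi-tag tweets.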

Are you LinkedIn/Facebooked/Twittered/Beboed/Viadeoed/etc?

I’ve just finished reading a great little note from Brian Krebs in the Washington Post that enabled me to “out” (don’t worry, I won’t) an incident that some of us in the security industry have been following in the last few days. One of “ours” has been hijacked on Twitter, and the impersonator who hijacked him was twittering rants and raves that were actually close to this person’s professional life.

This makes you think again about what we have been discussing in the annual threat report: social networking threats are getting real. Once again, our recommendation is to get your online identity straightened out. Make sure you are aware of who you are online, and own your identity online, even if that means registering with the major social networks just to “plant your flag”, as Brian so eloquently put it (as long as you point the flag to the social networking identity you actually use…).

Check out the original article by Brian here, and our annual report here [PDF].

Social aspects of web security – the March edition

It’s that time of the year again… March Madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we will be seeing in the coming months. Just as we have portrayed before, eCrime is a social animal as well, and is not going to let the action go by without having a go at the crowd.

As usual, it’s the same technique all over again: using SEO (Search Engine Optimization) to grab high rankings in search results for the event’s keywords and leading users who click on the related links to a variety of malicious content. We have seen similar techniques used during the US presidential election season, covered quite elaborately in the past, and don’t be surprised to see more of the same hitting the next seasonal event as long as it can attract enough “eyeballs” on search engines.

The oracle strikes again – “Browser OS” threats start to appear

Moving on from the social networking issues we outlined in the past couple of weeks: after following the predictions and their materialization (here, here, here in the announcement of Gmail offline, here, and here), we can already see the “Browser OS”, as we dubbed it in our annual threat and predictions report, begin to materialize as well.

As per a recent Register article, threats related to Google Gears™ have started to appear, taking advantage of the extended capabilities granted to the browser, just as we predicted in our report. We named Google’s Gears, Adobe’s AIR and Microsoft’s Silverlight as the prominent technologies that would enable the “Browser OS” and would be scrutinized for their security implications.

As always, we are not here to say “nay” to every new technology; just the opposite: these technologies are the future, and they enable businesses and individuals alike to be more productive and have a better web experience. The only claim here is that anyone who sets out to provide internet and web security should put more focus on measures that take these technologies into account, and have enough forward-looking vision to execute on it.

Social networking threats – the “hacker” story

As the social networking threats angle is picking up a lot of traction lately <pat_on_own_back>, the folks at Netragard have posted a great write-up on using social networks as an attack tool, involving both social engineering and technical exploits. The post can be found here, and I just want to quote a couple of sections that I feel very strongly about:

“The social reconnaissance enabled us to identify 1402 employees, 906 of which used facebook. We didn’t read all 906 profiles but we did read around 200 which gave us sufficient information to create a fake employee profile” … “After the payload was created and tested we started the process of building an easy to trust facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching google images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.”

Needless to say, the newly created fake profile, which could just as well have been a hijacked one, went a long way in enabling the attackers (who were commissioned to perform a penetration test this time) to gain access to internal company resources quite easily.