Threat Research

Targeting next generation users on social networks

By Derek Manky | June 18, 2009

While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many peoples lives - some may even call them home (at least to their browsers). In 2008, we predicted the wave of spam that would hit these "Web 2.0" platforms as it was a natural target for spam to migrate to after years of living inside of mass mailers. Indeed, throughout the year of 2008 we witnessed a barrage of attacks on these sites: malicious social applications, "Spam 2.0", worms such as Koobface, XSS exploits, and various phishing campaigns. Here we are, a year and a half later and the spam attacks not-surprisingly continue.

Amongst all of this activity, more platforms with further complexity continue to arise and gain popularity, such as micro-blogging site Twitter. Naturally, some of the similar aforementioned attacks have followed as well. One of the effective mechanisms of next-generation worms traversing through linked accounts on social networking sites is that malicious links are sent out from one connected contact to another. Since most of these contacts presumably know each other, there is a higher level of trust - and a tendency for any recipient to let their guard down when clicking on these links. Most threat activity we have seen on social networking sites come from harvested accounts, from worms like Koobface and phishing campaigns. These accounts are typically used in ad-hoc fashion to blast out messages or invites to their contacts. Mass mailers, now typically hosted on botnets, follow the same pattern: they harvest accounts, and send out spam to as many contacts as possible - and have been doing this for a very long time. Enter targeted attacks.

There has been an increasing trend of targeted attacks, ones that are premeditated and delivered to usually only a handful of recipients, if not just one. These are often delivered as poisoned documents that trigger exploits, and drop malware such as keylogger trojans. For a detailed investigation, you may read further here. In parallel with the increasing targeted attack front, we have witnessed an increase in document exploit activity. Figure 1 below shows a 6 month window of detected activity for common exploited document formats: XLS, DOC, and PDF:


With the amount of attacks that are circulating on next generation platforms, "Web 2.0", whatever you want to call it - it is only a matter of time until cyber criminals become more aggressive and innovative with their methods. They have already started this transition and are in full-swing with targeted attacks through traditional e-mail, so it is likely that they will follow suit and expand their horizons to new channels. Harvested accounts from social networks are primed for targeted attacks, and in theory would be even more effective than the already dangerous targeted attacks through traditional e-mail. This is because of several factors:

  1. Social networks host a wealth of information that would assist in social engineering hooks (think personal information and profiles, messages archived / posted, etc)

  2. User bases have exploded on popular social network sites, and everybody is participating: from end users, celebrities / officials and enterprise (marketing, PR, executives, the list goes on)

  3. Next generation platforms not only support the basic attack vectors that e-mail does (files and malicious links), but offer much more opportunities for attack, innovation and expansion

  4. As I already pointed out, social networking rings / established contacts have a high degree of trust already

Framework is already in place to siphon account credentials with ease, as we have witnessed over the last year. With favored targeted attack methods becoming quite active (Figure 1 - poisoned documents), and ample opportunity on the horizon, it is suffice to say that the Internet is indeed a scary and hostile place. Always try to validate the identity of any contact, especially when file attachments or malicious links are involved.

Join the Discussion