Online Social Networks – Launch pads for Malware

Your Expert Witness MalwareBy Aditya K Sood and Richard J Enbody - Regular contributors to the ISACA Journal.

With the advent of social networks, the online world has become a virtual society. Social networks serve as seamless communication channels, but at the same time they are ideal launch pads for malware infections. As a result there has been a tremendous increase in the dissemination of malware infections through social networks. The security and privacy mechanisms of social networks such as Twitter and Facebook have proven insufficient to prevent exploitation. As we know “To Err is Human,” and human errors lead to exploitation and manipulation whether the social network is online or offline.

Exploiting Human Trust, Curiosity and Ignorance

Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. If an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content (such as malicious URL’s) into the network. The connectivity of the network enables the spread of the exploitation. That is, the attacker exploits the weakest link in the chain. This exploitation process is aided by the inability of users (and their stored objects) to determine the legitimacy of content flowing through the social network. The infection process begins with the exploitation of human ignorance and curiosity followed by spreading of the infection through the trust upon which the network is based.

In order to start the exploitation process, an attacker can pick any issue that affects human emotions to drive the user in a social network to follow the path generated by the attacker. Topics such as weather calamities, political campaigns, national affairs, medical outbreaks and financial transactions are used for initiating infections. Phishing and spamming are used extensively for spreading messages on these topics with malicious intent. Basically, it is a trapping mechanism used by attackers to infect an entire online social network.

Exploit Mechanisms – The Art of Infection

Since social network exploitation begins by exploiting an individual user’s trust, curiosity, or ignorance common attack strategies have emerged:

One of the simplest infection techniques is the injection of malicious URLs into a user’s message wall. Since it can be difficult to differentiate between the legitimate URLs and illegitimate ones even a careful user can be tempted to click on the link. Unfortunately for the user, clicking the hyperlink can result in automatic download of malware from a malicious domain through the browser.

• Browser Exploit Packs (BEP) hold a number of browser-based exploits that are bundled together to customize the response to a victim. When a user visits a malicious domain, the BEP fingerprints the browser version and the related environment of the user machine. Based on this information, a suitable exploit is served to the user which exploits the integrity of that particular browser.
• Drive-by-Download attacks are triggered by visiting a malicious page. They exploit browser vulnerabilities in plugins and built-in components. Successful exploitation of the vulnerability results in the execution of shell code that in turn downloads the malware into the system. A variation of the Drive-by-Download attack is the Drive-by-Cache attack that can exploit browser cache functionality in order to execute malware.
• Malicious advertisements (malvertisements) are yet another technique to spread malware infections through online social networks. When an attacker injects the malicious link in a user message board, it is linked to a third party website which has malicious advertisements embedded in it. These advertisements are further linked to malicious JavaScripts which are retrieved by the browser that executes the malicious content in the context of running browser with the user’s privileges.

The biggest problem with the online social networks is that they do not have sufficient built-in protection against malware. For example, current social networks do not scan the URL’s and embedded content coming from third party servers such as Content Delivery Networks. Therefore, there is no mechanism to detect the authenticity of URL’s that are passed as message content among the user objects in the online social networks. In addition, it is easy to upload malvertisements, and social networks fail to raise any warning. Online social networks are not harnessing the power of Safe Browsing API’s from Google or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation. Finally, many social network users are not knowledgeable enough to differentiate between real and malicious entities. Ignorance not only results in exploitation, but also greatly impacts the overall security of online social networks. Because of the high connectivity and need for trust in a social network users are particularly dependent on the built-in security features of online social networks, but the security features are not tough enough to thwart many malware attacks.

Conclusion

Robust security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity and ignorance to garner maximum profit. User awareness regarding security concerns is important but can only spread gradually, so social networks should be proactive and develop more sophisticated and stringent mechanisms to thwart malware infections. Safe and secure transmission of the information and robust user’s privacy should be the paramount concern of the social networking companies.

Biography

Aditya K Sood is a regularly writes articles for the ISACA Journal and is a senior security researcher and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security Labs, an independent security research arena for cutting edge computer security research. At SecNiche, he also acts as an independent researcher and security practitioner for providing services including software security and malware analysis. He has been an active speaker at industry conferences and already spoken at RSA, HackInTheBox, ToorCon, HackerHalted, Source, TRISC, AAVAR, EuSecwest, XCON, Troopers, OWASP AppSec USA, FOSS, CERT-IN, etc. He has written content for HITB Ezine, Hakin9, ISSA, ISACA, CrossTalk, Usenix Login, and Elsevier Journals such as NESE and CFS. He is also a co author for debugged magazine.

Richard J. Enbody, Ph.D., regularly writes articles for ISACA Journal and is associate professor in the Department of Computer Science and Engineering at Michigan State University (USA) where he joined the faculty in 1987. Enbody has served as acting and associate chair of the department and as director of the computer engineering undergraduate program. His research interests include computer security; computer architecture; web-based distance education; and parallel processing, especially the application of parallel processing to computational science problems. Enbody has two patents pending on hardware buffer-overflow protection that will prevent most computer worms and viruses

About ISACA

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter: http://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official)