Aditya K. Sood and Richard Enbody, Ph.D.
Social networking has completely transformed social life in the online world. It has become the most acceptable pattern of forging social connections on the web. Every new development has pros and cons in its own sphere, though, and social networking web sites are no different. Online social networks, being a part of the Web 2.0 world, are prone to attacks and malware infections.
Social networks, such as Facebook, Twitter, MySpace, Orkut and Friendster, pose a grave threat to the security and privacy of users. This article discusses malware infection strategies used by attackers to infect social networking web sites and addresses security from the user perspective, outlining effective, secure steps that can reduce the impact of malware infections.
With the growth of new technology trends, the online world has noticed an explosive growth in social networking. The definition of social culture has changed with the social networking revolution. The process of developing social relationships among individuals has become easier through social web sites. Recent developments in social networking have transformed the world from a social perspective; however, this new type of socializing has raised concerns about the privacy and security of Internet users.
Concerns for security and privacy go hand in hand. Social networking poses an extensive threat because it is a technology-dependent culture. In general, social networks are pool networks because of the interconnectivity among various participating elements. In a real-world model, these elements are the actual users in an online network. Social networks are an ingrained part of the World Wide Web; however, they are not completely protected from various web attacks that are executed to spread malware across the web. The threat models of regular web applications and social networking web sites are similar. Social networking web sites require an appropriate security control to preserve the privacy, security and integrity of users. The model presented in figure 1 gives an idea of the web malware infections in a social network. The black nodes represent the users in the social networks who have interrelations. In general, it shows the interconnectivity patterns.
Broadly, this model suggests the chain infection process in a social network. The risk of infection is high because of the interrelationships. Therefore, an infection in one node can impact all of the other nodes that are interconnected with the infected node. For example, one malicious user profile in a social network can infect the other user profiles that share a mutual connection.
Recently, there has been an increase in web malware and spam[1] activities because social networks can be used to support these attacks. Social networking web sites are acting as powerful magnets[2, 3] that attract fraudsters. Social networking worms such as Koobface[4] and the Twitter worm[5] have already shown their devastating nature. Primarily, the social networking worms exploit a Cross-site Scripting (XSS) vulnerability to include malicious scripts from third-party domains. XSS worms are self-replicative in nature and spread rapidly on social networking web sites because of the interconnection among various profiles. This type of malware infection is termed a chain infection because one malicious node infects another. In general, the default design of social networking web sites is exploited to conduct attacks and spread malware.
The following infection strategies are utilized by attackers to spread malware through social networking web sites by taking advantage of user ignorance.
Malicious Profile Generation
Social networks are based on the concept of online identities that interact together to form a virtual social network. The identities are created as user profiles that reveal the kind of information the user wants to display on the social network. It is hard to set an appropriate control on user profiles that can secure the identities completely; however, some standard controls have been defined by social networking web sites to prevent users from performing unwanted operations and to secure users by restricting the flow of information. This process is effective to some extent, but an attacker exploits the inherent nature of social networks to tempt users to perform illicit operations on the social network.
One of the most common techniques used by attackers is generating fake profiles. These profiles can be of celebrities, models, advertisements, etc. Fake profiles can be used for many purposes including monitoring users, revenge and business.
The fake profiles tempt users to read the malicious content that is posted on the messaging walls used for communication. Once users visit such profiles, embedded malicious codes start infecting the users with malicious executables.
From a security perspective, this is a clear case of identity theft in social networks, and the type of information present in fake profiles is used in a plethora of scams. Moreover, it is difficult to discount the fact that the malicious scams are uncontrollable. Facebook, Twitter and MySpace users, for example, have been victims of these kinds of scams and identity frauds because it is hard to restrict the functioning of users based on identity profiles in the network. This is the inherent vulnerability of social networks. Social networks are adding secure protocols for automatic detection of these malicious fake profiles, but the protocols are not robust enough.
Exploitation of “Social Human Touch”
“Social human touch” is an outcome of relationships among various online identities in social networks. It is defined as the trust between engaged profiles and the kind of social bond shared by them in a network. Social human touch and ignorance are two faces of an active entity, i.e., user identity in social networks.
Exploitation of online social trust is considered an entry point of malware infections. For example, by an attacker’s use of spam, a user is directed to a fake profile that uses hyperlinks to redirect the users to the malicious domain. The rogue profile tempts users to visit that domain by presenting them with an attractive slogan, advertisement or caption. For example, a slogan stating “Click here for a new video release from the world’s most famous musician” may entice users to visit that link. The music file starts serving malware while playing. The authors’ research has shown that music players, such as Windows Media Player and QuickTime Player, can be used to hide malicious code that acts as a backdoor for spreading malware to users. It is not possible for attackers to spread malware directly, but they play around with the psychology of legitimate users to exploit users’ ignorance, thereby serving users with an unwanted gift in the form of malware and controlling users’ machines afterward.
Worm Generation—Chain Infection and Reaction
Social networks have become the most susceptible platform for spreading malware. Worms exploit the nature of social networks because of the interconnection among legitimate users. Attackers follow the process of chain infection and reaction to trigger malware through worms. It can be devastating because exploitation of interconnected identities results in a diversified infection. While encountering malware on a day-to-day basis, a generic model has been designed to understand the working of worms that infect social networking web sites on a large scale. It can be explained in two steps:
The two-step infection can be mapped as one to many (1:N). Once the chain is created, it becomes prevalent and infection keeps increasing, not only at the system level but also through the World Wide Web—especially social networks.
Drive-by-Download Attacks
What happens exactly when a user visits a malicious link?
This can be explained by understanding Drive-by-Download[6] attacks. This attack is used heavily to “fingerprint” the victim browser and serve malicious executables. Drive-by-Download is defined as an attack in which a user’s browser is exploited and malware is downloaded into the victim’s machine without the consent or knowledge of the user. Everything happens automatically, but it is not as easy as it may seem. The malware domain fingerprints the type of browser used by the user, and based on that information, a specific exploit is served. This is done to ensure reliability. For example, if a user is running version 7 of Internet Explorer (IE), the malware domain scrutinizes the version through user agent strings and serves the requisite exploit for the same version. The victim browser will not be served with an exploit if a different version of IE is running in the user environment. This methodology is used by attackers to control the infection process so that detection becomes difficult. Obfuscation techniques used by attackers may result in bypassing antivirus solutions so that malware remains undetected.
Exploitation of Custom Code and Social Networking APIs
The release of open application programming interfaces (APIs) by social networking web sites has completely transformed the realm of malware infections. In general, these APIs are used for customizing and designing applications that use social networking web sites to execute their content, meaning that a user can design a custom code to derive an interface with social networking web sites. The deployed custom applications can be accessed by a number of identities present in the social networking web site. Attackers design malicious applications using APIs to conduct attacks in a sophisticated manner by exploiting the generic design of an application development model, which makes the malicious applications look authentic.
Once the malware-driven application is accessed, APIs can be used to introduce malicious content into social networking web sites. Usually, the designed application has hidden links to the malware domain. The application remains persistent and becomes active when a user accesses any module for performing a specific set of operations. Many of the methods discussed previously can be used directly in this way.
Facebook Markup Language (FBML)[7] is used to provide a custom control for generating content. This language has been used to spread malware; however, Facebook allows custom applications[8] to be designed and hosted on one of its subdomain servers. This functionality has been used by attackers to host rogue applications on the Facebook domain to serve users with dedicated malware.
Exploitation of URL Shorteners and Hidden Links
Although URL shortening services[9, 10] are used for URL optimizations in which a URL is compressed, this same tactic has been adopted by attackers to fool users because it is difficult to determine the actual URL of a compressed URL. Social networking web sites have adapted this functionality, and one can find shortened URLs on a day-to-day basis. This has become a problem, though, because attackers are utilizing these services to hide malicious links as part of the compressed URLs—users can be fooled without much complexity. As a result, phishing has become stealthier and the inherent redirection spreads malware at a more rapid rate.
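The destination hidden behind a shortened URL can be recovered before a browser opens it by reading the redirect headers hop by hop. The following Python code is an added example, not part of the original article; the function names, the blocked-host set and the .example host names in the sample table are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head_location(url, timeout=5):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=8, blocked_hosts=frozenset()):
    """Follow a shortened link hop by hop; report the real destination."""
    chain, verdict = [url], "ok"
    while True:
        parts = urlsplit(chain[-1])
        if parts.scheme not in ("http", "https"):
            verdict = "non-http-scheme"
            break
        if (parts.hostname or "").lower() in blocked_hosts:
            verdict = "blocked-host"   # checked before any request is sent
            break
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break                      # final destination reached
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            verdict = "redirect-loop"
            break
        if len(chain) > max_hops:
            verdict = "too-many-hops"
            break
        chain.append(nxt)
    return {"final": chain[-1], "hops": len(chain) - 1,
            "chain": chain, "verdict": verdict}

# Constructed redirect table standing in for the network (hypothetical hosts).
SAMPLE = {
    "http://short.example/a1": (301, "http://tracker.example/r?id=7"),
    "http://tracker.example/r?id=7": (302, "http://malware.example/video.html"),
    "http://short.example/b2": (302, "/b2"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

print(expand("http://short.example/a1", sample_fetch, blocked_hosts={"malware.example"}))
```

Called without the fetch argument, expand() uses head_location() against the live network; the full chain in the result shows every intermediate redirector, not only the final host.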
As discussed previously, it is hard to make social networks completely secure. The potential risk of spreading malware is ever increasing.[11] The major factor that contributes to this process is user ignorance regarding the technology used on social networking web sites.
The threat factor becomes high when user ignorance combines with the tactics presented. As a result, user privacy and information are at high risk. Identity scams may not only result in reputational damage[12] to an individual online, but they may also influence the stature of an individual’s “offline” social life.
Social networking web sites can apply controls to a certain extent, but it is difficult to provide knowledge to users about the authenticity of the hyperlinks posted to the messaging walls of their profiles. Theft of sensitive information and data can result in credit card frauds and unwanted banking transactions. The risk of compromising the user systems becomes high when a malicious binary is downloaded by clicking a hyperlink on a social networking web site. The infection entry point is the social networking web site; the infection then penetrates the user machine. The risk increases based on the user environment, such as a home personal computer (PC) or an organization-owned machine.
Organizations that use social networking web sites to advertise their products are also at a high risk when a worm outbreak occurs to spread malware across a social network, which could result in the defamation of the organization’s brand and can hamper the business to a wider extent than expected. The risks posed by social networking web sites are becoming harder to conquer.
Considering the nature of web malware in social networking web sites, it is hard to make the networks foolproof. However, the impacts can be reduced to some extent by complying with the following recommendations:
Social networks have given birth to new types of elemental relations among various entities in the online world. The social networking world is virtualized in nature, but it has real-time impacts on the lives of individuals. Since these networks are part of the online world, they are not untouched by the threats and flaws present on the World Wide Web. Security and privacy are considered basic elements for effective social networking; however, the aim of web malware is to infect users and steal information by exploiting various vulnerabilities through attacks in social networks. User ignorance is a big factor in the spread of malware and is quite hard to patch. It is hard to expect robustness from a user’s perspective; rather, it has to be an inbuilt nature of social networking web sites.
1 Sophos, “Malware and Spam Rise 70% on Social Networks, Security Report Reveals,” UK, 1 February 2010, www.sophos.com/pressoffice/news/articles/2010/02/security-report-2010.html
2 Gallagher, Sean; “Social Networks a Magnet for Malware,” InternetNews.com, 17 February 2009, www.internetnews.com/bus-news/article.php/3803051/Social-Networks-a-Magnet-for-Malware.htm
3 Miller, Chuck; “Malware Most Potent on Social Networks,” SC Magazine, 12 May 2009, www.scmagazineus.com/malware-most-potent-on-social-networks/article/136659
4 Ferguson, Rik; “New Variant of Koobface Worm Spreading on Facebook,” TrendLabs Malware Blog, 1 March 2009, http://blog.trendmicro.com/new-variant-of-koobface-wormspreading-on-facebook
5 Miller, Chuck; “Twitter Worm Underscores Socialnetworking Vulnerabilities,” SC Magazine, 13 April 2009, www.scmagazineus.com/twitter-worm-underscores-socialnetworking-vulnerabilities/article/130562
6 Howes, Eric L.; “The Anatomy of a ‘Drive-by-Download’,” www.spywarewarrior.com/uiuc/dbd-anatomy.htm
7 Facebook developers, “Facebook Markup Language (FBML),” Facebook, http://developers.facebook.com/search?q=FBML
8 Facebook; “Application Directory,” USA, www.facebook.com/apps/directory.php
9 bit.ly, USA, http://bit.ly
10 Tiny.cc, http://tiny.cc
11 Op cit, Sophos
12 Visit Vail Valley Blog, “Sherman & Howard Business Law Advisory: Internet Employment Scams Jeopardize Both Employers and Prospective Employees,” Vail Valley Partnership, 17 August 2010, http://blog.visitvailvalley.com/public/blog/258101
Aditya K. Sood has more than five years of experience in computer security and has worked in the security domain for Armorize, COSEINC and KPMG. He is founder of SecNiche Security, an independent security research firm. Sood has been an active speaker at various conferences, has written content for numerous journals and magazines, and is a Ph.D. candidate in computer science at Michigan State University (USA). Sood can be contacted at firstname.lastname@example.org.
Richard Enbody, Ph.D., is an associate professor in the department of computer science and engineering at Michigan State University. His research interests include computer security, computer architecture, web-based distance education and parallel processing. Enbody has two patents pending on hardware buffer-overflow protection that are intended to prevent most computer worms and viruses. He is the coauthor of The Practice of Computing Using Python.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.