By

Social Networks & Social Engineering – Twitter Round 1

My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.

First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.

From their website Nicholas Carr describes it as “the telegraph system of Web 2.0” while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”

The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more populare sites for these services are:

  • TinyURL.com
  • bit.ly
  • get-shorty.com
  • SnipURL.com

These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888

Using these shortened URLs on Twitter allows members to include some description with their link.

I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.

You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.

I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.

Much to my surprise, all of the links that used TinyURL.com delivered the following message:

“The TinyURL (shows link) you visited was used by it’s creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violation of our terms of use include:

  • Spam – Unsolicited Bulk E-mail
  • Fraud or Money Making scams
  • Malware
  • or any other use that is illegal”

This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, replace tinyurl.com with preview.tinyurl.com. For instance if you see a link like: http://www.tinyurl.com/8888, before clicking on it, change the URL to: http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you with a link that says, “Proceed to this site.”

I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.

You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.

With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.

One other service I investigated, SnipURL.com clearly states on their website:

“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”

At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.

I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.

You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site – because you’re either relying on the poster or Twitter. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it no matter how important you think it might be.

Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.

By

Social Networks & Social Engineering – What a Pair

When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed on it “head in the sand” mentality.

We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.

Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to resonate one key strategy – build community. On of their favorite strategies is using social networks to build this community of loyal followers.

I shouldn’t say it’s one of their strategies, it’s one of their tactics. Their strategy is to always provide something of value. The social networks is just one way they suggest you use to distribute your valuable message.

Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.

My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.

Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.

I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering which is the art of deceiving others into clicking on a link that you think is safe.

As I write this, I’ve been bombarded with emails about people who received errors while trying to view your profile on Facebook. What happens is when someone clicks on your profile they get an error saying that they could find out the problem by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and this “application” will help you determine the cause.

If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that will display a message telling you you’re infected with a virus and offers to scan your system. Of course, this is a social engineering attempt. If you agree to the scan, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.

I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.

Come on back and read the follow-ups.

If you’ve had any experiences with one of the social networking sites, post a comment and let us know.

By

Malicious PDF's being sent

In the past 2 days we’ve been picking up malicious Adobe Acrobat files also known as PDF’s (the file extension on these files).

We received these files in our honeypots as email attachments and when clicked on they infect Windows XP SP3 systems with Adobe Acrobat 8.1.1, 8.1.2, 8.1.3 and 9.0.0. It appears that disabling JavaScript in your Adobe Acrobat Reader will eliminate the threat that this attack exploits.

To disable JavaScript in Adobe Acrobat Reader, open the program, click on Edit->Preferences->JavaScript then uncheck Enable Acrobat JavaScript. You may experience some program crashes even with JavaScript disabled, however, you will not become infected.

When a computer is infected, it will have these additional files:

  1. temp/svchost.exe
  2. temp/temp.exe
  3. system32/(8 random characters).dll

In addition the infected computer will open a backdoor that will allow the cybercriminal to remotely control the PC (it will become part of a botnet)

Of course, if you’re security system is blocking “exe” downloads from non-whitelisted sites, you don’t have worry about this. (The Box does)

By

Website used by Federal Government Hacked!

It was discovered that GovTrip.com, a website used by federal government employees for booking travel reservations was hacked and serving up malicious code through redirects.

The site is currently unavailable as they perform their forensic investigation and clean up the mess.

According to reports, “sometime” before February 11th, cybercriminals compromised the site and inserted redirect code that sent visitors to a website serving up malicious code. The site is used by such government agencies as: the US Environmental Protection Agency, departments of Agriculture, Energy, Health and Human Services, Interior, Transportation and Treasury.

The website is also used to reimburse employees for travel expenses so all sorts of information is stored there, however, it is not yet known what information was compromised during this breach. I personally don’t think the cybercriminals would have done both – insert redirect code and steal the data available. If the cybercriminals thought the data was valuable, they probably wouldn’t have risked inserting the redirect code as this could have, and did, alert others to the compromise.

The GovTrip.com website is managed by defense contractor Northrop Grumman.

The site had been blocked when the proper authorities were notified. Government agencies using the website were issuing warnings which could have only exacerbated the situation due to human curiosity. Frequently, when you tell a large number of people not to do something, you’re going to get a large percentage of those people to do exactly what they were told not to do.

Cybercriminals know this and use it all the time.

By

Malware and Internet Marketing Methods

Everyone knows that in order to be successful online you have to have visitors and buyers – makes sense right?

In working toward getting this site more visitors and thus more buyers (clients) I’ve studied many of the methods that some of the top Internet Marketing people have promoted. Building a community of readers is one way of getting and keeping visitors.

People like Frank Kern, Jeff Walker and many others promote using Web 2.0 to promote your site. They recommend and use sites like Twitter and Facebook. I’ll admit to having an account on both sites and I try to make some worthy posts on both, however, the security gnome inside me keeps wondering how safe are these sites. Okay, there’s no wondering, I know how safe they aren’t.

I personally know of many people who have been burned by fake emails purporting to be from someone they know, or someone who found them on Facebook, telling them to view a video online or view a document online only to fall victim to this social engineering tactic and become infected. When you see the amount of infected websites that I see everyday, you might be less likely to just click on any website.

For instance, Twitter has a message size limit of 141 characters. Many people will post a link on when they “Tweet” (ugh!). Often times, I’ve seen postings that use tinyurls. This is a service that allows you to place a very long URL into a shortened version that links directly to www.tinyurl.com, which then redirects you to the original link. Any cybercriminal could use this same service (and has) to masquerade their intended infectious website.

You see cybercriminals are extremely intelligent and crafty. They go where the masses go. If everyone’s going to Facebook, cybercriminals will be all over that site trying to find ways to use Facebook’s strengths to exploit the weakest link in any security strategy – human curiosity.  I’ve seen emails with wording like, “Unless you really need to (fill-in the blank) , please don’t click on this link as we can only handle a certain amount of traffic.” And I’m sure they get a lot of people clicking on that link just because they want to know what’s on the other side.

I can’t emphasize it enough. You have to be wary of every email you get that looks like it’s from some social networking site. Every email.

While I agree with Frank Kern and Jeff Walker about using Web2.0 tools to promote your site, I also worry about all those unsuspecting Internet Marketing rookies that will undoubtedly fall victim to some scam running on one of those sites.

Back in December 2008, Facebook users were subjected to the Koobface worm. This worm infected many by sending bogus emails to Facebook users taunting them with subject lines like; “Check you out in this video”. When the user clicks on the link in the email, they’re either redirected to a malware delivery site, or told they need to download a file in order to view the video. The file downloaded is the infection.

Many Facebook walls had these same malicious links posted so anyone who visited that persons profile would at least be presented with the infectious offering.

In January of 2009, users of the social networking site LinkedIn were subjected to bogus profiles of some top name celebrities. Names such as: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek and Kate Hudson were among the list of stars with bogus profiles. People clicking on these sites were offered various temptations – each one an infectious present.

Anyone else have any stories about someone falling victim to a social networking, socially engineered attack?

Leave a comment if you have one.

By

Anti-virus companies get hacked

I was going to avoid jumping on the bandwagon of blasting the anti-virus companies for getting their websites hacked, but another vulnerability was just exploited so I can’t hold back any longer.

If you’ve followed any of my talks, presentations, rantings or other communications, you know that I’ve never been a big fan of relying solely on anti-virus (AV) for computer security. I’ll admit it’s a necessary layer of protection, but too many times I’ve seen infected computers where the owner relied solely on a “firewall” and AV for their protection. However, cybercriminals have known for some time how to bypass detection by AV software.

Just today, BitDefender was compromised by Romanian hackers. This is second time in a week they’ve come under fire by hackers who have publicly announced their accomplishments.

Kaspersky Lab was the victim of a SQL injection attack recently which left their customer data exposed for 11 days. While a forensic analysis showed that none of the data was actually breached, it was available for 11 days.

Also last week, F-Secure, another AV company was successfully breached by SQL injection – although the data that became available was already in the public domain.

Isn’t there some old saying about the shoemaker’s son not having good shoes, or something like that.

One has to wonder, if a company dedicated to computer security is successfully breached, what does that mean for the rest of us?

Post your comments on what you think about these security breaches.