By

Social Networks & Social Engineering – Twitter Round 2

Continuing on from Round 1, I decided to take a step further and show you exactly how susceptible you are to a socially engineered infection through Twitter. Actually it’s more an attack through TinyURL.com, but since Twitter automatically converts URLs in your Tweets (ugh!), it is an attack via Twitter.

For this example, let’s say that a hacker wants to construct a website that references some research on Harvard’s website. It would be on a topic that is of high interest at the moment.

First the hacker (cybercriminal) would use Google Trends (www.google.com/trends) to see what’s hot. As of today (03/02/2009) the list is as follows:

  • granville waiters
  • nyc doe
  • wavy tv 10
  • new york city department of education
  • dr. seuss birthday
  • opm.gov
  • wvec
  • nyc public school closings
  • nyc board of education
  • newport news public schools

These are the top 10.

Nothing in there that is really eye catching that covers a broad scope of people. I’ll use dr. seuss birthday.

Our cybercriminal would construct some basic information about how Harvard University has created this research paper detailing the events behind Dr. Seuss stories. Our cybercriminal needs to have something that already indicates some legitimacy and some validation. For this scenario I’m using Harvard University for 2 reasons; they already carry a huge credibility factor and they have a cross-site scripting (XSS) vulnerability that let’s me use their URL for redirection.

The cybercriminal would take the XSS URL and instead of redirecting the reader to another page inside of Harvard’s website, use it to redirect the unsuspecting reader to their malicious website.

Here is the original URL: http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=

By appending any URL we want to the end of the above string, it will look like we’re sending you to harvard.edu, however, this vulnerability will actually take you somewhere else.

For instance, if I wanted to send you to my website I would use:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com

Go ahead and click on that and you’ll see what I mean.

Now, that’s not too bad. I if showed you that link in an email or on my Twitter account, you might not see the end of the URL and just click on it to see what Harvard has to say about Dr. Seuss.

But remember that Twitter uses TinyURL.com which converts any long URLs into “tiny” URLs. Plugging that long URL into TinyURL.com’s website it gives me:

http://www.tinyurl.com/av46js

With TinyURL.com’s preview function I could see the exact URL of the above TinyURL. Maybe you’d see the redirection at the end and maybe not.

Now, our crafty cybercriminal knows that TinyURL.com has this preview function, so he (we’ll assume a male hacker) converts the URL of his malicious website to one you can’t recognize. This is called URL obfuscation (I love using that word).

This would take my URL of http://www.wewatchyourwebsite.com and convert it to: %68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

If you saw this by itself, hopefully you’d be suspicious and avoid the urge to click on it. However, when used at the backend of an already long URL, you might just throw caution into the wind and click away.

Our Harvard URL would become:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

Which when converted to a TinyURL.com would result in: http://tinyurl.com/bnq5ej

Go ahead and click on that to see what I mean. As of today, that XSS on Harvard’s site has not been fixed so it will load their frame, but inside will be our home page. Keep in mind that even with TinyURL.com’s preview function, you would only see the obfuscated URL with all the percent signs. This might give you a false sense of security and decide to trust your “gut” and go for it. That’s what the cybercriminal is hoping for.

Obviously our website isn’t going to infect your computer, however, if the redirection URL were to take you to the cybercriminals infectious webpage, you’d be infected and not even know it.

To recap, the purpose of this information is to show you the steps a cybercriminal would follow to use social engineering to spread their malware. They would use Google Trends to find a hot topic, they would use the credibility of some other site, Harvard in this example, they would use obfuscation to hide their work from people who know what to look for and they would use Twitter or some other social networking site to find as many people as they could.

As stated earlier, this isn’t so much a vulnerability of Twitter as it is with TinyURL.com, but since Twitter uses TinyURL.com, it does reflect back on them.

Any comments, questions or remarks? Please post them (unless it’s SPAM).

By

Social Networks & Social Engineering – Twitter Round 1

My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.

First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.

From their website Nicholas Carr describes it as “the telegraph system of Web 2.0” while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”

The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more populare sites for these services are:

  • TinyURL.com
  • bit.ly
  • get-shorty.com
  • SnipURL.com

These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888

Using these shortened URLs on Twitter allows members to include some description with their link.

I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.

You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.

I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.

Much to my surprise, all of the links that used TinyURL.com delivered the following message:

“The TinyURL (shows link) you visited was used by it’s creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violation of our terms of use include:

  • Spam – Unsolicited Bulk E-mail
  • Fraud or Money Making scams
  • Malware
  • or any other use that is illegal”

This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, replace tinyurl.com with preview.tinyurl.com. For instance if you see a link like: http://www.tinyurl.com/8888, before clicking on it, change the URL to: http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you with a link that says, “Proceed to this site.”

I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.

You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.

With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.

One other service I investigated, SnipURL.com clearly states on their website:

“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”

At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.

I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.

You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site – because you’re either relying on the poster or Twitter. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it no matter how important you think it might be.

Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.

By

Malware and Internet Marketing Methods

Everyone knows that in order to be successful online you have to have visitors and buyers – makes sense right?

In working toward getting this site more visitors and thus more buyers (clients) I’ve studied many of the methods that some of the top Internet Marketing people have promoted. Building a community of readers is one way of getting and keeping visitors.

People like Frank Kern, Jeff Walker and many others promote using Web 2.0 to promote your site. They recommend and use sites like Twitter and Facebook. I’ll admit to having an account on both sites and I try to make some worthy posts on both, however, the security gnome inside me keeps wondering how safe are these sites. Okay, there’s no wondering, I know how safe they aren’t.

I personally know of many people who have been burned by fake emails purporting to be from someone they know, or someone who found them on Facebook, telling them to view a video online or view a document online only to fall victim to this social engineering tactic and become infected. When you see the amount of infected websites that I see everyday, you might be less likely to just click on any website.

For instance, Twitter has a message size limit of 141 characters. Many people will post a link on when they “Tweet” (ugh!). Often times, I’ve seen postings that use tinyurls. This is a service that allows you to place a very long URL into a shortened version that links directly to www.tinyurl.com, which then redirects you to the original link. Any cybercriminal could use this same service (and has) to masquerade their intended infectious website.

You see cybercriminals are extremely intelligent and crafty. They go where the masses go. If everyone’s going to Facebook, cybercriminals will be all over that site trying to find ways to use Facebook’s strengths to exploit the weakest link in any security strategy – human curiosity.  I’ve seen emails with wording like, “Unless you really need to (fill-in the blank) , please don’t click on this link as we can only handle a certain amount of traffic.” And I’m sure they get a lot of people clicking on that link just because they want to know what’s on the other side.

I can’t emphasize it enough. You have to be wary of every email you get that looks like it’s from some social networking site. Every email.

While I agree with Frank Kern and Jeff Walker about using Web2.0 tools to promote your site, I also worry about all those unsuspecting Internet Marketing rookies that will undoubtedly fall victim to some scam running on one of those sites.

Back in December 2008, Facebook users were subjected to the Koobface worm. This worm infected many by sending bogus emails to Facebook users taunting them with subject lines like; “Check you out in this video”. When the user clicks on the link in the email, they’re either redirected to a malware delivery site, or told they need to download a file in order to view the video. The file downloaded is the infection.

Many Facebook walls had these same malicious links posted so anyone who visited that persons profile would at least be presented with the infectious offering.

In January of 2009, users of the social networking site LinkedIn were subjected to bogus profiles of some top name celebrities. Names such as: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek and Kate Hudson were among the list of stars with bogus profiles. People clicking on these sites were offered various temptations – each one an infectious present.

Anyone else have any stories about someone falling victim to a social networking, socially engineered attack?

Leave a comment if you have one.