Tuesday, November 23, 2010

A new strategy for social network spammers?

As is obvious to anyone who surfs the social media world, spam on social networking sites is on the rise. As we show in our latest paper, malicious users leverage the ease of reaching thousands of users that these platforms provide to deliver their messages to as many people as possible. In addition, the personal information that is available through social networks allows spammers to target their campaigns at those users who are more likely to fall for them. In our paper, we show how adult dating spam on Facebook mostly targets male users. However, most spam campaigns, both on Twitter and on Facebook, are pretty easy to detect, and the profiles that carry them out get shut down fast. There are two main reasons: the first one is that spammers' activity differs quite a lot from humans', and this makes it possible to detect spam profiles. The second one is that spam bots generally target their victims randomly, and this produces social graphs that are very different from those of real people (who, in general, have a very dense "core" of mutual friends in their graph).
Of course, spammers are coming up with smarter solutions that make detection harder. For a few months now, I have noticed spam profiles on Twitter contacting only people who are linked together. This can easily resemble a real social graph, which on the one hand makes detection harder. On the other hand, this technique attracts more victims, since people are more likely to befriend somebody if this person is already friends with many of their friends (especially if it is a cute girl... you get it). Given these observations, I started wondering how much effort it would take for somebody to create a profile, "merge" into a real social network by contacting people who are linked together, and, after having a few hundred friends, start spamming.
To check this, I created a fake Facebook profile and started contacting some people who were connected together. This process gets a boost from the fact that some people will accept any request they receive: this not only increases the number of friends the bot has, but also attracts friend requests, since the fake profile starts appearing in others' profiles as a suggestion. After having collected a decent number of friends, say 30, it was enough to sit down and wait for a while. People started sending friend requests on their own, and all the bot had to do was accept them. In a bit more than one month, the bot collected 375 friendships on Facebook. This is an order of magnitude higher than the number of friends reached, on average, through random targeting by the spammers we monitored for our previous paper. Needless to say, Facebook's spam and automatic activity detection algorithms failed. Time for better anti-spam techniques?
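
The graph argument above can be made concrete with a small metric. The following Python is an added example, not code from the original post or from any platform's detection system: it computes the mutual-friend density of a profile's friend list (how many pairs of its friends are friends with each other) on constructed toy graphs, and applies the "many friends, no links among them" heuristic the post describes. Names such as bot_random, bot_embedded and alice are placeholders; the point it shows is that the heuristic catches the random-targeting bot but not the one that befriends an already connected group.

```python
"""Mutual-friend density of a profile's friend list (added example, not the
post's own code). Shows why random targeting stands out in the social graph
and why a bot that only befriends people who are already linked together
does not. All graphs are constructed toy data with placeholder names."""
from itertools import combinations


def build_undirected(edges):
    """Adjacency sets from (a, b) friendship pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def mutual_friend_density(adj, node):
    """Fraction of pairs among node's friends that are themselves friends
    (the local clustering coefficient). Returns 0.0 below two friends."""
    friends = adj.get(node, set())
    n = len(friends)
    if n < 2:
        return 0.0
    linked = sum(1 for a, b in combinations(friends, 2) if b in adj[a])
    return linked / (n * (n - 1) / 2)


def flag_random_targeting(adj, node, min_friends=5, max_density=0.1):
    """Heuristic from the post: many friends but almost no links among them
    suggests a bot that picked its targets at random. Thresholds are
    illustrative assumptions."""
    return (len(adj.get(node, set())) >= min_friends
            and mutual_friend_density(adj, node) <= max_density)


# Constructed community u0..u7: every pair is friends except four missing
# edges, so the group is dense but not complete (24 of 28 possible links).
MISSING = {("u0", "u7"), ("u1", "u6"), ("u2", "u5"), ("u3", "u4")}
COMMUNITY = [(f"u{i}", f"u{j}") for i in range(8) for j in range(i + 1, 8)
             if (f"u{i}", f"u{j}") not in MISSING]
# Constructed strangers s0..s7 have no ties to one another.
EDGES = list(COMMUNITY)
EDGES += [("bot_random", f"s{i}") for i in range(8)]    # random targeting
EDGES += [("bot_embedded", f"u{i}") for i in range(8)]  # "merged" into u0..u7
EDGES += [("alice", f"u{i}") for i in range(4)]          # real user: dense core
EDGES += [("alice", f"s{i}") for i in range(2)]          # plus a few loose ties
GRAPH = build_undirected(EDGES)


def report():
    """(density, flagged) for each profile of interest."""
    return {node: (round(mutual_friend_density(GRAPH, node), 3),
                   flag_random_targeting(GRAPH, node))
            for node in ("bot_random", "bot_embedded", "alice")}


if __name__ == "__main__":
    for node, (density, flagged) in report().items():
        print(f"{node:13s} mutual-friend density={density:.3f} flagged={flagged}")
```

On this data bot_random scores 0.0 and is flagged, while bot_embedded scores about 0.86, higher than the genuine user alice at 0.4, so a graph-structure check alone cannot separate it from a real account; the behavioural side (what the profile posts and how fast) has to carry the detection.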

Monday, October 11, 2010

What Spam is out there?

More than 90% of the world's email traffic is spam, or at least so they say. We don't see most of it, because it gets filtered by services such as SpamAssassin, Spamhaus, or Gmail itself. However, sometimes a message makes it to our inbox. Normal people just delete these messages (some of them actually fall for the scams contained in them and buy the advertised stuff), but for security researchers it is also interesting to understand where these messages are coming from. Nowadays, most spam is sent by botnets. Infected computers from all over the world get orders from their Command and Control servers and start sending unwanted emails. Compared to traditional spam, which is sent out by dedicated servers, this approach has the advantage of making it hard to blacklist the spamming IPs.
Currently, four botnets are responsible for the majority of worldwide spam: Rustock, Lethic, MegaD and Cutwail. Let's see what kind of spam these four botnets send out.
Rustock is supposedly the largest, or at least the most active, spamming botnet out there. Recent research shows that it is responsible for 39% of worldwide spam. This botnet is one of the most sophisticated when it comes to packaging its e-mails to avoid detection. For example, at the end of the subject line they always put some random text fetched from Wikipedia. This botnet mainly sends out Viagra-related spam, with subject lines of the form "dear xys, get 80% off all prices". The body of the email usually contains a fake newsletter, with a link pointing to an online pharmacy. Below is an example of such an email.


Lethic is quite large too. This botnet has a fairly specific behavior when packaging its e-mails: it merges different words together, or it misspells common spam keywords to avoid detection. Lethic seems to be running three campaigns. The first one is a drug campaign; the subjects of the mails belonging to this campaign contain words such as QualityMedications, MaleEnhancement and WithoutPrescription. The second campaign run by Lethic is a replica watch one; the subjects of the mails in this case contain words such as Rep1caWatch and Bvlgari. The third campaign aims to sell proprietary software for cheap. Common keywords here are OemSoftwares and Adobe.
Cutwail is another large botnet. Like Lethic, it runs a cheap drugs / Viagra campaign, but this botnet seems to be focused on phishing scams. In our test setup we observed malware samples belonging to this botnet sending out fake Facebook requests, Amazon and UPS confirmation e-mails and, more recently, LinkedIn-related e-mails. All these e-mails contain links to a fake login page, aiming to steal the victims' login credentials.
Below is an example of a phishing e-mail sent by cutwail.

The last large spamming botnet is MegaD. This botnet sends out male enhancement related emails, but it is easily distinguishable from the other ones because of the funny subjects its emails are shipped with (Immense manhood without problems, Eldorado of ero-cures).
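
The packaging habits described for the four botnets are exactly the kind of thing a mail filter can key on. The Python below is an added example, not from the original post and not any filter's real rule set: it turns the post's observations into subject-line heuristics (Rustock's "dear xys, get N% off all prices" template with filler appended, Lethic's glued-together or digit-substituted keywords, MegaD's characteristic phrases) and, for Cutwail, checks whether a mail that name-drops one of the impersonated brands links to a host outside that brand's domain. The brand-to-domain table and every sample message are constructed assumptions; the labels are only as good as the handful of indicators the post gives.

```python
"""Subject-line heuristics for the four spam families described in the post
(added example, not the post's own code). The patterns encode only what the
post states; sample messages and the brand-domain table are constructed."""
import re

RUSTOCK_TEMPLATE = re.compile(r"^dear \w+, get \d+% off all prices\b", re.I)
# Two or more capitalised words glued into one token, digits allowed (Rep1caWatch).
GLUED_WORDS = re.compile(r"\b(?:[A-Z][a-z0-9]+){2,}\b")
LETHIC_KEYWORDS = {"qualitymedications", "maleenhancement", "withoutprescription",
                   "rep1cawatch", "bvlgari", "oemsoftwares", "adobe"}
MEGAD_PHRASES = ("immense manhood", "ero-cures")
# Brands the post reports Cutwail impersonating, with the domain a genuine
# mail from that brand would link to (an assumption made for this check).
IMPERSONATED = {"facebook": "facebook.com", "amazon": "amazon.com",
                "ups": "ups.com", "linkedin": "linkedin.com"}
LINK_HOST = re.compile(r"https?://([^/\s<>\"']+)", re.I)


def host_belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().split(":")[0]
    return host == domain or host.endswith("." + domain)


def classify(subject, body=""):
    """Return (family, reason) for one message; 'unknown' when nothing fits."""
    low = subject.strip().lower()
    m = RUSTOCK_TEMPLATE.match(low)
    if m:
        filler = low[m.end():].strip()
        return ("rustock", "price template" + (" + trailing filler" if filler else ""))
    if any(p in low for p in MEGAD_PHRASES):
        return ("megad", "characteristic phrase")
    tokens = set(re.findall(r"[a-z0-9]+", low))
    glued = GLUED_WORDS.findall(subject)
    hits = tokens & LETHIC_KEYWORDS
    if hits or glued:
        return ("lethic", "glued/misspelled keywords: " + ", ".join(glued or sorted(hits)))
    for brand, domain in IMPERSONATED.items():
        if brand in tokens:
            foreign = [h for h in LINK_HOST.findall(body) if not host_belongs_to(h, domain)]
            if foreign:
                return ("cutwail-phishing", f"{brand} mail linking to {foreign[0]}")
    return ("unknown", "")


# Constructed (subject, body) samples modelled on the post's descriptions.
SAMPLES = [
    ("dear xys, get 80% off all prices Nile crocodile population", ""),
    ("QualityMedications WithoutPrescription", ""),
    ("Rep1caWatch Bvlgari", ""),
    ("OemSoftwares Adobe at low price", ""),
    ("Immense manhood without problems", ""),
    ("Eldorado of ero-cures", ""),
    ("You have a new Facebook friend request",
     "Confirm here: http://facebook.login.example.invalid/confirm"),
    ("Your Amazon order confirmation", "Details: https://www.amazon.com/orders/1"),
    ("Meeting notes for Thursday", "See http://intranet.example.invalid/notes"),
]


def run_samples():
    """Family label for each sample, in order."""
    return [classify(subject, body)[0] for subject, body in SAMPLES]


if __name__ == "__main__":
    for (subject, body), label in zip(SAMPLES, run_samples()):
        print(f"{label:17s} {subject}")
```

The Cutwail rule deliberately needs both signals (brand mentioned and a link off the brand's domain), which is why the genuine-looking Amazon sample stays "unknown"; a subject alone cannot separate a phish from a real notification, and the Cutwail drug campaign the post mentions is indistinguishable from Lethic's by these indicators.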

Monday, September 20, 2010

Malicious URLs in Twitter

Social networks are for sure good for keeping in touch with friends and staying informed. However, they are also a terrific starting point for attacks. Malware such as Koobface used them as a base for spreading, leveraging the fact that users seem not to be as aware of threats on these platforms as they are of those on traditional e-mail or the web, as shown in this recent paper.
Twitter isn't immune to this trend. For malicious users it is very easy to create tweets containing bad links, and these messages are very easy to spread, without any need to set up complicated infrastructure such as that required for e-mail spam. To fight this trend, the Twitter crew started filtering the links contained in all tweets, routing them through a Wepawet-like service able to detect the malicious ones and prevent harm to the users who click on them (see this blog post by Twitter for details).
However, vulnerabilities are hidden everywhere, and sometimes they are so evident that nobody thinks about them. Look at this status message. There are no links in the tweet, therefore the Twitter screening procedure doesn't even get triggered. However, a malicious link might be hidden somewhere else: each tweet contains a "via <someapp>" link, where <someapp> points to a link specified by the application developer. It turns out that these links are not checked, and therefore might point to malicious sites trying to exploit the user's browser. In the example tweet above, the application link has been set to a page identified by Wepawet as malicious.
This flaw was discovered by Manuel Egele and Thorsten Holz, two researchers in our group, during a project on Twitter security. We alerted the Twitter folks, and they reacted quickly. They assured us that they have started queuing the app links to their malicious URL detection system, so the issue should be fixed.
Always think twice before clicking on a link on any social network. If you are looking for a tool that helps you detect malicious links before clicking on them, check out longSHORE.
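
The gap described above is a coverage problem: the screening step only sees the URLs it is handed. The Python below is an added example, not Twitter's code or the one used in the project: it gathers every URL a user could click from a tweet record, the links in the body plus the one behind the "via <app>" attribution, and reports which of them a body-only link filter would never see. It assumes a tweet is a dict with a "text" field and a "source" field carrying the attribution as an HTML anchor (the shape the Twitter API of the time returned; treat that as an assumption here), and all sample tweets use constructed .invalid hostnames.

```python
"""Collect every clickable URL in a tweet record, including the application
attribution link (added example, not Twitter's code). Assumes the "source"
field holds the "via <app>" attribution as an HTML anchor. Samples are
constructed with .invalid hostnames."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class _HrefCollector(HTMLParser):
    """Pulls href values out of <a> tags in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def urls_in_text(text):
    """What a screen that only looks at the tweet body sees."""
    return URL_IN_TEXT.findall(text)


def attribution_urls(source_html):
    """Link behind the 'via <app>' attribution, chosen by the app developer."""
    collector = _HrefCollector()
    collector.feed(source_html or "")
    return collector.hrefs


def urls_to_screen(tweet):
    """All URLs a user could end up clicking: body links plus the app link.
    Only http(s) URLs are queued; anything else is not a page to scan."""
    found = urls_in_text(tweet.get("text", "")) + attribution_urls(tweet.get("source", ""))
    unique = []
    for url in found:
        if url not in unique and urlsplit(url).scheme in ("http", "https"):
            unique.append(url)
    return unique


def missed_by_text_only_screen(tweet):
    """URLs that reach the user but never reach a body-only link filter."""
    seen = set(urls_in_text(tweet.get("text", "")))
    return [u for u in urls_to_screen(tweet) if u not in seen]


# Constructed sample records: no link in the body but one in the attribution,
# the same link in both places, and a plain web post with no anchor at all.
TWEETS = [
    {"text": "Nothing to see here, just a status update",
     "source": '<a href="http://some-app.example.invalid/landing" rel="nofollow">SomeApp</a>'},
    {"text": "Read this: http://news.example.invalid/story",
     "source": '<a href="http://news.example.invalid/story" rel="nofollow">NewsApp</a>'},
    {"text": "Posted from the website", "source": "web"},
]


if __name__ == "__main__":
    for tweet in TWEETS:
        print("screen:", urls_to_screen(tweet), "missed:", missed_by_text_only_screen(tweet))
```

The first sample is the case from the post: the body contains nothing to scan, yet one URL reaches the user through the attribution and is exactly what a text-only filter drops. Feeding the output of urls_to_screen, rather than urls_in_text, to the malicious-URL checker is the fix the post describes Twitter adopting.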