With the advent of social networks, the online world has become a virtual society. Social networks serve as seamless communication channels, but at the same time they are ideal launch pads for malware infections. As a result there has been a tremendous increase in the dissemination of malware infections through social networks. The security and privacy mechanisms of social networks such as Twitter and Facebook have proven insufficient to prevent exploitation. As we know "To Err is Human," and human errors lead to exploitation and manipulation whether the social network is online or offline.
Exploiting Human Trust, Curiosity and Ignorance
Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. If an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content (such as malicious URL's) into the network. The connectivity of the network enables the spread of the exploitation. That is, the attacker exploits the weakest link in the chain. This exploitation process is aided by the inability of users (and their stored objects) to determine the legitimacy of content flowing through the social network. The infection process begins with the exploitation of human ignorance and curiosity followed by spreading of the infection through the trust upon which the network is based.
In order to start the exploitation process, an attacker can pick any issue that affects human emotions to drive the user in a social network to follow the path generated by the attacker. Topics such as weather calamities, political campaigns, national affairs, medical outbreaks and financial transactions are used for initiating infections. Phishing and spamming are used extensively for spreading messages on these topics with malicious intent. Basically, it is a trapping mechanism used by attackers to infect an entire online social network.
Exploit Mechanisms - The Art of Infection
Since social network exploitation begins by exploiting an individual user's trust, curiosity, or ignorance common attack strategies have emerged:
One of the simplest infection techniques is the injection of malicious URLs into a user's message wall. Since it can be difficult to differentiate between the legitimate URLs and illegitimate ones even a careful user can be tempted to click on the link. Unfortunately for the user, clicking the hyperlink can result in automatic download of malware from a malicious domain through the browser.
* Browser Exploit Packs (BEP) hold a number of browser-based exploits that are bundled together to customize the response to a victim. When a user visits a malicious domain, the BEP fingerprints the browser version and the related environment of the user machine. Based on this information, a suitable exploit is served to the user which exploits the integrity of that particular browser.
* Drive-by-Download attacks are triggered by visiting a malicious page. They exploit browser vulnerabilities in piugins and built-in components. Successful exploitation of the vulnerability results in the execution of shell code that in turn downloads the malware into the system. A variation of the Drive-by-Download attack is the Drive-by-Cache attack that can exploit browser cache functionality in order to execute malware.
The biggest problem with the online social networks is that they do not have sufficient built-in protection against malware. For example, current social networks do not scan the URL's and embedded content coming from third party servers such as Content Delivery Networks. Therefore, there is no mechanism to detect the authenticity of URL's that are passed as message content among the user objects in the online social networks. In addition, it is easy to upload malvertisements, and social networks fail to raise any warning. Online social networks are not harnessing the power of Safe Browsing API's from Google or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation. Finally, many social network users are not knowledgeable enough to differentiate between real and malicious entities. Ignorance not only results in exploitation, but also greatly impacts the overall security of online social networks. Because of the high connectivity and need for trust in a social network users are particularly dependent on the built-in security features of online social networks, but the security features are not tough enough to thwart many malware attacks.
Robust security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity and ignorance to garner maximum profit. User awareness regarding security concerns is important but can only spread gradually, so social networks should be proactive and develop more sophisticated and stringent mechanisms to thwart malware infections. Safe and secure transmission of the information and robust user's privacy should be the paramount concern of the social networking companies.
Aditya K Sood is a regularly writes articles for the ISACA journal and is a senior security researcher and PhD candidate at Michigan State University.
Richard j. Enbody, Ph.D., regularly writes articles for ISACA Journal and is associate professor in the Department of Computer Science and Engineering at Michigan State University (USA) where he joined the faculty in 1987.
Aditya K Sood and Richard J Enbody - Regular contributors to the ISACA Journal