bsides sanders/allen

Post on 10-May-2015


DESCRIPTION

BsidesROC Presentation

TRANSCRIPT

A measure of human susceptibility

Zack Allen, Security/Research Engineer, ZeroFOX

Chaim Sanders, Security Consultant, Cigital

Overview

Disclaimer

Motivation

Background

Infrastructure & Process

Results/Forecast

Disclaimer

The views, opinions and research expressed in this presentation are those of the authors and do not reflect the official policy or position of their employers

Motivation


Background

From 2008 to 2013 [1]:

LinkedIn: 33 million to 225 million

Twitter: 6 million to 232 million

Facebook: 100 million users to over 1 billion

Background

Data breaches 2012-2013

LinkedIn [2]: 8 million passwords leaked, no salt

Twitter [3]: 250k user accounts hacked, 'Not the work of amateurs'

Facebook [4]: 318,000 stolen credentials; virus capturing login info via keylogger, C&C in the Netherlands

Background

What do you tell your boss/employees/family to resolve social media attacks? Block Facebook, Twitter, LinkedIn?

Background

Social Media – 2014 is here, let's get with the times

LinkedIn study [5]: 1,000 small to medium businesses ($1mil to $50mil) interviewed; asked questions on the impact of social media on their business

Results: 81% use social media to drive growth; 9% are looking into using it in the near future; 94% use social media as a social marketing tool; 49% for educational purposes

Background

Using social media does open you up to some pretty ridiculous attacks

Background

Focus on Twitter: 2 types of attacks, waterhole and phishing

Mediums: hashtags, DMs, direct tweets, retweets, external links via link shorteners (bitly, goo.gl)

Best way to do it? Assumption: Vladimir the Russian Cyber Criminal automates his Twitter bots via an app. Assumption: Vladimir keeps it sexy.. he uses sexy girls and guys that post racy tweets to get people to connect to his website that dishes out the latest Java exploit kit

Background


Sex sells! 0 followers; automated tweets targeting #sex #porn etc.; Bit.ly links

Some stats.. 51k clicks as of 2 April; 1.2m clicks total to the website Smokinbabe56.vielo.com

Background

Project 'Flock': get users to flock to our own webserver. Use sexy profiles, link shorteners and bots to distribute our URL. Mask the hashtag attacks by tweeting at random intervals throughout the day

Once they connect: record geolocation and machine details, then redirect to Twitter

Campaigns: issue a command to the bot head via IRC C&C with a URL to shorten to start a series of tweets; pull the top N trends, hashtag them with the shortened link

Results: identify the most successful profiles, tweets and links; help defend against them

Prepping Twitter – Don't get banned!

Twitter ToS – 'Following rules and best practices': "We do not monitor the amount of people that follow you. We do monitor how aggressively users follow other users" ('Aggressive Following')

Tweets: follow a human schedule; build a rapport with Twitter – randomize!

Legitimacy: profile picture, email address

Build Twitter profile: < min

Build your botnet – non-attribution

Twitter falloff

It turns out people only like shiny new things; we need more than one tweet

Collecting Data

Wouldn't it be nice to use Google Analytics? Well yes… but that'd be bad

Why not open source? Piwik: easily extensible, already does detection of frameworks

Make sure to get the GeoIP pack

Infrastructure

Dell PowerEdge 9200; proper firewall, clean Apache 2.4.9, mod_security

How do you secure a malicious page? Look at examples?

Leaked Zeus source… not well. KISS – keep it simple, stupid

It crashed, the problem with traveling… AWS… put it in the cloud, man

What's our website?

<script>
$(document).ready(function () {
  // Wait for the tracking pixel below to finish loading, so the Piwik hit
  // is recorded before the visitor is sent on to the real destination.
  $("#check").load(function () {
    // Redirect target comes from the query string. The slide echoed the raw
    // value; json_encode() emits a proper JS string literal so the value
    // cannot break out of the quotes.
    window.location.href = <?php echo json_encode($_GET['redirect']); ?>;
  });
});
</script>

<!-- Piwik tracking pixel; idsite=2 is the site id configured in Piwik -->
<img id="check" src="http://ec2-54-81-73-176.compute-1.amazonaws.com/piwik/piwik.php?idsite=2&amp;rec=1" style="border:0" alt="" />
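The landing page above takes its redirect target straight from the query string, which makes it both an open redirect (any destination can be supplied) and, if the value is written into the page unescaped, a reflected-XSS sink. The following is an added example, not code from the slides or from the Flock project: a Node.js check that only accepts an https destination on an allowlist of hosts, falling back to a fixed URL otherwise, plus a safe way to embed the checked value in a script block. The host list and fallback URL are assumptions chosen for the example.

```javascript
// Added example (not from the presentation): validating a `redirect`
// query parameter before using it, so a tracking landing page cannot be
// turned into an open redirect or a reflected-XSS sink.
// ALLOWED_HOSTS and FALLBACK are constructed values for the example.
const ALLOWED_HOSTS = new Set(["twitter.com", "www.twitter.com", "t.co"]);
const FALLBACK = "https://twitter.com/";

// Return a safe absolute URL: the requested one if it parses as an https
// URL on an allowed host with no embedded credentials, else the fallback.
function safeRedirect(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return FALLBACK;
  }
  let url;
  try {
    url = new URL(raw); // throws on relative ("//evil") or malformed input
  } catch (e) {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;        // blocks javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK; // exact host match, no suffix tricks
  if (url.username || url.password) return FALLBACK;     // https://twitter.com@evil.example
  return url.href;
}

// Embed the checked value in a <script> block. JSON.stringify yields a valid
// JS string literal with quotes escaped; "<" is additionally escaped so the
// literal can never close the surrounding <script> element.
function redirectScript(raw) {
  const literal = JSON.stringify(safeRedirect(raw)).replace(/</g, "\\u003c");
  return "<script>window.location.href = " + literal + ";</script>";
}
```

The exact-host comparison matters: a suffix or substring check would accept hosts such as "twitter.com.evil.example", and checking the scheme before the host rejects "javascript:" URLs that the URL parser accepts without complaint.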

Lets take a look at Piwik

Results

Who clicks on links?

Browser distribution: Twitter has a rather smart browser base; not too many IE 6's in there

We can, to some extent, detect many crawlers of Twitter based on their hosting provider…. Who uses EC2 to browse?
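The observation above, that link-preview crawlers stand out by their hosting provider, is the same heuristic a security team can apply to its own web or short-link analytics to separate automated fetches from human visits. The following is an added example, not code from the slides or from Piwik: a small classifier over constructed visit records (client address, reverse-DNS hostname, User-Agent) that flags known link-expander user agents and cloud-hosted clients, and summarises the human share of a batch. The suffix list, user-agent patterns and sample records are assumptions constructed for the example.

```javascript
// Added example (not from the presentation): separating automated
// link-preview fetches from human visits in a click log, using the
// reverse-DNS hostname and User-Agent. Lists and records are constructed.
const HOSTING_SUFFIXES = [
  ".compute-1.amazonaws.com",
  ".compute.amazonaws.com",
  ".googleusercontent.com",
];
const BOT_UA_PATTERNS = [
  /Twitterbot/i, /facebookexternalhit/i, /LinkedInBot/i,
  /Slackbot-LinkExpanding/i, /python-requests/i, /curl\//i,
];

// Classify one visit: "bot" if the UA is a known link expander or scripted
// client, or the reverse DNS sits in a cloud hosting range; else "human".
function classifyVisit(v) {
  const ua = v.userAgent || "";
  if (BOT_UA_PATTERNS.some((re) => re.test(ua))) {
    return { ...v, verdict: "bot", reason: "link-preview or scripted user-agent" };
  }
  const host = (v.rdns || "").toLowerCase();
  if (HOSTING_SUFFIXES.some((s) => host.endsWith(s))) {
    return { ...v, verdict: "bot", reason: "cloud hosting provider" };
  }
  return { ...v, verdict: "human", reason: "" };
}

// Summarise a batch: counts per verdict and the share of likely human clicks.
function summarise(visits) {
  const out = { bot: 0, human: 0 };
  for (const v of visits) out[classifyVisit(v).verdict] += 1;
  const total = out.bot + out.human;
  return { ...out, total, humanShare: total ? out.human / total : 0 };
}

// Constructed sample records (RFC 5737 documentation addresses), modelled on
// what an analytics backend stores per hit.
const SAMPLE_VISITS = [
  { ip: "203.0.113.10", rdns: "ec2-203-0-113-10.compute-1.amazonaws.com",
    userAgent: "Mozilla/5.0 (compatible; Twitterbot/1.0)" },
  { ip: "198.51.100.7", rdns: "ec2-198-51-100-7.compute-1.amazonaws.com",
    userAgent: "Mozilla/5.0 (Windows NT 6.1) Chrome/34.0 Safari/537.36" },
  { ip: "192.0.2.44", rdns: "cpe-192-0-2-44.example-isp.net",
    userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) Safari/9537.53" },
  { ip: "203.0.113.99", rdns: "",
    userAgent: "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" },
  { ip: "192.0.2.91", rdns: "dsl-192-0-2-91.example-isp.net",
    userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Firefox/28.0" },
];

console.log(summarise(SAMPLE_VISITS)); // { bot: 3, human: 2, total: 5, humanShare: 0.4 }
```

The hosting-provider rule is a heuristic, not proof: a real person browsing from a cloud-hosted VPN or desktop also lands in the "bot" bucket, so it is best used to discount a population rather than to judge a single visit.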

So it's phishing….

How effective was our phishing… eh… Compared to a Nigerian prince… better. It is fairly anonymous and hard for victims to identify

But what about more direct phishing? The social network equivalent of spear phishing: hashtag hijacks, DMs. Targeted hashtags: #Mcafee #secchat #Thevoice #yourcompanyhere

Next steps

Facebook: just steal a video from Reddit; 47 visits in an hour

MORE BOTS! Hundreds under one app, multiple apps

Be more clever-er: automation of Flock for specific campaigns; targeted, spray and pray

Early Facebook Thoughts

It seems that many more people will access links from Facebook via phones

It's easy to coerce Facebook's preview page: it will always grab the first image, it will always take the title, and it does not evaluate JavaScript (fortunately)

It seems on Facebook that everyone will watch videos of girls. Or maybe my friends just roll that way

More next steps

Add more Twitter followers

Cross advertise: advertise between Facebook, G+, LinkedIn, Twitter; see how big we can build it

Try and discern metrics beyond just regional and effectiveness

Contact

Zack @teachemtechy www.zerofox.com www.github.com/zmallen

Chaim www.chaimsanders.com
