bsides sanders/allen
BsidesROC Presentation
A measure of human susceptibility
Zack Allen, Security/Research Engineer, ZeroFOX
Chaim Sanders, Security Consultant, Cigital
Overview
Disclaimer
Motivation
Background
Infrastructure & Process
Results/Forecast
Disclaimer
The views, opinions and research expressed in this presentation are those of the authors and do not reflect the official policy or position of their employers
Motivation
Background
From 2008 to 2013.. [1]
LinkedIn: 33 million to 225 million users
Twitter: 6 million to 232 million users
Facebook: 100 million users to over 1 billion
Background
Data breaches 2012-2013
LinkedIn [2]: 8 million passwords leaked, no salt
Twitter [3]: 250k user accounts hacked, 'Not the work of amateurs'
Facebook [4]: 318,000 stolen creds; virus capturing login info via keylogger, C&C in the Netherlands
Background
What to tell your boss/employees/family to resolve social media attacks? Block Facebook, Twitter, LinkedIn?
Background
Social Media – 2014 is here, let's get with the times
LinkedIn study [5]: 1,000 small to medium businesses interviewed ($1mil to $50mil)
Asked questions on the impact of social media on their business
Results:
81% use social media to drive growth
9% are looking into using it in the near future
94% use social media as a social marketing tool
49% for educational purposes
Background
Using social media does open you up to some pretty ridiculous attacks
Background
Focus on Twitter: 2 types of attacks: waterhole, phishing
Mediums: hashtags, DM, direct tweets, retweets, external link via link shortener (bitly, goo.gl)
Best way to do it?
Assumption: Vladimir the Russian Cyber Criminal automates his Twitter bots via an app
Assumption: Vladimir keeps it sexy.. he uses sexy girls and guys that post racy tweets to get people to connect to his website that dishes out the latest Java exploit kit
Background
Sex sells! 0 followers; automated tweets targeting #sex #porn etc; bit.ly links
Some stats.. 51k clicks as of 2 April; 1.2m clicks total to website Smokinbabe56.vielo.com
Background
Project 'Flock'
Get users to flock to our own webserver
Use sexy profiles, link shorteners and bots to distribute our URL
Mask the hashtag attacks by tweeting at random intervals throughout the day
Once they connect: record geolocation, machine details; redirect to Twitter
Campaigns: issue command to bot head via IRC C&C with a URL to shorten to start a series of tweets; pull top N trends, hashtag them with shortened link
Results: identify most successful profiles, tweets, links; help defend against them
Prepping Twitter – Don't get banned!
Twitter ToS – 'Following rules and best practices': 'We do not monitor the amount of people that follow you. We do monitor how aggressively users follow other users' ('Aggressive Following')
Tweets: follow a human schedule; build a rapport with Twitter – randomize!
Legitimacy: profile picture, email address
Build Twitter profile – < min
Build your botnet – non-attribution
Twitter falloff
It turns out people only like shiny new things. We need more than one tweet
Collecting Data
Wouldn't it be nice to use Google Analytics? Well yes... but that'd be bad
Why not open source? Piwik: easily extensible, already does detection of frameworks
Make sure to get the GeoIP pack
Infrastructure
Dell PowerEdge 9200, proper firewall, clean Apache 2.4.9 with mod_security
How do you secure a malicious page? Look at examples?
Leaked Zeus source... not well. KISS – keep it simple, stupid
It crashed, the problem with traveling... AWS... put it in the cloud, man
What’s Our website?
<script>
// Wait for the Piwik tracking pixel to load (so the visit is recorded), then send the visitor on
$(document).ready(function() {
    $("#check").on("load", function() {
        // json_encode() emits a proper JS string literal, so the redirect parameter cannot break out of the script
        window.location.href = <?php echo json_encode($_GET['redirect'], JSON_HEX_TAG); ?>;
    });
});
</script>
<img id="check" src="http://ec2-54-81-73-176.compute-1.amazonaws.com/piwik/piwik.php?idsite=2&rec=1" style="border:0" alt="" />
Lets take a look at Piwik
Results
Who clicks on links?
Browser distribution: Twitter has a rather smart browser base
Not too many IE 6's in there
We can to some extent detect many crawlers of Twitter based on their hosting provider.... Who uses EC2 to browse?
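Separating crawler and link-preview hits from real user clicks is the same triage a defender does when estimating how many people actually followed a reported phishing link. The following is an added example, not code from the presentation or from Project Flock: it classifies Piwik-style hit records by hosting-provider address range and by known preview-bot user agents, then reports the browser distribution over human hits only. The hit records and the address blocks are constructed placeholders (RFC 5737 documentation ranges), not real EC2 ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of (ip, user agent) hit records as an analytics tool like Piwik would
# export them; none of these addresses or visits are real.
SAMPLE_HITS = [
    ("203.0.113.10", "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0 Safari/537.36"),
    ("203.0.113.11", "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1) Safari/9537.53"),
    ("198.51.100.7", "Twitterbot/1.0"),
    ("192.0.2.44", "Mozilla/5.0 (compatible; bitlybot/3.0)"),
    ("192.0.2.45", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    ("203.0.113.12", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Firefox/28.0"),
]

# Placeholder blocks standing in for cloud/hosting provider ranges (constructed; a real
# deployment would load the provider's published address ranges instead).
HOSTING_RANGES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# User-agent tokens of link-preview fetchers and URL-shortener crawlers.
CRAWLER_UA = re.compile(r"twitterbot|facebookexternalhit|bot/", re.I)


def classify(ip, ua):
    """Return 'crawler' for hits from hosting ranges or known preview bots, else 'human'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in HOSTING_RANGES) or CRAWLER_UA.search(ua):
        return "crawler"
    return "human"


def browser_family(ua):
    """Coarse browser family from a user-agent string (Chrome is checked before Safari
    because Chrome's UA also carries a Safari token)."""
    for name, pat in (("IE", r"MSIE|Trident"), ("Firefox", r"Firefox/"),
                      ("Chrome", r"Chrome/"), ("Safari", r"Safari/")):
        if re.search(pat, ua):
            return name
    return "Other"


def summarize(hits):
    """Count human vs crawler hits and the browser distribution among human hits only."""
    kinds = Counter(classify(ip, ua) for ip, ua in hits)
    browsers = Counter(browser_family(ua) for ip, ua in hits if classify(ip, ua) == "human")
    return {"human": kinds["human"], "crawler": kinds["crawler"], "browsers": dict(browsers)}


if __name__ == "__main__":
    print(summarize(SAMPLE_HITS))
```

Note that the IE 11 hit from the hosting range is counted as a crawler even though its user agent looks like a desktop browser, which is exactly the "who uses EC2 to browse?" heuristic.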
So it's phishing....
How effective was our phishing... eh... Compared to a Nigerian prince... better. It is fairly anonymous and hard for victims to identify
But what about more direct phishing? The social network equivalent of spear phishing: hashtag hijacks, DM
Targeted hashtags: #Mcafee #secchat #Thevoice #yourcompanyhere
Next steps
Facebook: just steal a video from reddit, 47 visits in an hour
MORE BOTS! Hundreds under one app, multiple apps
Be more clever-er: automation of Flock for specific campaigns; targeted, spray and pray
Early Facebook Thoughts
It seems that many more people will access links from Facebook via phones
It's easy to coerce Facebook's preview page: it will always grab the first image, it will always take the title, and it does not evaluate JavaScript (fortunately)
It seems on Facebook that everyone will watch videos of girls. Or maybe my friends just roll that way
More next steps
Add more Twitter followers
Cross advertise: advertise between Facebook, G+, LinkedIn, Twitter. See how big we can build it
Try and discern metrics beyond just regional and effectiveness
Contact
Zack @teachemtechy www.zerofox.com www.github.com/zmallen
Chaim www.chaimsanders.com