Archive for the ‘Social Networking’ Category

Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

Wednesday, October 12th, 2011

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

Campbell, Calif. (Oct. 12, 2011) Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

  • LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

  • One in five people has been negatively affected by information that was exposed on a social network.


About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.


Spam Legitimacy Through Url Redirection

Tuesday, August 9th, 2011

by Daniel Peck, Research Scientist

Usually relegated to little more than page filler on vulnerability assessment reports, open URL redirection is a vulnerability that rarely harms the site owner directly, but it can be leveraged to lend a sense of false legitimacy to spam and phishing links routed through it. This is nothing new in the world of spam, but we hadn’t seen much of it in social network spam until recently. A link that is easy for moderately savvy users to spot becomes much harder to judge when it is shared as a Facebook link, which, as we’ve seen before, is trivial for malicious types to create through “likejacking” when an unsuspecting user visits their page.

In this particular case the spammer is leveraging an open redirect on news.bbc.co.uk, a site that most users would see as trustworthy, to redirect to a site that is far from legitimate. So far it seems to be used only to push users towards the typical affiliate spam we often see with social network scams, but the same approach could be very successful in a more malicious context.

While it does not solve the redirection issue, one way to limit the viral spread of these scams is to log out of social media sites like Facebook when you aren’t using them: you will then be prompted to log in if a page tries to post to your account. More savvy users can use browser add-ons such as ShareMeNot and NoScript to block access to Facebook resources from sites other than Facebook. From a developer perspective, to make sure your sites aren’t being used to add false trust to spam campaigns, redirects should be validated and limited as much as possible, either through a whitelist of URLs (or hosts) that may be redirected to, or through an intermediary page advising the user of the redirection. For more information on the vulnerability itself and its mitigations, check out this great post from Google’s Webmaster Central Blog.
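As an added example (not code from the original post, and not the BBC’s), here is the developer-side mitigation described above written for a Node.js handler that takes a “?url=” style parameter: the parameter is resolved with the WHATWG URL parser, the same rules a browser applies, and the resulting host is checked against an allowlist before anything goes into the Location header. The redirecting site’s origin, the allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from the BBC: the
// developer-side mitigation for an open redirect. The redirector's origin,
// the allowlist and the sample inputs are assumptions for illustration.

const SITE_ORIGIN = "https://news.bbc.co.uk/";             // assumed origin of the redirector
const ALLOWED_HOSTS = ["news.bbc.co.uk", "www.bbc.co.uk"]; // assumed allowlist of destinations

// The open redirect: the parameter goes straight into the Location header.
function openRedirect(param) {
  return param;
}

// Hardened version. The parameter is resolved with the WHATWG URL parser
// (the same rules the browser applies), so "//evil", "https://good@evil",
// "/\evil" and scheme tricks all end up as a parsed scheme and host that can
// be checked, instead of as strings that merely happen to start with "/".
function safeRedirect(param, allowedHosts = ALLOWED_HOSTS, origin = SITE_ORIGIN) {
  let target;
  try {
    target = new URL(param, origin);
  } catch (e) {
    return origin; // unparseable: send the user to the site root
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return origin; // javascript:, data:, etc. are never redirect targets
  }
  if (!allowedHosts.includes(target.hostname)) {
    return origin; // off the allowlist, including lookalike subdomains
  }
  return target.href; // normalised absolute URL, safe to put in Location
}

// Constructed inputs of the kind a spammer would try (evil.example is made up).
const SAMPLES = [
  "/news/world-12345",
  "https://www.bbc.co.uk/sport",
  "//evil.example/deal",
  "https://news.bbc.co.uk@evil.example/",
  "/\\evil.example/",
  "https://news.bbc.co.uk.evil.example/",
  "javascript:alert(document.cookie)",
];

// Side-by-side view: what the open redirect would emit vs. the safe version.
function compareRedirects(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, open: openRedirect(s), safe: safeRedirect(s) }));
}

for (const row of compareRedirects()) console.log(row);
```

The design point is that the check happens on the parsed hostname, never on the raw string: a prefix test such as “starts with /” passes “//evil.example” and “/\evil.example”, both of which the browser resolves to another host. If the site genuinely needs to send users off-site, the intermediary-page approach mentioned above is the fallback for hosts that are not on the list.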


Google+ Gets a “+1″ for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies

Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers.” So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity. This happened to Facebook as it grew more popular, and Facebook is still a favorite platform for malicious activity. I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL; non-SSL is not even an option. This protects users’ traffic from being sniffed and their sessions from being hijacked. It is good to know that Google understands that sensitive information is being shared and that SSL is really the only option for transmitting it.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to send the cookie only over a secure (SSL) connection. If the browser ever requests a non-SSL page on the site, the cookie is not sent, so it cannot be sniffed off the wire.

Set-Cookie HttpOnly – This prevents the cookie from being read by client-side script, so a cross-site scripting bug on the site cannot simply copy document.cookie and ship the session off to an attacker.

Together these two cookie attributes help prevent session hijacking: the session cookie is neither sent in the clear nor exposed to injected script.

X-Content-Type-Options: nosniff – This prevents MIME-sniffing attacks. The header instructs the browser not to second-guess the declared Content-Type. Some browsers try to be smart by deciding for themselves whether a response is really text/html or an image; with nosniff, if the server says the content is text/html, the browser renders it as text/html and nothing else.

X-Frame-Options: SAMEORIGIN – This tells the browser to render the page inside a frame only when the framing page comes from the same origin. This prevents clickjacking attacks against the user. Clickjacking is a browser-based attack that tricks the user into clicking on one thing while the click actually lands on an invisibly framed page and performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This turns on the browser’s reflected cross-site scripting filter. If the browser detects what looks like a reflected XSS attack, mode=block stops the page from rendering at all; instead the browser shows a blocking message whose exact appearance depends on the browser.

What about Facebook?
While these preventions are by no means groundbreaking or new, the fact that Google is thinking about and using them is a good step. In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

            Secure Cookie   Nosniff   XSS Protection   X-Frame      HttpOnly Cookie   SSL
Google+     Yes             Yes       Yes              SAMEORIGIN   Yes               Yes
Facebook    No              No        No               DENY         Yes               Optional, not default
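As an added example (not code from the original post, Google or Facebook), the following Node.js snippet parses the two response heads quoted above and applies the checks behind the comparison table, so the same audit can be run mechanically against any captured response. The response text is copied from the post; the header and attribute names are the ones the post discusses. One caveat for readers today: browsers have since removed the X-XSS-Protection filter (Chrome dropped its XSS Auditor in 2019, and Firefox never shipped one), and Content-Security-Policy frame-ancestors is the modern replacement for X-Frame-Options, so a current audit would check for CSP as well.

```javascript
// Added example, not from the original post or from Google/Facebook: parse
// the two response heads quoted in the post and apply the checks behind the
// comparison table. Response text is copied from the post; nothing else is
// assumed.

const GOOGLE_PLUS_RESPONSE = `HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE`;

const FACEBOOK_RESPONSE = `HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032`;

// Split a response head into its status line and a map of header name ->
// list of values. Names are case-insensitive (lower-cased here) and
// Set-Cookie may legitimately repeat, hence the list.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== "");
  const statusLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // not "Name: value"; ignore
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }
  return { statusLine, headers };
}

// Cookie attribute names are case-insensitive too: "httponly" in the
// Facebook sample counts the same as "HttpOnly" in the Google+ one.
function cookieHasAttribute(setCookieValue, attr) {
  return setCookieValue
    .split(";")
    .slice(1) // skip the name=value pair itself
    .map((a) => a.trim().toLowerCase())
    .some((a) => a === attr || a.startsWith(attr + "="));
}

// The checks from the table. SSL is not checked here: it is a property of
// the connection, not of the response head.
function auditHeaders(raw) {
  const { headers } = parseResponseHead(raw);
  const first = (name) => (headers[name] ? headers[name][0] : "");
  const cookies = headers["set-cookie"] || [];
  return {
    secureCookie: cookies.length > 0 && cookies.every((c) => cookieHasAttribute(c, "secure")),
    httpOnlyCookie: cookies.length > 0 && cookies.every((c) => cookieHasAttribute(c, "httponly")),
    nosniff: first("x-content-type-options").toLowerCase() === "nosniff",
    xssProtection: /^1(\s*;|$)/.test(first("x-xss-protection").trim()),
    frameOptions: first("x-frame-options").toUpperCase() || "missing",
  };
}

// Names of the checks that failed, plus frameOptions if the header is absent.
function missingProtections(raw) {
  const a = auditHeaders(raw);
  const missing = Object.keys(a).filter((k) => a[k] === false);
  if (a.frameOptions === "missing") missing.push("frameOptions");
  return missing;
}

console.log("Google+ :", auditHeaders(GOOGLE_PLUS_RESPONSE));
console.log("Facebook:", auditHeaders(FACEBOOK_RESPONSE));
```

Run against the two samples, the Google+ response passes every check and the Facebook response is flagged for the missing Secure attribute, missing nosniff and missing X-XSS-Protection, which is exactly the table above. The parser keeps every Set-Cookie value, because a site that sets several cookies only gets credit if all of them carry the attribute.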

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”. According to the advisory, Facebook has resolved the issue. I did another check of the headers and still did not see any change in the response. It is possible that Facebook closed the hole on the server side with input validation, preventing the malicious data from entering their database, but they still have not implemented the simple browser precautions that Google+ has. Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

Conclusion
Unfortunately, not all of these headers are supported in all browsers; anyone still using IE6, for example, gets no benefit from them. What does this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activity? Absolutely not. Is it a good start? Yes, it is. Further, it is good to see an app make its debut with security in mind. It gives us infosec folks a bit of hope that developers are listening and doing the right thing.

Fake Google+ invites used to harvest Facebook profiles

Wednesday, July 13th, 2011

by David Michmerhuizen – Security Researcher

A common denominator of Facebook scams is that they offer you something you can’t resist.  Whether it be free Farmville coins, a ‘Dislike’ button, or just a girl in a short plaid skirt, if it’s desirable then you’ll eventually see it offered on Facebook as part of a scam.

And so it is with the latest must-have digital tchotchke, an invitation to Google’s new social networking offering, Google+. Since Google’s new project is aimed squarely at Facebook you would hardly expect to see such invitations offered on Facebook, but that’s where they’re showing up.

Google Plus invite in Facebook news feed

Clicking on one of these news feed items brings up an actual Facebook application page.    These app pages are being taken down by Facebook and scammers are creating new ones, as seen here:

Facebook fake Google plus invite application

The reason for selecting an application for this scam is that applications can, if allowed, access otherwise private information from your Facebook profile. That’s just what this app does. Clicking on any of these links takes you to a page where the application requests permission to access your Facebook data, and it really does ask for quite a bit.

Permissions request

This appears to be the entire point of this scam – email and account data harvesting.  The only other thing the application does is to spread to your friends.   First you are asked to ‘Like’ the app, which will cause it to appear in your friends’ news feeds.

"Like" step

Then, just in case items from you don’t appear in your friends’ news feeds, there is one more step: you are asked to explicitly send “invites” to your friends.

Fake "invite" step

Instead of actually sending invites, you’re sending Facebook requests that will appear in the notification queue of each friend you select.

Once you are past this point you wind up on the Google+ home page, and when you try to log in – surprise – you haven’t been invited.

As always, we at Barracuda Networks recommend that you approach any wall post that appears in your news feed with great caution. If they seem to be too good to be true, double-check with the person whose name appears on the post. Additionally, Barracuda Web Filters give IT departments the ability to selectively block Facebook within the organization.

Visualizing Bad Tweets

Saturday, June 4th, 2011

by Daniel Peck, Research Scientist

This afternoon I spent a bit of time putting together slides for my presentation at AppSec Europe next week on measuring and monitoring malicious (and we’ll throw spam in that bucket too) activity on social networks, primarily Twitter and Facebook. I wanted a quick way to show the common threads that go into “bad” tweets, and a word cloud came to the rescue. Visualized below are the major threads we’ve seen through mining the Twitter data over the last month. This is everything that was categorized as either adult, porn, spam/fraud, or malware distribution. No surprise that phrases related to the assassination of Osama Bin Laden dominate the dataset.

It’s a little messier than it should be as I have only removed the common English words from this dataset, so the more common Spanish words show up.  On the to-do list. For now, I thought you would enjoy.


Facebook Videos Now Leading to Fake YouTube CAPTCHAs

Tuesday, May 17th, 2011

by David Michmerhuizen – Security Researcher

Facebook survey scams continue to mutate, and the latest development is pretty sneaky. Scammers have designed an offsite page that displays a very convincing YouTube CAPTCHA screen which is completely fake. Similar to the fake video pages we’ve written about before, this fake CAPTCHA page uses the Facebook Open Graph API to spread to your friends’ walls and then serves up several survey links.

It starts with something unremarkable, a video link on a friend’s wall:

Video post on friend’s wall

The “Dad walks in on daughter” is very familiar to those of us who monitor Facebook scams on a daily basis.  In previous incarnations it would lead to a fake video preview page.  Instead, today it leads to this:

Fake CAPTCHA page

which looks enough like a real CAPTCHA to fool many people. Pressing the ‘submit’ button executes code that posts the malicious video link to all of your friends’ walls.  Once done, the user is sent to some scammy surveys:

Surveys

Barracuda Networks recommends users take particular care when on Facebook.  If friends post links, make sure you trust the destination domain before following the link.  Barracuda Web Filters also allow the selective blocking of Facebook within the organization.


Facebook survey scams reappear as Verify Your Account wall posts

Thursday, May 12th, 2011

by Dave Michmerhuizen – Security Researcher

Facebook survey scammers who had recent success with JavaScript cut and paste pages have changed their approach and turned loose a fast-spreading “Please verify your account”  campaign that appears as a wall post from a friend…

Verify your account wall post

Barracuda Labs recently reported on versions of this scam that required you to cut and paste a bit of JavaScript into your URL bar. The attack above uses the same JavaScript but embeds it in a link attached to the wall post.

There is another version, of which we have no sample, that posts an obscene message to your wall and then claims that the only way to remove the obscenity is to press a “Remove this app” button that is part of the post.

As was the case in the cut and paste attack, if the link is clicked the JavaScript executes in the context of your Facebook page and has access to all of the APIs and credentials that page has. The attacking JavaScript takes advantage of that context to post the same scam to the walls of all of your friends.

The end result is the same as our previous report – a sham survey that attempts to sign you up for some unwanted service or get your cell phone number in order to send premium SMS messages to it.

Eliminating the convoluted cut and paste instructions makes this version of the JavaScript attack much simpler and more convincing and it has been spreading across Facebook like wildfire.   We can only assume that at some point Facebook will sanitize links in wall posts and not allow use of the “javascript:” scheme.   Until then, expect to see waves of these scams using every social engineering attack in the book.
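An added example, not Facebook’s code and not the scam’s script: what “not allowing the javascript: scheme” in user-supplied links has to look like to actually hold up. A prefix check is easy to slip past, because browsers tolerate case changes, surrounding whitespace and embedded tab or newline characters in a URL before they read the scheme; parsing with the WHATWG URL parser and allowlisting schemes handles those variants because the parser applies the same normalisation the browser does. The page origin, the scheme allowlist and the test hrefs are assumptions for illustration.

```javascript
// Added example, not Facebook's code and not the scam's script: what
// "not allowing the javascript: scheme" in user-supplied links has to look
// like to actually hold up. The page origin, the scheme allowlist and the
// test hrefs are assumptions for illustration.

// Naive filter: reject the literal prefix. Browsers tolerate case changes,
// leading whitespace and embedded tab/newline characters before and inside
// the scheme, so several of the hrefs below sail straight past it.
function naiveIsSafeHref(href) {
  return !href.toLowerCase().startsWith("javascript:");
}

// Parser-based filter: normalise with the WHATWG URL parser (the same rules
// the browser applies when it follows the link), then allow only known-good
// schemes. The parser strips leading/trailing C0 controls and spaces and
// removes ASCII tabs and newlines before it reads the scheme, so every
// obfuscated variant collapses to protocol "javascript:". Relative hrefs
// resolve against the page origin and inherit its https: scheme.
const PAGE_ORIGIN = "https://www.facebook.com/";                 // assumed
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy

function isSafeHref(href) {
  let u;
  try {
    u = new URL(href, PAGE_ORIGIN);
  } catch (e) {
    return false; // unparseable: drop the link rather than guess
  }
  return ALLOWED_SCHEMES.has(u.protocol);
}

// Constructed corpus. The javascript: payloads are placeholders, not the
// script the post describes. If hrefs arrive as HTML attribute text,
// entity-decode them first (as the HTML parser would), then check.
const HREFS = [
  "https://www.facebook.com/settings",
  "/profile.php?id=1",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
];

// Which hrefs each filter lets through; the difference is the bypass set.
function passedBy(check, hrefs = HREFS) {
  return hrefs.filter(check);
}

function bypasses(hrefs = HREFS) {
  return passedBy(naiveIsSafeHref, hrefs).filter((h) => !isSafeHref(h));
}

console.log("naive lets through :", passedBy(naiveIsSafeHref));
console.log("parser lets through:", passedBy(isSafeHref));
console.log("bypasses of naive  :", bypasses());
```

On the constructed corpus the naive filter only catches the two hrefs that literally begin with “javascript:” in some letter case; the leading-space, tab and newline variants, plus data: and vbscript: links, all get through it and are all rejected by the scheme allowlist. Allowlisting schemes rather than blocklisting “javascript:” is what makes the second filter hold up against schemes nobody thought to list.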

In the meantime, don’t click on links that are part of unusual items posted to your wall – delete them instead. Visit the Facebook account settings pages to take care of account related issues.

As always, Barracuda Networks recommends you exercise special care when visiting links posted in your social network feeds. Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.

Facebook infested with cut and paste Javascript survey scams

Tuesday, May 10th, 2011

by Dave Michmerhuizen – Security Researcher

The Social Networking monitors at Barracuda Labs are reporting a virulent outbreak of survey scams on Facebook.  These attacks use a variety of social engineering topics and spread via different Facebook APIs,  but all use the same initial “cut and paste JavaScript” exploit to spread within the Facebook ecosystem.

  • Osama Death Video
  • 500 Facebook Credits
  • Free McDonalds
  • Official Time Spent App
  • See you in 20 Years
  • Dad walks in on daughter
  • Who hacked your Facebook
  • Who Visited 1.01

How it works

All of these pages exploit a poorly understood feature of modern web browsers: the ability to execute JavaScript entered into the URL bar. (Major browsers have since added mitigations, such as stripping a pasted “javascript:” prefix from the address bar, but the underlying principle that script run from the address bar gets the page’s full privileges still applies.) You can demonstrate this yourself by entering the following in the URL bar of your browser

javascript:alert("Thanks for reading the Barracuda Labs blog!")

and pressing the Enter key.

JavaScript executed in this manner does so in the context of the currently loaded webpage.  If that’s Facebook and you’re logged in, then the JavaScript has access to all the APIs and credentials that the authenticated Facebook page has.   You can even demonstrate that by putting this example in the URL bar

javascript:alert(document.cookie)

The resulting message box displays the cookie (if any) that is associated with the currently loaded web page.

These scam pages all try to trick you into copying a bit of JavaScript onto the clipboard and pasting it into the URL box, like so:

Typical Cut & Paste instructions

It’s no accident that this looks confusing since the scammer doesn’t want you to think too hard about what you’re actually doing.  “Just follow the instructions!” is what they say.   What this particular snippet does is to tell the currently loaded web page to load and run a much larger JavaScript file from elsewhere on the Internet, in this case,  http://hapenceiver.info/lock.js.

The JavaScript file that is loaded goes right to work spreading the scam to your friends. There are a number of these files in circulation, all of them parameter-driven and so easy to use that would-be scammers don’t even need to know how the script works. Just change the fake message and the scam landing page and they’re good to go, as in this small sample of one script:

JavaScript sample

The bulk of the JavaScript spreads the scam virally using various Facebook APIs such as messages, invitations and posts to friends’ walls.

At one time these sorts of survey scams were spread via Facebook applications that attempted to trick you into “liking” them.   A Facebook application requires scammers to apply for an AppID and to have a server.    This “Cut and Paste JavaScript” approach only needs a cheap domain or even a Facebook page.  Either are easy to set up, and with such a lowered bar to entry the scams are showing up everywhere.   Prompting users to cut and paste JavaScript isn’t new but it’s sure meeting with a lot of success.

What happens

Executing the JavaScript file that the code sample is from will post a message to every one of your friends’ walls, like so:

Post on friend’s wall

If a friend clicks through, they see the attack page, hosted on Facebook:

Attack page

and if that friend follows the directions, not only do they spam their friends, but they proceed on to a survey page, in this case disguised as a “security check”.

Fake "Security Check"

Following one of these all the way through lands you on the payoff screen.

Cell phone number requested

The “security check” says it wants to send the results to your cell phone. Your cell phone number is really being requested in order to sign you up for a premium SMS service, as shown in the small type at the bottom of the page. This is how many Facebook survey scam pages make their money and why they are so prevalent.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds. Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.

Cyber criminals continue to capitalize on current events – Osama Bin Laden dead!

Monday, May 2nd, 2011

by  Nidhi Shah, Security Researcher

Along with the media, homeland security and Al-Qaeda supporters, another group of people got to work immediately after Osama Bin Laden was killed: malware authors. This is not surprising given malware writers’ propensity to take advantage of the day’s current events as a way to reach the largest number of eyeballs and victims.

This news is no different. We noticed multiple campaigns taking advantage of the news within hours of its announcement. One such campaign showed up on Facebook offering a video of the killing:

Wall from account spreading fake videos

Clicking on the link leads the user to a fake blog with a video, which in turn requires the user to “Like” it in order to get to the video. In doing so, the user authorizes the malware to post on his or her wall and fill it with further “Like” messages that were never authorized. “Like” messages are shared automatically via the Facebook news feed across a user’s network, so these messages quickly go viral and spread via trusted channels.

Newsfeed from victim account

There are multiple other campaigns taking advantage of this news, some also inventing new related headlines to get more attention, like this campaign (again on Facebook):

Wall from another account trying to promote sites with fake headlines

Clicking on that link will lead you to the blog full of such fake headlines.

Blog from fake headline campaign

While this one did not directly lead to any malicious impact, clearly the headlines are fake. That leads us to believe that we might have encountered it while malware authors were still in the process of preparing their next malicious campaign. Or that they could be taking advantage of current events and user curiosity for increasing search engine ranking for these pages.

Our advice to readers is to be cautious while browsing the Web to look for more details related to this event and any other major news in general. We recommend visiting the major news channels directly to get more information rather than click on links in Facebook or Twitter, even if they are seemingly posted by friends or trusted sources.

Why Facebook proxies are a bad idea

Monday, April 25th, 2011

by Dave Michmerhuizen,  Security Researcher

Facebook is immensely successful.  It is estimated that nearly 40% of the population of the United States has a Facebook account and that more people visit Facebook than visit Google.

However, many organizations consider Facebook to be both a distraction and a security risk.  While it has been very common for Web filtering solutions to block all access to Facebook, many organizations are realizing the need to safely allow access, at least to some degree.

As you might expect, enthusiastic Facebook users aren’t very happy with being kept from their favorite website, even during work or school hours.   Some of the more popular searches on Google are for “access facebook” and “unblock facebook.”  These searches return lists of Facebook proxy sites.

Proxy software serves as an intermediary for internet traffic.  To use a proxy to ‘unblock’ Facebook, users direct their web browsers to send requests to the proxy.  The proxy performs the request and sends the results back to the web browser.   Since the users do not deal directly with Facebook, blocking Facebook has no effect.

The sites that are returned by searching for “unblock Facebook” usually wrap proxy software with a Facebook-specific web user interface, offering themselves as web proxies so that frustrated Facebook users can sneak around the firewall and make that all important status post.

Here’s an example, the home page of accessexists.com

accessexists.com - a Facebook proxy site

The links work fairly well, allowing you to log in to Facebook and use most functions seamlessly.

The problem with using one of these so-called Facebook proxy sites is that you don’t know who is running it, where they are located, or what might be done with your user name and password. Consider what network traffic gets sent in the clear when you use the proxy to log on to Facebook.

Network traffic to accessexists.com

In this case our username and password are part of a POST transaction that is sent.   Where is it being sent?    WHOIS shows us that accessexists.com is owned by someone named Vladimir in Russia.

accessexists.com whois record

Vladimir is saving usernames and passwords, because after a day or so they get around to asking for money.

An unsophisticated user might see this as an immediate solution to an unfair problem, but it carries a great deal of risk. Valid Facebook usernames and passwords are sold to scammers on underground markets for a variety of purposes.  One of the most common ones is simply sending spam messages to everyone on your friends list.   Another is to use your account to carry out a variant of the Grandmother scam.

Trusting your Facebook username and password to an unknown third party is simply not worth the headaches it can cause.

Barracuda Networks customers using Barracuda Web Filters can restrict access to Facebook within the organization and can also block access to web proxy sites.