Approach could help software learn how to identify fake accounts with less honorable intentions.
July 11, 2010 by raj
Filed under IT News, Social Media, Social Media Marketing Strategy
By Tom Simonite
It’s not unusual to have user profiles on multiple social networks, or even separate accounts on sites like Twitter–one for work and one for play. But Kyumin Lee at Texas A&M University has 60 Twitter accounts, and not because he’s popular.
Lee’s accounts are “honeypots,” designed to attract the attention of the spammers that increasingly use social networks to spread links to malware and phishing Web sites. Software developed by Lee monitors messages sent to the honeypot accounts to learn the tactics used by spammers.
“The concept of a honeypot is well established at the network level,” says Lee. Usually it takes the form of unprotected computers used to monitor spam e-mail or network-based attacks. “We decided to apply it at a higher level to learn about spam in social networks.” Lee is carrying out the project with A&M colleagues James Caverlee and Brian David Eoff, and with Steve Webb at Georgia Tech University. The work is partially supported by a research award from Google.
The honeypot accounts, like this one, automatically post updates drawn from a collection of 120,000 real tweets harvested from Twitter. The team has also deployed honeypots on MySpace, and created software that uses dummy profiles on both networks to learn about spammer tactics. “We have a bot monitor who contacts our profiles,” says Lee. “It looks at what they put in their messages and also accesses their profile to see their demographic information and past updates.”
So far, Lee says, “our 61 honeypots tempted and collected 30,867 spammers on Twitter.” The data gathered by those bots can also be used to train “classifier” algorithms to identify spammers that haven’t yet contacted a honeypot. A classifier trained using the Twitter honeypots proved capable of correctly identifying spam profiles more than 80 percent of the time. A public Web service is being built from the trained model that will allow people to look up which accounts it considers spam, and submit corrections for any that are misidentified, says Lee.
Spam and phishing attacks delivered over social networks are a growing problem, says Don DeBolt, director of threat research for IT software firm CA Technologies. For example, a phishing scam operating over Twitter recently stole the iTunes accounts of some users. “People immediately trust these applications because it is how they communicate with friends,” DeBolt explains. “Because people are sending much less text than an e-mail, and URL shorteners are often used, it is harder for people to realize a message may not be real.”
DeBolt’s team maintains honeypot profiles of its own, and monitors them manually to look for new spammer tactics. “We have to take great care, though, in curating them as research profiles that don’t impersonate a real person,” he says.
The fact that social network honeypots must be part of a community is a fundamental difference from the conventional approach, says Azer Bestavros, a networking specialist at Boston University who has, in the past, worked on analyzing blog spam. A honeypot computer on a network is typically allocated to “dark” address space so that it would never legitimately be contacted by another machine.
“Other users could consider our honeypot a real person,” Lee acknowledges. “But we do not have friends or contact other people, and on Twitter our profiles posted random messages so a normal user would not think to contact us.”
Some messages and friend requests sent to a social honeypot may be from legitimate users, so information collected from them needs to be treated carefully, says Bestavros. Lee and colleagues are experimenting with varying the output and demographic characteristics of their honeypots to find out what most attracts spammers–for example, varying the dummy user’s age and location, or the frequency of their updates. “Most of the spammers present themselves as college-age females,” says Lee. Data from MySpace honeypots shows that most claim to be located in California, and so far it seems that college-age males are the preferred target.
Lee and colleagues are also interested in trying the approach on the world’s largest social network: Facebook. “It is a more private network, but if we were able to get permission from them it would be interesting to try it there,” he says.
Spammers Turn to Social Networks
April 12, 2010 by raj
Filed under IT News, Social Media Marketing Strategy
As users have flocked to social networks, so, inevitably, have spammers. And according to a recent experiment, users are much more receptive to spam sent via a social network than over e-mail.
[Image] Fake friends: This screenshot shows real users who befriended a bogus Facebook user created by George Petre and colleagues. Credit: BitDefender
A group led by George Petre at BitDefender, an antivirus software company based in Bucharest, Romania, performed an experiment to test the effectiveness of spamming techniques geared toward a social networking site. They found it surprisingly easy to entice Facebook users to “friend” people they didn’t know; they also found that many users were willing to click on links without knowing who sent them or where they led.
Speaking last week at the MIT Spam Conference in Cambridge, MA, Petre described how spammers exploit social networks via messaging systems by enticing users to click on links, and by gathering personal information to target mail-outs.
Most social networks have internal messaging systems for communication between members. Petre’s group examined that of Facebook, which boasts 5 percent of the world’s population as its users. While Facebook has an antispam engine, the group found that it was better at filtering out phishing e-mails than preventing spam messages from getting through.
The group started by creating fake profiles to trick users into friending them. They created three profiles, one containing almost no information about the user, one with some information, and one with detailed information. They used those profiles to join popular groups and began sending out friend requests.
Within 24 hours, 85 users had accepted a request from the first profile, 108 from the second, and 111 from the third. Petre says that acceptances began to accelerate, since more than 50 percent of the time, users would accept the request if they shared a “mutual friend” with the fake profile. In some cases, he says, users would send a message asking for more information about how they knew this supposed new friend. The researchers didn’t respond to these requests, but in many cases, Petre says, users accepted the request anyway.
The researchers then posted a link without any explanation to the fake profiles’ walls, using a URL shortener to obscure where the link went. Almost 25 percent of the profiles’ “friends” visited the link, Petre says.
To send messages to large numbers of people, Petre says, spammers often trick users into joining groups and befriending fake profiles. For example, in the aftermath of the Haitian earthquake, fraudsters started a group on Facebook that claimed the social networking company would donate money to relief efforts for each user who joined. The group collected nearly two million members in the five days before Facebook discovered the activity and suspended the group. While active, Petre says, the group was used to send spam messages to the group’s members.
Spammers can also blast messages to users who have accepted friend requests from them. Petre found that scammers use social games to make contacts with legitimate users. In many of these games, such as Farmville, users get ahead by having friends on the network who play the same game. As a result, there are lots of groups on Facebook devoted to helping users connect with other players. This provides a way for spammers to find users to connect with.
Once connected, spammers can also do more than just send spam messages. They can gather data on users, and those users’ contacts, to create more targeted fraudulent messages. Scammers also post links to profiles that aim to entice users to view advertising or visit compromised phishing or malware websites. While spammers could, in theory, use scripts to harvest e-mail addresses from other users’ profiles, Facebook has implemented several protections that make this difficult to do without getting caught and suspended.
“Social networking spam may be more dangerous than regular old spam because it creates a trust factor not available through blindly sending out mass e-mail,” says Garth Bruen, creator of software called Knujon, which classifies and tracks spam. By mining social networks, he says, criminals can get access to personal details such as where a person lives, where they go out to drink, or what movies they like. “It is very good intel for establishing trust with strangers,” he says. Though Bruen notes that working within a social network costs spammers more resources than traditional methods, he believes the payout could be much bigger.
Kathy Liszka, a professor of computer science at the University of Akron and the chair of the MIT Spam Conference, says that fighting spam is no longer just about mathematics and statistics. Spam and malware companies today are actively recruiting people with backgrounds in psychology, she says, and Petre’s work shows that social networks provide fertile ground for spammers to try more sophisticated forms of manipulation. Liszka says, “If we don’t get up on the psychology aspect, we’re going to start losing ground again.”
Source: http://www.technologyreview.com/web/24909/page2/
Researchers are monitoring a trick that makes it harder to track and shut down fraudulent websites.
November 3, 2009 by raj
Filed under The Latest Web News
In the world of online fraud, as in real life, the longer miscreants can operate without being caught, the more money they stand to make. And experts have discovered that many phishers–crooks who use fake websites to trick users into giving up valuable personal information–have found a trick that makes it harder for the good guys to block or shut them down.
[Image] Gone phishing: Researchers from Indiana University–left to right, Andrew Kalafut, Youngsang Shin, and Minaxi Gupta–are studying a trick used to make phishing sites harder to detect and block. Credit: Aaron Bernstein/Indiana University Communications
The trick, dubbed “flux,” allows a fake site to change its address on the Internet very quickly, making it hard for defenders to block these sites or warn unsuspecting users. According to research recently published in the journal IEEE Security and Privacy, about 10 percent of phishing sites are using flux to hide themselves.
Flux makes use of the Internet’s domain name system, which is responsible for matching a Web address typed into a browser with the server that actually hosts a site. When a user tries to visit a Web page, the domain name system first directs the user to a name server, which maintains an up-to-date list of site addresses. This name server then tells the user’s browser where to find the desired site.
Normally, only a small number of machines host copies of a site–just enough to keep it going if something goes wrong. Fraudulent sites, however, are a different story. Phishing sites are often hosted through botnets–thousands of hijacked machines distributed across the globe.
The team gathered data on compromised pages and the would-be victims.
October 10, 2009 by raj
Filed under The Latest Web News
By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called “drive-by downloading.” They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.
[Image] Credit: Technology Review
Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors’ machines or redirect them to another site.
In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet–those hosting porn and illegal downloads–were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.
“Once upon a time, you thought that if you did not browse porn, you would be safe,” says Giovanni Vigna, a UCSB professor of computer science and one of the paper’s authors. “But staying away from the seedy places on the Internet is no longer an assurance of staying safe.”
First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim’s computer. The malicious software, named for its tactic of infecting a Windows computer’s master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.
“It is definitely one of the most advanced and professional botnets out there,” says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.
Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with JavaScript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet’s owners with remote control over that machine.
The custom domain generation technique is a relatively sophisticated way to foil attempts to permanently shut down the network, the researchers say. Older drive-by download schemes have redirected victims to a hard-coded Web address. Rather than a static address, the JavaScript used by Mebroot generates a new address every day, similar to the domain algorithm used by another computer pest called Conficker. However, because the algorithm relies on known inputs–namely the date–domains can be precomputed, aiding the defenders. The Conficker Working Group, for example, attempted to reserve future domains at least a month in advance.
During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which only used the day’s date as an input. The last variant, however, adds a variable that cannot be easily guessed well in advance: the second character of the day’s most popular search term on Twitter.
“They (Mebroot’s creators) used a variable that was not in control of the bad guys or the good guys,” says Marco Cova, a UCSB student and a coauthor of the paper.
After they reverse-engineered the domain-generation algorithm, the researchers temporarily hijacked Mebroot by mirroring the steps the compromised websites take to calculate the current day’s domain and registering those domains themselves. But the researchers noticed that when they registered a domain for their sinkhole servers, the Mebroot gang would react by registering future domains faster.
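The defender's side of the domain-generation story above, as an added example that is not code from the article or from the UCSB researchers: a toy date-seeded generator (constructed here, not Mebroot's real algorithm) shows why a date-only variant can be precomputed and blocklisted or sinkholed a month ahead, while a variant that mixes in one character from an external source can only be enumerated as a per-day candidate set. The generator, the `.invalid` suffix and the lowercase alphanumeric alphabet are all assumptions of this example.

```python
from __future__ import annotations
import hashlib
import string
from datetime import date, timedelta

# Toy domain-generation algorithm constructed for this example. It is NOT
# Mebroot's real algorithm; it only reproduces the property the article
# describes: a fresh rendezvous domain each day, derived from known inputs.
TLD = ".invalid"  # reserved TLD (RFC 2606), so no output is a routable domain
ALPHABET = string.ascii_lowercase + string.digits  # assumed input alphabet


def domain_for(day: date, extra: str = "") -> str:
    """Derive the day's domain from the calendar date plus an optional
    external input (empty for the date-only variants)."""
    seed = (day.strftime("%Y%m%d") + extra).encode()
    return hashlib.sha256(seed).hexdigest()[:12] + TLD


def precompute(start: date, days: int) -> list[str]:
    """Defender's view of the date-only variants: every future domain can be
    listed in advance and blocked, or registered as a sinkhole, much as the
    Conficker Working Group reserved domains a month ahead."""
    return [domain_for(start + timedelta(days=i)) for i in range(days)]


def candidates(day: date, alphabet: str = ALPHABET) -> set[str]:
    """Third-variant view: the extra character comes from a source nobody
    controls ahead of time (the article: a character of the day's top Twitter
    term). It cannot be predicted, but a single character has only
    len(alphabet) values, so the per-day candidate set stays enumerable."""
    return {domain_for(day, ch) for ch in alphabet}


def matches_dga(observed: str, day: date, alphabet: str = ALPHABET) -> bool:
    """Detection check for DNS logs: could the algorithm have produced this
    domain on the given day (date-only or with any single extra character)?"""
    return observed == domain_for(day) or observed in candidates(day, alphabet)


if __name__ == "__main__":
    today = date(2009, 10, 10)
    print("next 30 days (date-only variant):", precompute(today, 30)[:3], "...")
    print("candidates for today (external-input variant):", len(candidates(today)))
```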
The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers’ servers were running Windows XP, while 23 percent were using Windows Vista. The next two most popular operating systems were Mac OS X 10.4 “Tiger” and Mac OS X 10.5 “Leopard,” which accounted for 6.4 percent of all visitors.
The researchers never compromised visitors’ systems. But they were able to find evidence that they had been infected by analyzing two kinds of information sent over the network. One suggested that 6.5 percent of visitors were infected with malware. The other indicated that 13.3 percent of systems had been modified by malicious or unwanted files. Moreover, more than half–about 54 percent–were running some sort of antivirus software. About 12 percent of those running the security software were also infected by malware, the researchers found.
The researchers also discovered that nearly 70 percent of those redirected by Mebroot–as classified by Internet address–were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.
The research suggests that users need to update more often, says UCSB’s Vigna.
“Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,” he says.
Source: http://www.technologyreview.com/computing/23566/page2/