
The Dark Side: Measuring & Analysing Malicious Activity On Twitter and Facebook

Daniel Peck, Senior Research Scientist, Barracuda Networks

In 2010: Half of The Spam Disappeared


[Chart: spam volume in billions over 2010; labelled values 52 Billion and 26 Billion]

#1 Time Usage On Web: Social Networks

Source: Nielsen

Best Places for Eyeball Collecting


Search Engines
Billions of Searches Monthly

Social Networks
Hundreds of Millions of Users

Twitter = (a little bit of both)

Account Hijackings

Lil Wayne
January 2011

Guns N Roses: Axl Rose


August 2010

Steve Wozniak

Qantas Airlines

Security flaws

Twitter Security Flaws


Hacked Servers: Francois Cousteix, April 2009
Force Follow: accept username, May 2010
onMouseOver: XSS retweet, September 2010
CSRF: link that tweets, September 2010

Malware on Twitter

1 in 100 posts on Twitter are spam/malicious

Funniest Video Ever Banking Trojan

Israeli/Gaza Strip: Bifrost Trojan


Bifrost Trojan
Sets up backdoor
Some install rootkit
Allows execution of arbitrary code
Source: Naked Security, Sophos

Goo.gl Shortener + NeoSploit
December 2010
Goo.gl shortened links are sent
Links point to a French furniture manufacturer
Several redirects lead to a site infected with the NeoSploit exploit kit

Rogue A/V + Trending Topics (step 1 of 3)

Rogue A/V + Trending Topics (Step 2 of 3)


hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54 which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

Rogue A/V + Trending Topics (step 3 of 3)

Twitter URL Types


leisure 49%
information 25%
technology 10%
commerce 8%
communications 6%
propriety 1%
security 1%
ads 0%
illegal 0%

Twitter Harmful URL Types


spam 60%
hacking 19%
spyware 11%
suspicious 8%
phishing 1%
proxies 1%

Drive By Download rate of occurrence: ~1/1000

MALtrace & URLtrace:
Malware Analysis w. Virtualization
Load samples into Maltrace/URLtrace
Maltrace allows the malware to run on a virtual PC
Uses heavyweight virtualization in a scalable manner
128 VMs simultaneously in flight per 1U processing node
Network traffic is captured and used to create signatures

URLTrace Examples

Barracuda Labs Technology: Malicious Javascript Detector (MJD)


Place content in a virtual browser environment
Perform behavioral analysis of JavaScript to determine its intentions
Proxy

Twitter Reputation System

Barracuda Labs Technology: Twitter Reputation System


Process Twitter Public Stream
Query Twitter User Database for Other Users
Analyze Users' Activities
Analyze Web Links
Add Malicious Sites to Barracuda SPYDEF list

True Twitter Users

10 Followers, Friends, & Tweets

Other 57%

True Users 43%

Compared to 21% in Jan 2010

Crime Rate

Twitter crime rate is the percentage of accounts created per month that are eventually suspended by Twitter.
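A worked computation of this metric, added here as an illustration (not code from the talk or from Barracuda Labs): accounts are grouped by creation month, and an account counts against that month whenever its suspension happened later. The account records, field layout and function names are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: (account_id, created_on, suspended_on or None).
ACCOUNTS = [
    ("a1", date(2009, 3, 2), None),
    ("a2", date(2009, 3, 9), date(2009, 7, 1)),    # suspended months later
    ("a3", date(2009, 3, 20), None),
    ("a4", date(2009, 3, 28), None),
    ("a5", date(2009, 4, 1), date(2009, 4, 3)),
    ("a6", date(2009, 4, 15), date(2010, 1, 12)),
    ("a7", date(2009, 4, 30), None),
    ("a8", date(2009, 5, 5), None),
]

def crime_rate_by_month(accounts, as_of):
    """Percent of accounts created in each month that were suspended by `as_of`.

    The cohort is keyed on the creation month; the suspension date only
    decides whether the account counts, not which month it is charged to.
    """
    created = defaultdict(int)
    suspended = defaultdict(int)
    for _id, created_on, suspended_on in accounts:
        if created_on > as_of:
            continue  # account did not exist yet at the observation date
        month = (created_on.year, created_on.month)
        created[month] += 1
        if suspended_on is not None and suspended_on <= as_of:
            suspended[month] += 1
    return {m: round(100.0 * suspended[m] / created[m], 2) for m in sorted(created)}

def suspensions_in_month(accounts):
    """A different figure: suspensions bucketed by the month they happened in."""
    out = defaultdict(int)
    for _id, _created_on, suspended_on in accounts:
        if suspended_on is not None:
            out[(suspended_on.year, suspended_on.month)] += 1
    return dict(out)

if __name__ == "__main__":
    for when in (date(2009, 6, 30), date(2010, 6, 30)):
        print(when, crime_rate_by_month(ACCOUNTS, when))
    print(suspensions_in_month(ACCOUNTS))
```

Because suspension lags creation, the rate for a recent cohort keeps rising as the observation date moves forward, so cohorts are only comparable when measured at the same account age.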

Twitter Growth Red Carpet Era


Twitter Account Creation 2006-2009
54% of the 50 most popular Twitter users started using Twitter during the Twitter Red Carpet Era.
Twitter growth rate went from 2.02% in Nov 08 to 21.17% in April 09.

Twitter Account Creation Red Carpet Era (11/08-04/09)

Twitter Crime Rate 2006-2009


2006 = 1.2%
2007 = 1.7%
2008 = 2.2%

During Red Carpet Era: Twitter Crime Rate increased 66%, from 2.02% to 3.36%. This more than tripled over the following four months, escalating to 12% in October 2009.

Suspended Accounts: Friend Follower Delta


Suspended Accounts Show Greater Delta in Friend/Follower Delta

Real User: 2.91
Eventually Suspended User: 4.54

[Chart: Tweet Number; bin labels <1, 1-4, 5-9, 10-99, >100; plotted values 5.2, 10.7, 79.2, 3.7, 0.2]

Large Tweet Numbers & High Positive Deltas: Spammers

Account            Tweet Number   Followers-Friends Delta
MySportsTracker    148.10         2521
EarnMoneyToday_    147.77         2520
MONEYWHOLESALE     131.58         2483
The_Sims_3         160.55         2371
LA_Restaurants     111.15         2360
revesbyseller      132.43         2339

Large Tweet Numbers & Large Negative Deltas: Scammers

Account            Tweet Number   Followers-Friends Delta
skincarewonder     161.94         -467
instantbiztips     184.58         462
vouchers_code      336.92         -472
net_shopping111    376.62         -490
Cam4Porn           324.63         -1120
tweetstockstips    207.06         -1060
www365buyingcom    210.38         -930

Friend/Follower Ratio: 0.78 Friend/Follower Delta: -244 Tweet Number: 76.3

Friend/Follower Ratio: 0.50 Friend/Follower Delta: -325 Tweet Number: 108.9

ProfileProtector.com

Facebook Attacks

1 in 60 posts on Facebook are spam/malicious

Facebook Social Attacks

Photo Tags Up To 50 People

Website Selling Fake Illegal Shoes

Likejacking

Malicious Facebook Apps

Hidden Truth Photos

Automated Social Engineering

Search Malware

Billions of Searches A Day


88,000,000,000 Per Month On Google Sites
40,000,000,000 Per Month On Twitter
9,400,000,000 Per Month On Yahoo Sites
4,100,000,000 Per Month On Microsoft Sites

Top 10 search terms of 2010 (people are lazy)

Source: comscore

Barracuda Labs Technology: Search Engine Malware Crawler


Get Popular Search Terms Hourly
Search for Those Terms
Retrieve the Set of Search Results
Retrieve the Web Sites for the Results
Analyze the Sites for Malicious Code
Add Malicious Sites to Barracuda SPYDEF list

Data Set
4 Search Engines (Bing, Google, Twitter, Yahoo)
153 Days
157,154 Popular Topics
36,972,206 Search Results

Frequency of Search Engine Malware


34,627 malware samples found
1 in 1000 search results lead to malware
1 in 5 search topics lead to malware

Total Malware by Search Engine


Google 38%
Yahoo 30%
Bing 24%
Twitter 8%

Number Two Search Term Leading to Malware: Jenni J-Woww

Top Search Terms That Led To Malware


music+video 17%
jenni+jwoww 15%
mortgage 10%
nfl 10%
credit+score 9%
barrack+obama 8%
costco 8%
rex+ryan 8%
world+series 8%
abby+road 7%

Lebron James

Lebron James (1 of 4)


Lebron James (2 of 4)


Lebron James (3 of 4)

Lebron James (4 of 4)

Survey Results:
Social Networking Security and Privacy

Summary
Attackers are focusing more on social networks and search engines to reach users.
Viral features provide efficient tools for attackers.
Behavior-based features show promise of building a foundation for User Reputation.
ProfileProtector.com
@BarracudaLabs
