Towards Detecting Compromised Accounts on Social Networks
Compromising social network accounts has become a profitable course of action
for cybercriminals. By hijacking control of a popular media or business
account, attackers can distribute their malicious messages or disseminate fake
information to a large user base. The impacts of these incidents range from a
tarnished reputation to multi-billion dollar monetary losses on financial
markets. In our previous work, we demonstrated how we can detect large-scale
compromises (i.e., so-called campaigns) of regular online social network users.
In this work, we show how we can use similar techniques to identify compromises
of individual high-profile accounts. High-profile accounts frequently have one
characteristic that makes this detection reliable -- they show consistent
behavior over time. We show that our system, were it deployed, would have been
able to detect and prevent three real-world attacks against popular companies
and news agencies. Furthermore, our system, in contrast to popular media, would
not have fallen for a staged compromise instigated by a US restaurant chain for
publicity reasons.
Facebook Applications' Installation and Removal: A Temporal Analysis
Facebook applications are one of the reasons for Facebook attractiveness.
Unfortunately, numerous users are not aware of the fact that many malicious
Facebook applications exist. To educate users, to raise users' awareness and to
improve Facebook users' security and privacy, we developed a Firefox add-on
that alerts users to the number of installed applications on their Facebook
profiles. In this study, we present the temporal analysis of the Facebook
applications' installation and removal dataset collected by our add-on. This
dataset consists of information from 2,945 users, collected during a period of
over a year. We used linear regression to analyze our dataset and discovered
the linear connection between the average percentage change of newly installed
Facebook applications and the number of days passed since the user initially
installed our add-on. Additionally, we found that users who used our
Firefox add-on became more aware of their security and privacy, installing on
average fewer new applications. Finally, we discovered that on average 86.4% of
Facebook users install an additional application every 4.2 days.
Under the Shadow of Sunshine: Characterizing Spam Campaigns Abusing Phone Numbers Across Online Social Networks
Cybercriminals abuse Online Social Networks (OSNs) to lure victims into a
variety of spam. Among different spam types, a less explored area is OSN abuse
that leverages the telephony channel to defraud users. Phone numbers are
advertised via OSNs, and users are tricked into calling these numbers. To
expand the reach of such scam / spam campaigns, phone numbers are advertised
across multiple platforms like Facebook, Twitter, GooglePlus, Flickr, and
YouTube. In this paper, we present the first data-driven characterization of
cross-platform campaigns that use multiple OSN platforms to reach their victims
and use phone numbers for monetization.
We collect 23M posts containing 1.8M unique phone numbers from Twitter,
Facebook, GooglePlus, Youtube, and Flickr over a period of six months.
Clustering these posts helps us identify 202 campaigns operating across the
globe with Indonesia, United States, India, and United Arab Emirates being the
most prominent originators. We find that even though Indonesian campaigns
generate the highest volume (3.2M posts), only 1.6% of the accounts propagating
Indonesian campaigns have been suspended so far. By examining campaigns running
across multiple OSNs, we discover that Twitter detects and suspends 93% more
accounts than Facebook. Therefore, sharing intelligence about abuse-related
user accounts across OSNs can aid in spam detection. According to our dataset,
around 35K victims and 8.8M USD could have been saved if intelligence was
shared across the OSNs. By analyzing phone number based spam campaigns running
on OSNs, we highlight the unexplored variety of phone-based attacks surfacing
on OSNs.
Comment: To appear in WebScience 201
Friend or Foe? Fake Profile Identification in Online Social Networks
The amount of personal information unwillingly exposed by users on online
social networks is staggering, as shown in recent research. Moreover, recent
reports indicate that these networks are infested with tens of millions of fake
users profiles, which may jeopardize the users' security and privacy. To
identify fake users in such networks and to improve users' security and
privacy, we developed the Social Privacy Protector software for Facebook. This
software contains three protection layers, which improve user privacy by
implementing different methods. The software first identifies a user's friends
who might pose a threat and then restricts this "friend's" exposure to the
user's personal information. The second layer is an expansion of Facebook's
basic privacy settings based on different types of social network usage
profiles. The third layer alerts users about the number of installed
applications on their Facebook profile, which have access to their private
information. An initial version of the Social Privacy Protection software
received high media coverage, and more than 3,000 users from more than twenty
countries have installed the software, out of which 527 used the software to
restrict more than nine thousand friends. In addition, we estimate that more
than a hundred users accepted the software's recommendations and removed at
least 1,792 Facebook applications from their profiles. By analyzing the unique
dataset obtained by the software in combination with machine learning
techniques, we developed classifiers, which are able to predict which Facebook
profiles have high probabilities of being fake and therefore, threaten the
user's well-being. Moreover, in this study, we present statistics on users'
privacy settings and statistics of the number of applications installed on
Facebook profiles...
Comment: Draft Version
On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect
OAuth is the new de facto standard for delegating authorization in the web.
An important limitation of OAuth is the fact that it was designed for
authorization and not for authentication. The usage of OAuth for authentication
thus leads to serious vulnerabilities as shown by Zhou et al. in [44] and Chen
et al. in [9]. OpenID Connect was created on top of OAuth to fill this gap by
providing federated identity management and user authentication. OpenID Connect
was standardized in February 2014, but leading companies like Google,
Microsoft, AOL and PayPal are already using it in their web applications [1],
[2], [3], [30].
In this paper we describe the OpenID Connect protocol and provide the first
in-depth analysis of one of the key features of OpenID Connect: the Discovery
and the Dynamic Registration extensions. We present a new class of attacks on
OpenID Connect that belong to the category of second-order vulnerabilities.
These attacks consist of two phases: First, the injection payload is stored by
the legitimate application. Later on, this payload is used in a
security-critical operation. Our new class of attacks - called Malicious
Endpoints attacks - exploits the OpenID Connect extensions Discovery and
Dynamic Registration. These attacks break user authentication, compromise user
privacy, and enable Server Side Request Forgery (SSRF), client-side code
injection, and Denial-of-Service (DoS). As a result, the security of the OpenID
Connect protocol cannot be guaranteed when these extensions are enabled in
their present form.
We contacted the authors of the OpenID Connect and OAuth specifications. They
acknowledged our Malicious Endpoint attacks and recognized the need to improve
the specification [29]. We are currently involved in the discussion regarding
the mitigation of the existing issues and an extension to the OAuth
specification.
Hawkes Process for Understanding the Influence of Pathogenic Social Media Accounts
Over the past years, political events and public opinion on the Web have been
allegedly manipulated by accounts dedicated to spreading disinformation and
performing malicious activities on social media. These accounts hereafter
referred to as "Pathogenic Social Media (PSM)" accounts, are often controlled
by terrorist supporters, water armies or fake news writers and hence can pose
threats to social media and general public. Understanding and analyzing PSMs
could help social media firms devise sophisticated and automated techniques
that could be deployed to stop them from reaching their audience and
consequently reduce their threat. In this paper, we leverage the well-known
statistical technique "Hawkes Process" to quantify the influence of PSM
accounts on the dissemination of malicious information on social media
platforms. Our findings on a real-world ISIS-related dataset from Twitter
indicate that PSMs are significantly different from regular users in making a
message viral. Specifically, we observed that PSMs do not usually post URLs
from mainstream news sources. Instead, their tweets usually have a large
impact on their audience if they contain URLs from Facebook and alternative news
outlets. On the contrary, tweets posted by regular users receive nearly equal
impressions regardless of the posted URLs and their sources. Our findings can
further shed light on understanding and detecting PSM accounts.
Comment: IEEE Conference on Data Intelligence and Security (ICDIS) 201
Unauthorized Cross-App Resource Access on MAC OS X and iOS
On modern operating systems, applications under the same user are separated
from each other, for the purpose of protecting them against malware and
compromised programs. Given the complexity of today's OSes, less clear is
whether such isolation is effective against different kinds of cross-app
resource access attacks (called XARA in our research). To better understand the
problem, on the less-studied Apple platforms, we conducted a systematic
security analysis on MAC OS X and iOS. Our research leads to the discovery of a
series of high-impact security weaknesses, which enable a sandboxed malicious
app, approved by the Apple Stores, to gain unauthorized access to other apps'
sensitive data. More specifically, we found that the inter-app interaction
services, including the keychain, WebSocket and NSConnection on OS X and URL
Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such
confidential information as the passwords for iCloud, email and bank, and the
secret token of Evernote. Further, the design of the app sandbox on OS X was
found to be vulnerable, exposing an app's private directory to the sandboxed
malware that hijacks its Apple Bundle ID. As a result, sensitive user data,
like the notes and user contacts under Evernote and photos under WeChat, have
all been disclosed. Fundamentally, these problems are caused by the lack of
app-to-app and app-to-OS authentications. To better understand their impacts,
we developed a scanner that automatically analyzes the binaries of MAC OS and
iOS apps to determine whether proper protection is missing in their code.
Running it on hundreds of binaries, we confirmed the pervasiveness of the
weaknesses among high-impact Apple apps. Since the issues may not be easily
fixed, we built a simple program that detects exploit attempts on OS X, helping
protect vulnerable apps before the problems can be fully addressed.
More or Less? Predict the Social Influence of Malicious URLs on Social Media
Users of Online Social Networks (OSNs) interact with each other more than
ever. In the context of a public discussion group, people receive, read, and
write comments in response to articles and postings. In the absence of access
control mechanisms, OSNs are a great environment for attackers to influence
others, from spreading phishing URLs, to posting fake news. Moreover, OSN user
behavior can be predicted by social science concepts which include conformity
and the bandwagon effect. In this paper, we show how social recommendation
systems affect the occurrence of malicious URLs on Facebook. We exploit
temporal features to build a prediction framework, having greater than 75%
accuracy, to predict whether the following group users' behavior will increase
or not. Included in this work, we demarcate classes of URLs, including those
malicious URLs classified as creating critical damage, as well as those of a
lesser nature which only inflict light damage such as aggressive commercial
advertisements and spam content. It is our hope that the data and analyses in
this paper provide a better understanding of OSN user reactions to different
categories of malicious URLs, thereby providing a way to mitigate the influence
of these malicious URL attacks.
Comment: 10 pages, 6 figures
PhishAri: Automatic Realtime Phishing Detection on Twitter
With the advent of online social media, phishers have started using social
networks like Twitter, Facebook, and Foursquare to spread phishing scams.
Twitter is an immensely popular micro-blogging network where people post short
messages of 140 characters called tweets. It has over 100 million active users
who post about 200 million tweets everyday. Phishers have started using Twitter
as a medium to spread phishing because of this vast information dissemination.
Further, it is difficult to detect phishing on Twitter unlike emails because of
the quick spread of phishing links in the network, short size of the content,
and use of URL obfuscation to shorten the URL. Our technique, PhishAri, detects
phishing on Twitter in realtime. We use Twitter specific features along with
URL features to detect whether a tweet posted with a URL is phishing or not.
Some of the Twitter specific features we use are tweet content and its
characteristics like length, hashtags, and mentions. Other Twitter features
used are the characteristics of the Twitter user posting the tweet such as age
of the account, number of tweets, and the follower-followee ratio. These
Twitter specific features coupled with URL based features prove to be a strong
mechanism to detect phishing tweets. We use machine learning classification
techniques and detect phishing tweets with an accuracy of 92.52%. We have
deployed our system for end-users by providing an easy to use Chrome browser
extension which works in realtime and classifies a tweet as phishing or safe.
We show that we are able to detect phishing tweets at zero hour with high
accuracy which is much faster than public blacklists and as well as Twitter's
own defense mechanism to detect malicious content. To the best of our
knowledge, this is the first realtime, comprehensive and usable system to
detect phishing on Twitter.
Comment: Best Paper Award at APWG eCRS 2012, #phishing #Twitter
#realtime-detection #usable #end-user-too
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Spear phishing is a complex targeted attack in which an attacker harvests
information about the victim prior to the attack. This information is then used
to create sophisticated, genuine-looking attack vectors, drawing the victim to
compromise confidential information. What makes spear phishing different, and
more powerful than normal phishing, is this contextual information about the
victim. Online social media services can be one such source for gathering vital
information about an individual. In this paper, we characterize and examine a
true positive dataset of spear phishing, spam, and normal phishing emails from
Symantec's enterprise email scanning service. We then present a model to detect
spear phishing emails sent to employees of 14 international organizations, by
using social features extracted from LinkedIn. Our dataset consists of 4,742
targeted attack emails sent to 2,434 victims, and 9,353 non targeted attack
emails sent to 5,912 non victims; and publicly available information from their
LinkedIn profiles. We applied various machine learning algorithms to this
labeled data, and achieved an overall maximum accuracy of 97.76% in identifying
spear phishing emails. We used a combination of social features from LinkedIn
profiles, and stylometric features extracted from email subjects, bodies, and
attachments. However, we achieved a slightly better accuracy of 98.28% without
the social features. Our analysis revealed that social features extracted from
LinkedIn do not help in identifying spear phishing emails. To the best of our
knowledge, this is one of the first attempts to make use of a combination of
stylometric features extracted from emails, and social features extracted from
an online social network to detect targeted spear phishing emails.
Comment: Detection of spear phishing using social media features