Posts tagged social networking

The Notion of a Honeypot Persona


I’d like to define the term honeypot persona as a fake online identity established to deceive scammers and other attackers. If this notion interests you, take a look at the article where I proposed using honeypot personas to safeguard user accounts and data. If you haven’t read that note yet, go ahead, I’ll wait…

In that article, I wrote that:

"Using decoys to protect online identities might be an overkill for most people at the moment. However, as attack tactics evolve, employing deception in this manner could be beneficial. As technology matures, so will our ability to establish realistic online personas that deceive our adversaries."

Online attackers have many advantages over potential victims, making it hard to defend enterprise IT resources and personal data. In such situations, diversion tactics might help the defenders balance the scales by slowing down and helping to detect attackers.

I’ve outlined my recommendations for the role that honeypots can play as part of a modern IT infrastructure earlier. Now, I’m also suggesting that honeypot personas, which could also be called decoy personas, might be effective at confusing, misdirecting, slowing down and helping detect online adversaries. For example,

"A decoy profile [on a social networking or another site] could purposefully expose some inaccurate information, while the person’s real profile would be more carefully concealed using the site’s privacy settings."

I define the term honeypot as an item that is designed to be desired by an adversary. In this light, a honeypot persona exhibits characteristics that might be attractive to online attackers, deflecting malicious activities and potentially warning the real person who carries the same name as the decoy that he or she might be targeted soon.

Lenny Zeltser

5 Tech Trends That Explain the Evolution of Online Threats


Information security professionals need to keep an eye on the always-evolving cyber threat landscape. Accomplishing this involves understanding how changes in people’s use of technology influence the opportunities and techniques pursued by criminals on-line. Below are 5 tech trends that have affected the evolution of threats.

Mainstream adoption of the Internet into daily activities. The Internet has become so interwoven into our lives that we often don’t notice when activities make use of Internet-connected resources. Technology that allows people and businesses to utilize Internet connectivity has become so convenient that even non-technical people, old and young, are able to harness the power of the web. As a result:

  • The increase in numbers of non-techies present on and accessible via the Internet made social engineering more fruitful. It’s often easier to target people who aren’t technology specialists.
  • Simplification of user interfaces, necessitated by the need to service non-techies, eliminated some of the details that could assist people in spotting malicious activities or intentions.
  • Commerce and other critical activities moved online, so the criminals followed. To paraphrase the famous saying, criminals are online “because that’s where the money is.”

The increase in usefulness and popularity of mobile devices. Powerful pocket-sized computers with always-on Internet connectivity, also known as phones, have become so common that we rarely make a distinction between a regular and a “smart” phone. Overall, mobile devices have become as integral to the modern way of life as glasses, wallets and shoes. As a result:

  • The critical role of mobile devices, which act as wallets, authentication tools and communication portals, made them attractive targets. A criminal with access to someone’s mobile device has significant insights into and control over the victim’s life.
  • User interface limitations of small screens conceal visual elements that could aid people in making informed information security decisions. Mobile apps often omit security indicators such as SSL icons that have become staples of the traditional desktop browsing experience.
  • The use of personal devices for work purposes (BYOD) increased the attack surface available to criminals looking to compromise information security safeguards of enterprises. Attackers can use employee-owned mobile devices as portals into the organization’s network, systems and applications.

The popularity and acceptance of online social networking. While initially seen as serving the needs of niche groups, websites such as Twitter, Facebook and LinkedIn have been joined by numerous others to support new ways in which people socialize online. Social networking sites have become the backbone of modern interactions. As a result:

  • The ease with which people can be reached through online social networks provided criminals with easy access to potential victims. While people might conceal their email addresses, they often allow strangers to contact them through online social networks.
  • The curation culture of online social networks, which encourages people to share links to videos, articles and other items of interest, provided scammers and malware operators convenient ways to distribute malicious links.
  • The wealth of personal data available on people’s social networking profiles provided criminals with the details for executing targeted attacks and social engineering scams.

The connectivity between “physical” and “virtual” worlds. Objects, tools and other constructs (e.g., thermostats, industrial control systems, home automation devices) in the “physical” world are increasingly connected to the web, giving rise to the concept of the “Internet of things.” As a result:

  • The popularity of digital currencies, such as Bitcoin, and game currencies, such as World of Warcraft gold, offered criminals new financial targets and monetization schemes that took them beyond standard currencies such as the Dollar, Pound and Euro.
  • The ease of connectivity between VoIP and traditional telephone networks gave rise to new forms of telephone-based scams and denial-of-service attacks (TDoS) that target companies’ phone systems.
  • The addition of online access features to sensors such as video cameras provided attackers with new ways to observe victims remotely, compromising privacy and exposing people and organizations to espionage and other risks.

The acceptance of cloud computing. The use of external, virtualized and/or outsourced IT resources has gained mainstream adoption for not only personal, but also enterprise applications. The cloud is permeating all aspects of modern life. It is becoming increasingly difficult and unnecessary to make a distinction between traditional and cloud-based technologies. As a result:

  • Consolidated data stores outside of the traditional security perimeter of the individual’s PC or the organization’s network established attractive targets. For instance, compromising the email database of a mass-marketing service provider, the attacker can gain access to information useful for further criminal activities.
  • Greater reliance on third-party service providers blurred the line between the roles and responsibilities related to safeguarding data. With each party assuming that the other provides information security oversight and governance, the vulnerabilities available to attackers have increased in number.
  • The proliferation of online cloud-based services has increased the number of passwords that people need to manage, increasing the likelihood that people will select easy-to-remember and, therefore, easy-to-guess logon credentials.

Though I’ve broken out technology trends as distinct observations, they are interrelated within a system that comprises the modern way of life, which incorporates phones, social exchanges, interconnectedness and cloud services into its very fabric. Similarly, the trends in attack strategies, targets and rewards are intertwined to create the reality that infosec professionals need to understand and safeguard.

Lenny Zeltser

What Anomalies Trigger The LinkedIn Sign-In Verification Challenge?

LinkedIn prompts users to take additional steps when it determines that the logon attempt is unusual. What activities does LinkedIn consider suspicious? This isn’t well documented, but here are a few possibilities.

According to LinkedIn, the service presents a security challenge when the user attempts to sign-in “from an unfamiliar location or device” or when the service detects “suspicious web activity.” In this case, the user might be emailed a verification link or presented with a CAPTCHA challenge.

The security challenge could come up when the user accesses LinkedIn from a new country. In this case, the person would see:

“This sign-in attempt seems unusual for you. As a security precaution, please check your email to verify this sign-in attempt.”

The email message will explain, “Someone just tried to sign in to your LinkedIn account from an unfamiliar location, so we want to make sure it’s really you.” The email will specify the IP address and the country where the attempt originated. The recipient will be advised to click a button to verify the sign-in attempt or click another link to change the password.


Watch out, scammers might misuse this text for phishing!

LinkedIn also presents the verification prompt after an extended absence according to one report on Twitter. Another sighting on Twitter suggests that LinkedIn might be checking for frequent login/logout actions from a single location, though specifics of this logic are a bit unclear.


To reduce the likelihood that the sign-in verification prompt will come up, LinkedIn recommends against signing out “each time you use LinkedIn during the day.” Strangely, the service also suggests that “you sign out at the end of each day.” (I doubt that’s very practical advice.)
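The anomalies the post lists (unfamiliar country, unfamiliar device, extended absence, login/logout churn from one location) are the inputs of a typical risk-based sign-in check. As an added illustration that is not LinkedIn’s code and does not reflect its real thresholds, here is a small evaluator that replays a constructed sign-in stream for one user and reports which events would draw a verification challenge; the thresholds, event fields and IP addresses are assumptions for the example.

```python
"""Toy risk-based sign-in challenge logic modelled on the anomalies described
in the post. Thresholds and the event format are assumptions for this
example, not LinkedIn's documented rules."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Set, Tuple

# Assumed thresholds (not LinkedIn's values).
ABSENCE_THRESHOLD = timedelta(days=90)   # "extended absence"
CHURN_WINDOW = timedelta(hours=1)        # window for login/logout churn
CHURN_LIMIT = 5                          # logins from one IP inside the window


@dataclass
class SignInEvent:
    user: str
    ts: datetime
    ip: str
    country: str      # would normally come from a GeoIP lookup on `ip`
    device_id: str    # e.g. a hashed browser fingerprint or a device cookie


@dataclass
class UserHistory:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None
    recent_logins: Deque[Tuple[datetime, str]] = field(default_factory=deque)


def evaluate(event: SignInEvent, hist: UserHistory) -> List[str]:
    """Return the anomaly reasons that would trigger a verification challenge.
    An empty list means the sign-in looks familiar and proceeds silently."""
    reasons = []
    if hist.last_seen is not None:  # the first sign-in only seeds the baseline
        if event.country not in hist.countries:
            reasons.append("unfamiliar_location")
        if event.device_id not in hist.devices:
            reasons.append("unfamiliar_device")
        if event.ts - hist.last_seen > ABSENCE_THRESHOLD:
            reasons.append("extended_absence")
    # Sliding window of recent logins; drop entries older than CHURN_WINDOW.
    while hist.recent_logins and event.ts - hist.recent_logins[0][0] > CHURN_WINDOW:
        hist.recent_logins.popleft()
    same_ip = sum(1 for _, ip in hist.recent_logins if ip == event.ip)
    if same_ip + 1 > CHURN_LIMIT:
        reasons.append("login_churn")
    # Update the baseline after evaluation so an event is never "familiar" to itself.
    hist.countries.add(event.country)
    hist.devices.add(event.device_id)
    hist.last_seen = event.ts
    hist.recent_logins.append((event.ts, event.ip))
    return reasons


def run_sample() -> dict:
    """Replay a constructed event stream for one user; returns {index: reasons}."""
    t0 = datetime(2013, 3, 1, 9, 0)
    events = [
        SignInEvent("alice", t0, "203.0.113.5", "US", "dev-A"),
        SignInEvent("alice", t0 + timedelta(days=1), "203.0.113.5", "US", "dev-A"),
        # Same device, new country: the "new country" case from the post.
        SignInEvent("alice", t0 + timedelta(days=2), "198.51.100.7", "DE", "dev-A"),
        # Back home after a long gap, on a device never seen before.
        SignInEvent("alice", t0 + timedelta(days=200), "203.0.113.5", "US", "dev-B"),
    ]
    # Six more logins from the same IP within the hour: login/logout churn.
    for i in range(6):
        events.append(SignInEvent("alice", t0 + timedelta(days=200, minutes=5 * (i + 1)),
                                  "203.0.113.5", "US", "dev-B"))
    hist = UserHistory()
    return {i: evaluate(e, hist) for i, e in enumerate(events)}


if __name__ == "__main__":
    for idx, reasons in run_sample().items():
        print(idx, "challenge:" if reasons else "ok", ", ".join(reasons))
```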

It’s great to see that LinkedIn has been taking measures to strengthen its authentication practices!

Update: LinkedIn now offers two-factor authentication. For some thoughts on this feature, see my Google Plus post on this topic.


Lenny Zeltser

Twitter Social Networking Among Information Security People

Having used Twitter for a couple of years, I can say that its role as a social networking medium for members of the information security community has been steadily growing. The value Twitter offers infosec people is three-fold: it helps keep up with interesting security-related content; it offers a forum for interacting with fellow infosec professionals; and it assists in researching current security events and trends.

Finding Relevant and Interesting Content

Twitter users often act as curators of content, helping to identify which news stories, research papers, podcasts, etc. you should be paying attention to on a given day. To benefit from this aspect of the service, it’s best to sign up for Twitter and follow people whose taste in security content matches yours.

Deciding whom to follow on Twitter without being overwhelmed by the number of updates in your stream is a personal matter. A good starting point is to find which of your friends and colleagues are already on Twitter and follow them. Another is the list of "top" security Twitter accounts maintained by the service Listorious. Yet another possibility is the listing of “most powerful voices in security" compiled by Jim Kaskade.

One of the advantages of following on Twitter the people who interest you is that you don’t need to keep up with their updates in real time to benefit from their content-curating activities. Several free services can filter, rank and aggregate the content shared by the Twitter accounts you follow. These include:

You can follow the updates of Twitter users by subscribing to the RSS feed that Twitter generates for them. This works even without you needing to join Twitter; however, this method is only practical when you want to keep up with a small number of Twitter users.

Interacting With Other Information Security Professionals

Technology is making the world smaller, someone said once. Twitter certainly contributes to this dynamic: It’s incredible how many members of the information security community are just a click away on this service.

You might shy away from approaching a particular individual at a conference or worry about emailing a person you don’t know. On Twitter, such social stigmas are almost non-existent. People generally feel comfortable contacting each other, making comments, asking questions and providing answers without much hesitation. This aspect of Twitter makes the site a fantastic source of inspiration and knowledge.

Interestingly, Twitter is even becoming the platform for discussing contents of blogs, with comments being shared as Twitter messages instead of being added to the blog post’s web page directly.

Researching Security Topics

The volume of information posted on Twitter can easily be overwhelming. This aspect of the site makes it a good source of various types of real-time and historical data related to information security.

For instance, you might use Twitter search to check what people are reporting regarding an unfolding security breach or ongoing attack; you might find information about defensive and offensive actors; you might find mentions of hashes of malicious executables or suspicious IP addresses, etc. For additional thoughts along these lines, see my earlier posts How to Use Twitter for Information Mining and Monitoring Social Media for Security References to Your Organization.

For more tips on getting the most out of Twitter, see my earlier post Joining The Information Security Community on Twitter. Oh, and you should probably follow me on Twitter: @lennyzeltser.

Lenny Zeltser

People are the new Worm
Ulysses Wang, commenting on the role that humans play in propagating malicious links on social networking sites.

11 Security Tips for Online Social Networking

Having covered the risks related to on-line social networking on several occasions, I’d like to outline my tips for using these services securely. In compiling this list, I tried to stay away from impractical recommendations, and did my best to base advice on actual occurrences, rather than theoretical threats:

  • Ignore any links embedded in email messages that appear to come from a social networking service. Instead, connect to the site directly by typing its URL or using a bookmark. This will help avoid phishing-style incidents.
  • Don’t include in your social networking communications potentially sensitive information about other people. For instance, some parents don’t like revealing the names of their kids online. Understand and respect your friends’ privacy preferences.
  • Be skeptical of job postings on social networking sites until you confirm that you’re interacting with an official representative of the company where you’d be applying. Avoid responding to offers that sound too good to be true, such as high-paying work-from-home gigs.
  • If a friend asks you for money using chat or messaging functionality of a social networking site, confirm that you’re interacting with the person you know, rather than an impostor or a bot that compromised the account. This could be a variation of the stuck-in-London scam.
  • Be careful clicking on links that use unusual URL-shortening services or those that promise to display shocking or embarrassing videos. If such links bring you to a site that doesn’t feel right, close the browser tab without clicking any buttons on the page to avoid clickjacking attacks and other scams.
  • Don’t download any tools or software updates when prompted to do so after clicking a link you obtained from a social networking site. This could be an attempt to propagate malware.
  • Don’t use public social networking sites to discuss sensitive company matters, even if you believe you’re interacting with people working for the same company. You might be communicating with impostors or potentially broadcasting to the whole world.
  • When sending private messages using a social networking site, assume that some day they may become public. The data might be revealed due to your own error or because the service provider may end up leaking the information inadvertently or through dubious practices.
  • Use social networking services in a manner consistent with your employer’s policies. When encountering a suspicious situation on a social networking site that may involve your employer’s data or computer systems, let your IT or security staff know.

While the tips above were focused on social networking services, standard Internet safety recommendations apply: Limit the reuse of passwords across sites; keep up with security practices; disable risky browser plugins that you rarely use (e.g., Java).

Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level.

Lenny Zeltser

Which Apps Are Authorized to Access Your Social Networking Accounts?

Instead of pursuing vulnerabilities present directly in Facebook, Twitter or LinkedIn, attackers might find it easier to identify problems in less mature websites and apps designed to integrate with the targets’ social networking accounts. From the user’s perspective, it’s easy to forget about the myriad of sites that the person may have authorized to have read or write access to his social networking profile.

Follow the steps below to review which apps you’ve authorized to access your Facebook, Twitter and LinkedIn accounts. Check this list periodically and deauthorize the services you no longer use. When in doubt, remove access—when you use the site or app that relied on that access, you should be able to easily reauthorize it.

LinkedIn

Access the Authorized Applications page by hovering over your name in the upper right corner of the LinkedIn site. Select Settings. In the bottom left corner select Groups, Companies & Applications. Select “View your applications”.

Facebook

Access the Application Settings page by clicking on the Account button in the upper right corner on the Facebook site. Select Account Settings. On the left side of the screen select Applications.

Twitter

Access the Connections page by clicking on your name in the upper right corner of the Twitter site. Select Settings, then select the Applications tab.

Lenny Zeltser

The Use of Fake or Fraudulent LinkedIn Profiles

When discussing scams and malicious activities that have utilized the linkedin.com website, I alluded to the use of fake or fraudulent LinkedIn profiles. Though it’s hard to confirm the true nature of suspicious-looking profiles, I came across several that were implicated in conducting illegitimate activities; also, several studies have used fake LinkedIn profiles to conduct security-related research.

Initiating Contact Through LinkedIn in a Targeted Attack

Two years ago the LinkedIn profile that claimed to belong to Murray Rubens was being used to establish contact with employees at a well-known technology company. The person investigating the incident pointed out that the alleged scammer’s profile indicated that he worked at the targeted company since 1997; however, the company had no record of this employee. Here’s an example of a message sent by “Murray Rubens”:

I’d like to add you to my professional network on LinkedIn. I just got involved with Linked in and I wanted connect. I really love my job at [Redacted] and I want to connect to as many of my collegues as possible. I want to get off to a great start. Please connect if you do not wish to connect its OK. - Murray

Such an approach can be used to target the company’s employees with social engineering, malware or other attacks.

Note the apparent inconsistency between “Murray Rubens” claiming to be at the company since 1997, yet expressing the desire to “get off to a great start.” (Thanks to the investigator for allowing me to publish these details.)

Potential Scams That Involved LinkedIn Profiles

The Ripoff Report website documents numerous reports of confirmed and suspected scams. Some of them reference LinkedIn profiles that alleged scammers used when interacting with the complaining party.

One complaint describes a scam allegedly conducted by “Ana Velasco." According to the report, "Ana Velasco" followed the transcript of a classic bank guarantee scam over the period of 3 months. The alleged scammer is reported to have baited the victim out of $25,000 “by falsifying federal investment documents, wealthy client lists, worldwide contacts (Deutch Bank) falsifying her background in commodity trading and high yield investments.” The report includes a link to the LinkedIn profile of “Ana Velasco,” which is no longer present on the site.

Another write-up on Ripoff Report discusses an individual, who was reportedly “posing as an investor on LinkedIn." The person who filed the complaint explained that this individual contacted him through LinkedIn regarding investing in the person’s company. The report describes a number of red flags that made the person who filed it concerned, including inconsistencies in domain registration details. However, it stops short of presenting clear evidence that the interactions initiated via LinkedIn were part of a scam.

Fake LinkedIn Profiles Set Up by Researchers

A number of studies explored people’s willingness to interact with strangers on social networking sites, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. For example, Thomas Ryan of Provide Security set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter. The profile used the photo below and described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command,” according to the Washington Times article about the experiment.

According to the paper Thomas Ryan wrote about the experiment, he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that “the propagation of a false identity via social networking websites can be rampant and viral.”

Another experiment using a fake LinkedIn profile was conducted by Dennis Rand from CSIS Security Group. Seeking to research and demonstrate the potential for information leakage through LinkedIn, Dennis created a profile of a fictitious person named John Smith, after which he sent invitations to connect on LinkedIn:

Dennis provided the text of the invitation in the presentation he created to describe the experiment:

"I found you while I was searching my network on LinkedIn and found you.

In the future I might be interested in contacting you regarding a possible job/business connections, so this is my way to keep a list of interesting people/possible future business partners/connections. …

Hope you will take the time to read my profile and accept my invite : )”

Dennis reported that “in less than 2 weeks I had build up a network of 1300+ connections with email addresses, names and a lot of information about the different large companies.”

Wrapping it Up

The nature of on-line social networking involves establishing connections with people without the opportunity to verify the person’s authenticity and reputation. Making the initial connection requires taking a leap of faith, which can easily be exploited by scammers. As we saw, security researchers have demonstrated the ease with which anyone can quickly build a respectable-looking profile on LinkedIn. We also saw that miscreants can rely on LinkedIn profiles as part of a cover story when conducting a scam.

This post is part of a series that explores LinkedIn scams, fraud and information security risks.

Lenny Zeltser

Scams and Malicious Activities Using the LinkedIn Website

Although malicious activities that involve LinkedIn aren’t as popular as those associated with other social networking sites, the service has seen its share of scams and fraud. The majority of such incidents occurred outside of the LinkedIn website and took the form of LinkedIn look-alike email spam. However, there have been cases where the scammers used the linkedin.com website itself to achieve their goals. Let’s take a look at some of them.

Using linkedin.com as a Redirector to Malicious Sites

It’s simple to use linkedin.com as a redirector to other websites at the moment. The URL needs to look like this to redirect you to Google, for instance:

http://www.linkedin.com/redirect?url=www.google.com

Attackers benefit from “bouncing” users off a website that has a strong reputation, because doing so lends credibility to the link that ultimately will lead to a malicious site. Gerald Dillera at TrendLabs described one such attack that used linkedin.com. The incident involved Facebook wall posts that promised to show “The Video That Just Ended Justin Biebers Career For Good!”

When the potential victim clicked the link, Facebook showed a confirmation that the person is about to leave Facebook.com and be taken to linkedin.com. However, linkedin.com would redirect the person once more to a malicious domain. According to Gerald, “the cybercriminals behind this attack benefit from those who paid to answer the online survey. In addition, this can also pave the way for malware infection and information theft.”
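The defensive lesson of the redirector case is to judge a link by where it finally lands, not by the reputable host it bounces through. As an added example (not LinkedIn’s or TrendLabs’ code), the following offline unwrapper follows redirector parameters of the form the post shows (linkedin.com/redirect?url=...) and reports the destination host; the second redirector entry and all sample links are constructed placeholders, and a real deployment would populate the table from its own observations.

```python
"""Unwrap redirector-style links without touching the network, so that the
destination host rather than the bouncing host is what gets evaluated.
The redirector table and sample links are constructed for this example."""
from urllib.parse import urlsplit, parse_qs

# Assumed table: host -> {path: query parameter carrying the target}.
# The linkedin.com entry matches the pattern shown in the post; the second
# entry is a constructed placeholder standing in for any other redirector.
REDIRECTORS = {
    "www.linkedin.com": {"/redirect": "url"},
    "redirector.example": {"/go": "to"},
}
MAX_HOPS = 5  # bound nested redirector chains


def _split(url: str):
    """urlsplit that tolerates a bare host such as 'www.google.com'."""
    return urlsplit(url if "://" in url else "http://" + url)


def _host(url: str) -> str:
    return (_split(url).hostname or "").lower()


def unwrap(url: str) -> list:
    """Return the chain of URLs from the link as written to its final
    destination, following at most MAX_HOPS redirector parameters."""
    chain = [url]
    for _ in range(MAX_HOPS):
        parts = _split(chain[-1])
        host = (parts.hostname or "").lower()
        path = parts.path.rstrip("/") or "/"
        param = REDIRECTORS.get(host, {}).get(path)
        if not param:
            break                              # not a known redirector endpoint
        targets = parse_qs(parts.query).get(param)
        if not targets:
            break                              # redirector path but no target given
        chain.append(targets[0])               # parse_qs already percent-decodes
    return chain


def assess(url: str) -> dict:
    """Summarise a link: hops followed, final host, and whether the bounce
    leaves the site that the link appears to point at."""
    chain = unwrap(url)
    link_host, dest_host = _host(chain[0]), _host(chain[-1])
    return {
        "link_host": link_host,
        "destination_host": dest_host,
        "hops": len(chain) - 1,
        "offsite_redirect": len(chain) > 1 and dest_host != link_host,
    }


# Constructed sample links (survey.invalid uses a reserved, non-resolving TLD).
SAMPLE_LINKS = [
    "http://www.linkedin.com/redirect?url=www.google.com",
    "http://www.linkedin.com/in/someone",
    "http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Fsomeone",
    "http://www.linkedin.com/redirect?url=http%3A%2F%2Fredirector.example%2Fgo"
    "%3Fto%3Dhttp%253A%252F%252Fsurvey.invalid%252Fvideo",
]


def flagged(links=SAMPLE_LINKS) -> list:
    """Return the links whose final destination is off the apparent site."""
    return [u for u in links if assess(u)["offsite_redirect"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess(link))
```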

Fraudulent Job Postings on LinkedIn

The LinkedIn Jobs site is designed to pair up job seekers with employers. Perhaps it’s not surprising that this service can act as a venue for distributing fraudulent job postings. The examples I’ve seen involved recruiting money mules, though the creators of these job postings did their best to make them look legitimate.

Consider one such posting, which has been live on LinkedIn for about a month as of this writing and carried the title “*** COME AND WORK WITH US ***”. This work-from-home job promised to pay a weekly salary and a 10% commission for “assisting us in processing the payments from our clients.” The responsibilities were described as follows:

"1. Recieve payment from Customers

2. Cash it at any cashing point or at your banks and you will deduct 10% which will be your percentage/payon Payment processed

3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to.(Payment is to forwarded either by Money Gram or Western Union Money Transfer.”

The posting claimed to be recruiting for a legitimate UK company. It was posted by “scott miller” with a mostly empty profile, 1 connection and the location of Nigeria.

The text in the above job posting was very similar to the one that Scott Allen from LinkedIn Intelligence described in 2007. It was titled “REQUEST TO ACT AS PAYMENT REPRESENTATIVE” for H & S International Limited:

Criminals recruit money mules in an effort to get money earned through illegitimate means out of the country. In some cases, dedicated sites are set up for the recruiting effort. In others, traditional job sites, including LinkedIn, help with the hiring process.

Scams Sent to the LinkedIn Inbox

Like many other social networking sites, LinkedIn allows the site’s users to contact each other using an email-like messaging service. This functionality can be used to contact LinkedIn users for fraudulent purposes. LinkedIn users tend to be in a sociable frame of mind when visiting linkedin.com and checking the contents of the site’s Inbox; this might make them more vulnerable to scams.

For instance, some LinkedIn users received in their Inbox a message from Natasha Kone, whose text followed the narrative of a classic 419 scam:

"Before the death of my father on the 12th December 2007,in a private hospital here in Abidjan,he called me secretly to his bed side and told me that he kept a sum of $6.500 000… I am inclined to offer you 15% of the total sum as a way of compensation for your effort after the successful transfer of these fund to your nominated account overseas."

In such advanced fee scams, the target is persuaded to “advance sums of money in the hope of realizing a significantly larger gain” according to Wikipedia. Contacting potential victims using LinkedIn offers the scammer the potential to build a believable social networking profile that could put the target at ease.

Consider another scenario, which demonstrates, at best, questionable use of the LinkedIn website. Joseph Dowdy from MeshMarketer described receiving “an invitation through LinkedIn to become listed in Stanford Who’s Who.” Joseph wrote that because “the invitation was coming from LinkedIn, I thought it must be legit without having to do the footwork to see if it was a scam.”

Joseph later became suspicious of the service after noticing that the sample profile shown on Stanford Who’s Who’s website was using a photo of his friend without her approval. He noticed numerous complaints recorded about the company on the Rip-off Report website, alleging that it deceives people into paying large fees.

Wrapping it Up

As you can see, scammers have been using the LinkedIn website in several ways, including treating linkedin.com as a redirector to malicious sites, posting fraudulent ads and interacting with potential victims using the LinkedIn website. It’s interesting to note that while the platform provides numerous other opportunities for fraud, I haven’t seen many publicly-documented incidents of this nature.

This post is part of a series that explores LinkedIn scams, fraud and information security risks.

Lenny Zeltser

The Potential for Malicious Ads on linkedin.com

LinkedIn includes a platform that allows advertisers to display targeted ads to linkedin.com users. The advertiser can specify the URL of the advertised website. As a result, this presents an opportunity to direct linkedin.com visitors to malicious websites through LinkedIn ads.

However, I have not found any confirmed incidents where the LinkedIn website was used to host such malvertisements. Why not?

This might be because of a relatively high cost of setting up a LinkedIn campaign. Though the site allows advertisers to budget as little as $10 per day, the minimum cost per click is $2. That’s more than many other advertising venues would charge.

Another reason for scammers not distributing malicious ads through LinkedIn might be the effort it takes to build a reputable LinkedIn profile, which is necessary to submit the ad. Though this cost isn’t very high, it may be more effort than what’s involved in submitting ads to other venues.

Do these reasons make sense to you? Do you have a better explanation for the apparent lack of malvertising on linkedin.com, despite the site’s potential to distribute ads to the desired demographic?

This post is part of a series that explores LinkedIn scams, fraud and information security risks.

Lenny Zeltser