Spaming in social networking sites is a serious problem. Criminals, as well as direct marketers, continue to clog mailboxes with unsolicited bulk e-mails such as spam and phishing in the hope of financial gain. So far their strategy is straightforward, namely to send out a vast numbers of unsolicited e-mails in order to maximize profit on the tiny fraction that falls for their scams. Their pool of target e-mail addresses is normally based upon data harvested with web crawlers or trojans, sometimes even including plain dictionary-based guessing of valid targets. Social networking sites (SNSs) might change the playing field of spam attacks in the near future. SNSs contain a pool of sensitive information which can be misused for spam messages, namely contact information (email addresses, instant messaging accounts, etc.) and personal information which can be used to improve the believability of spam messages. A successful extraction of sensitive information from SNSs would result in spam attacks that are based upon a pool of verified e-mail addresses. Thus messages may have higher conversion rates, increasing the success rate of spam.
Gaining access to the pool of personal information stored in SNSs and impersonating a social network user poses a non-trivial challenge. Information extraction from SNSs introduced elaborate methods such as the inference of a user’s social graph from their public listings or cross-platform profile cloning attacks. The leakage of personal information from these platforms creates a remarkable dilemma as this information forms the ideal base for further attacks. The main obstacle for large-scale spam attacks on basis of SNSs are the various access protection measures providers offer to keep sensitive information private or at least limit access to a closed circle of friends. Our friend-in-the-middle attack overcomes this obstacle by hijacking HTTP sessions on the network layer, which the majority of SNSs
providers fail to secure.
FRIEND-IN-THE-MIDDLE (FITM) ATTACKS: friend-in-the-middle attacks as active eavesdropping attacks against social networking sites. Our FITM attack is based on the missing protection of the communication link between users and social networking providers. By hijacking session cookies, it becomes possible to impersonate the victim and interact with the social network without proper authorization. While active eavesdropping attacks against web services are well studied and known for decades, these attacks have a severe impact in combination with social networking services. SNSs session hijacking attacks enable more sophisticated attacks on SNSs, which we outline in the following. Moreover, SNSs providers are responsible for a major share of today’s world-wide-web traffic.
(A)HTTP Session Hijacking Attacks on SNSs. As a precondition the attacker needs to have access to the communication between the SNS and the user. This can be achieved either passively (e.g., by monitoring unencrypted wireless networks) or actively (e.g. by ARP-spoofing on a LAN). The adversary then simply clones the HTTP header containing the authentication cookies and can interact with the social network, unbeknownst to the SNS operator or user.
As a precondition the attacker needs to have access to the communication between the SNS and the user. This can be achieved either passively (e.g., by monitoring unencrypted wireless networks) or actively (e.g. by ARP-spoofing on a LAN). The adversary then simply clones the HTTP header containing the authentication cookies and can interact with the social network, unbeknownst to the SNS operator or user.
One can observe that if HTTPS is used at all, today’s biggest SNSs provider use it solely to protect the credentials during login. As with traditional eavesdropping attacks, the attacker is able to use the web service to its full extent from the victim’s point of view. However in the case of our FITM attacks, further scenarios become available, which are specific to SNSs:
-Friend injection to infiltrate a closed network
-Application injection to extract profile content
- Social engineering to exploit collected information.
The rudimentary security and privacy protection measures of SNSs available to users are based on the notion of “friendship”, which means that sensitive information is made available only to a limited set of accounts (friends) specified by the SNS user. Once an attacker is able to hijack a social networking session, she is able to add herself as a friend on behalf of the victim and thus infiltrate the target’s closed network. The injected friend could then be misused to access profile information or to post messages within the infiltrated network of friends.
By installing a custom third-party application, written and under the control of the attacker, it is possible to access the data in an automated fashion. Among other things, an application has access to sensitive information (birthday, demographic information, pictures, interests, etc.) and in case of most SNSs also to information of friends of the application user. Third-party applications such as online games have become a popular amusement within SNSs, and hiding a malicious application without any activity visible to the user is possible. An attacker might install the application, take all the data needed in an automated fashion and remove the application afterwards. This would be completely undetectable to the user and most likely to the SNSs providers as well. Whereas social engineers traditionally relied upon context-information gathered through dumpster diving or quizzing people over the phone, with FITM attacks the context-information harvesting process becomes automated. We thus claim that FITM attacks allow sophisticated social engineering attacks. Two such social engineering attacks based on information extraction from social networking sites are context-aware spam and social phishing, which we describe in the following.
(B)Context-Aware Spam. Context-aware spam can be generated from data harvested with FITM attacks, increasing the effectiveness of the spam. Three context-aware spam attacks which might be misused: relationship-based attacks, unshared-attribute attacks, as well as shared-attribute attacks. While the first attack is based on relationship information, the two remaining variations use content extracted from social networking sites such as geographic information or a user’s birthday.
(C)Social-Phishing. Phishing is a common threat on the Internet where an attacker tries to lure victims into entering sensitive information like passwords or credit card numbers into a faked website under the control of the attacker. It has been shown that social phishing, which includes some kind of “social” information specific to the victim, can be extremely effective compared to regular phishing. For example such information might be that the message appears to be sent from a person within the social environment of the victim, like a friend or a colleague from work.
With automated data extraction from social networks via FITM attacks, a vast amount of further usable data becomes available to attackers. Prior conversations within the social network like private messages, comments or wall posts could be used to deduce the language normally used for message exchange between the victim and the spam target. For example, a phishing target might find it very suspicious if the victim sends a message in English if they normally communicate in French. Another example are extracted pictures that could be included in the spam and phishing emails to increase their authenticity. Extracted pictures could for example be used to send invitations to shared “photo albums”, including a link which promises more pictures given that a user enters his social networking credentials.
Social Spam Attacks: Spam and phishing messages via FITM attacks can be delivered using one of various approaches.
First, the social network itself might be used for sending the spam, e.g. by writing the message to other users’ walls, or by sending it via private messages. However, if used on a large scale this approach is most likely to get detected by SNSs providers who already implemented a number of anti spam strategies to protect their networks. Out-of-bound messages mean that traditional emails or other forms of sending messages besides the SNS are used to deliver the spam and phishing messages. The traditional email spam is enabled through the availability of real email addresses users make available to their friends. Hence, if the spam attack is carried out over email instead of the SNS platform, these malicious messages cannot be detected by the SNSs providers.