Social Zombies II: Your Friends Need More Brains
In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.
Social Zombies II: Your Friends Need More Brains
- 1. SOCIAL ZOMBIES II Your Friends Need More Brains
- 2. Starring...
- 3. tom Eston
- 4. Robin Wood
- 6. Social Networks Where are we today?
- 8. 350 Million Users (how many of these are fake?)
- 9. 120 Million Login Daily
- 11. 6.2 million joining Twitter every month
- 12. End of 2009: 75 Million Users
- 13. It’s all about trust...
- 25. Who is the most dangerous woman on the Internet?
- 31. What makes a Jessica Biel?
- 35. Thank You! Prabhu Deva and Nathan Hamiel
- 36. Lava Roll FTW
- 37. Still easy to exploit trust! • More difficult to tell a bot from a real account • Accounts are easy to create • Socnet User Verification = FAIL • Twitter “Verified” Accounts? • Connections based on other “friends”
- 39. New Facebook Privacy Settings • Your info is even more open! • Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all public • “Suggested” settings are set to EVERYONE • Zuckerburg says users don’t want privacy...
- 40. Really?
- 41. Epic FAIL?
- 42. Blippy FTW
- 43. Blippy FTW
- 44. "I Joined BLIPPY and all I got was Jacked at the ATM" - Chris Nickerson (@indi303) via Twitter
- 45. What about the ultimate stalker tool?
- 50. Blippy + Foursquare + Facebook + Twitter + LinkedIn = PWNAGE
- 51. Why the **** would Socnets do this??
- 53. “The more info you share... ...the more valuable you are”
- 54. Real Time Search FTW
- 55. How do pen testers and attackers use this? Thank you Social Networks!
- 56. Wealth of recon information! • Socnet Search Engines • Maltego (Twitter and Facebook) • Google Hacks • site:facebook.com inurl:group (bofa | "bank of america") • Manual Searching • Status Updates • Real Time Search
- 57. Infiltrate a company with this information!
- 59. Koobface Evolving • Still the #1 socnet worm • Targets all major socnets • Socnet chat vectors • Now with CAPTCHA • Adobe/IE 0day, Zeus Trojans FTL *Screen shots via McAfee Labs/PandaLabs
- 61. Months of Bugs! • July 2009 - Month of Twitter Bugs (Aviv Raff) • September 2009 - Month of Facebook Bugs (theharmonyguy) • Vulnerabilities affecting over 9,700 Facebook applications • Over half of vuln apps had passed the Facebook “Verified” Application program • Six of the hacked applications in the “Top 10” (Farmville and Causes!) • Most could be used with ClickJacking to install
- 65. More than 218 million Facebook users were vulnerable!
- 66. Facebook Application Autopwn Demo http://www.youtube.com/watch?v=chvwtGPkAIQ
- 68. More Evil Twitter Bots • Bots that pull trending topics...post malware links • Used recently to promote warez like pirated movies • Easy to code. Twitter API FTW
- 69. Better Automated Tools • Tools are getting more reliable • CAPTCHA bypass built in, able to off load to outsourced solution • Automated tools are cheap! Why roll your own? (or get it for free via Torrent!)
- 72. What is it? Command and control system running over social media
- 73. Written in Ruby as a proof of concept Not optimized. Not stealthy.
- 74. Currently runs over: •Twitter • JPEG • TinyURL
- 75. And now...
- 76. Uses LinkedIn API to read and write the Status field
- 79. Also new... Windows Support Basic Ruby install with a few gems and off it goes
- 80. What’s Next? Other media types, possibly non- HTML based. Please give suggestions!
- 82. Third Party APIs FTW
- 83. SocNet APIs • Social network APIs provide a wealth of information • All the big ones offer them • Some play catch up • We get to play with these APIs
- 84. Im'ma Let You Finish • New front end for Social Butterfly • KanyeWestify allows us to update your wall
- 85. Westify'ing someone • Select a friend • Drop down helps • Their wall now has the update
- 86. So what did we do? • Using the API, we grabbed the user's information • And their Friends' data • In this version we used the FQL queries from theHarmonyGuy • Full backup of your account • We also used JS to brute force browser history • We can map visited pages to user's of Facebook! • Marketing FTW!
- 87. Have the undead won?
- 88. We need more brains! • User education...yeah, it’s hard • Better privacy controls • End opt-in developer models • Tighter control of APIs
- 89. Questions? • News, Research, Guides,Video’s SocialMediaSecurity.com • Download KreiosC2 digininja.org • Follow us...if you dare @agent0x0, @digininja, @secureideas