the social media bait - fraud & cybercrime

Social Media Bait: Fraud and C b i

Parag Deodhar, CA, CISA, CFEChief Risk Officer – Bharti AXA General Insurance

Cybercrime

ACFE BANGALORE 13 July 2012

Note: All opinions are personal. All logos, trademarks belong to respective companies.

AGENDAWeighing the value of social

How spam, application

vulnerabilities and value of social networking with its risks

vulnerabilities and malware are being

used to infiltrate social networking social networking

sites

Specific vulnerabilities to

The ease of phishing

d h t User education, policies and

vulnerabilities to watch out for with social networking

and what to do about it p

enforcement

2 ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime

V l @ Ri kValue @ RiskInvestigation officers said gshe found out from FB that her boyfriend had dumped h her. Police said the couple had had an argument which had an argument, which resulted in the breakup. Later, her boyfriend had left , ya post on FB saying, "Feeling super cool today. D d Dumped my new ex-girlfriend. Happy independence day "independence day.


Evolution of communication on internetBulletin BoardsWeb based e-mailsInstant Messaging

Social networking is something that is in absolute harmony with the principles Instant Messaging

P2PBl & F

harmony with the principles of internet – Connecting

PeopleBlogs & ForumsSocial NetworkingInstant Status UpdatesStatus Updates with Geo TaggingStatus Updates with Geo Tagging


O l t i tOnly way to communicate


Status update: Social Networks

Whether you or not social networksWhether you or not social networks have taken over our lives – both professional and personal. p

Corporates use it for marketing and communicationSchools and Colleges use it to communicate with students and parentsIndividuals use it for professional networkingIndividuals use it for professional networkingPersonal use – sharing photos and videos, opinions, status updates, games, chat…opinions, status updates, games, chat…

22 Jan 2010, Astronaut T. J. Creamer posted the first unassisted update to his Twitter account from the

International Space Station marking the extension of the Internet into space


Weighing the value of social networking with its risks

BENEFITS RISKSBENEFITS Always connected

Great way to find new

RISKS Spam / Scams

Application flaws Great way to find new

contacts.

Database of

Application flaws

leading to loss of your

information Database of

prospective clients

Accessibility to a wide

information

Inappropriate usage –

posting objectionable Accessibility to a wide

range of information

Service industry – Means

posting objectionable

content

Hate CrimeService industry Means

to connect with

customers

Hate Crime

Identity Theft


Hacking Trends: TargetsEducation

Social Media Entertainment

7%

Finance5%

Education5%

/ Web 2.019%

Government12% Media

16%

Internet

12%

Retail12%Technology

12%

Internet12%

12%

Social media / Web 2 0 sites are the biggest targets for Social media / Web 2.0 sites are the biggest targets for the hackers.

Source: Web Application Security Consortium (WASC)


Trends: Threat Vectors

DNS HijackingWorm

Configuration errorCross-site Scripting

Cross-site Request Forgery

DoS / Brute ForceOther

Configuration error

UnknownContent SpoofingDoS / Brute Force

SQL InjectionInsufficient Authentication

SQL injection is the most common threat vector used against

0% 5% 10% 15% 20%

SQL injection is the most common threat vector used against web pages, content spoofing and XSS are also prominent-Social networks act as a good fodder for all three.

Source: Web Application Security Consortium (WASC)9 ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime

Trends

Facebook now allows to add your unborn baby to your list of family members via the “ d Child” i b k fil l “Expected: Child” option on Facebook profiles. Apparently too many parents were creating “illegal” fake profiles for their yet unhatched offspring — setting their fake babies’ ages to 13 instead of negative.10 ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime

Trends

Hobby/ showing off Organized crime


UNDERGROUND MARKETPLACE

The cyber underground is a pervasive market The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world. gIt is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits malicious software access to botnets; and kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. and other sensitive information. These criminals are increasingly professionalized, organized, and have unique

14

p g qor specialized skills.

ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime

CaaS - CRIMEWARE AS A SERVICE

CaaS is similar to Software as a Service (SaaS) CaaS is similar to Software as a Service (SaaS). Criminals use online cybercrime services instead of running their own servers and instead of running their own servers and software, is the latest development in internet crime. To criminals, as the number of users in social network sites increases, the market value of

l i f ti i i l t k l personal information in social network also increases.


Corporates @ Risk

Data Leakage – Malware Spyware PhishingData Leakage Malware, Spyware, PhishingExternal Attacks – Spam, Virus bringing down network, serversInappropriate usage – objectionable materialSystem overload from the heavy use of blogging and social networking sites, with implications for service availability and non-productive activitiesReputation loss – Employees Customers can Reputation loss – Employees, Customers can easily post complaints over social mediaLegal liabilities from defamatory blog postings by g y g p g yemployees leading to reputational damage


MALWARE

The Koobface worm and its associated botnet - known The Koobface worm and its associated botnet known for its longevity and history of targeting social networking sites. Fi t f i i 2008 ithi M S d F b k First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.Message directs to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.update of the Adobe Flash player.A new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social net ork sites incl ding Koobface onto social network sites, including Facebook and MySpace. Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.


MALWARE EXAMPLE


Zeus P2P Trojan examplej p


Shortened URLs

The very concept of shortened URLs is a The very concept of shortened URLs is a problem as we don’t know the actual link.

Takes you to a page that can use malware to infect o r PC infect your PC. Can be used as a Phishing baitS filt l b Spam filters or malware scanners can be easily bypassed by using the shortened URLs as camouflageas camouflage.


You @ Risk

PrivacyPrivacySteal your money / assets- Malware, Spyware, Phishing, Geo-taggingTrick your friends and family intosupplying personal data, money - Nigerian scamscamIdentity theftUse your accounts to spread spam Use your accounts to spread spam, malware etc.Blackmail – information / photographs,p g pDivorce lawyersTime!!!


PASSWORDS

The problem is not only that people use the The problem is not only that people use the same password for many sites though, the reason that these are able to be decrypted by yp ycybercriminals is often due to the fact that they are weak.


Data Mining

Cyber thieves use data mining on social networking sites Cyber thieves use data mining on social networking sites to extract sensitive information about victims. In a large-scale data mining, a cyber criminal sends out

" tti t k i " t l li t f i l a "getting to know you quiz" to a large list of social networking site users. While the questions do not appear to be malicious on the surface, they often mimic the same questions that are asked by financial institutions or e-mail account providers when an individual has forgotten their password. g pSmall-scale data mining may also be easy for cyber criminals if social networking site users have not properly guarded their profile or access to sensitive information guarded their profile or access to sensitive information. Indeed, some networking applications encourage users to post whether or not they are on vacation,

23

simultaneously letting burglars know when nobody is home.


You @ Risk

What you share directly What you share indirectlyWhat you share directlyYour email address(As your login

credentials)

What you share indirectlyAnswers to your secret questions of

other accounts(emails etc)

Likes/dislikes

Regular updates about your day to

Your where about`s

People related / linked to youRegular updates about your day to day doing

Pictures

eop e e a ed / ed o you(via photo tagging and linked)

Travel likes

Your trips and plans Your picture shows way your possessions

Your relationship status

Personal Details with third party application like Farmville, mafia wars

Home address

Your attitude and way of thinking


You @ Risk

www.theregister.co.uk/2010/09/13/social_network_burglary_gang/ng/


You @ Risk

PHISHINGPHISHINGBanks are not the only companies to fall prey to phishing attacks. Not uncommon to have websites that mimics the websites that mimics the originalCan be a huge threat, as the

b f k number of users keep increasing day by day. Very simple modus operandi-y p pSends you a bogus link, asks you to click on the same, once clicked asks you to enter your clicked asks you to enter your credentials and you are compromised


PHISHING EXAMPLES


“Pinterest” the latest target

Scammers and cyber criminals are now pinning things Scammers and cyber criminals are now pinning things that are leading to spam, phishing sites and other malicious things.A i l t hi h t i ll it t k t l A simple eye-catching photo is all it takes to lure someone in and have an Internet scam succeed in stealing your information or your identity. One advertises an “amazing weight loss product,” where posts include a variety of enticing thumbnail pictures. The captions to these pictures read that the product is The captions to these pictures read that the product is sponsored by Pinterest (it’s not), and that it really works. Another scam involves reaching out to people through a Facebook ad ad ertising a a people can make Facebook ad, advertising a way people can make money on Pinterest. The link goes to a website that offers a Visa gift card, where all the person has to do is fill out a

28

form to get it.


Whaling

While normal “phishing” efforts depend on While normal phishing efforts depend on reaching the greatest number of people with one email, “whaling” targets top level g g pexecutives at organizations with a personalized email.Emails appear to be sent from a legitimate business authority (Banks, Tax Department).Li k b dd d i th il ill lti t l Links embedded in these emails will ultimately install malware on your computer.Bottom line never open an email or forward it Bottom line – never open an email or forward it to a staff member unless you are sure of the identity of the sender.

29

identity of the sender.


d3rd Party Applications

Games quizzes cutesie stuffGames, quizzes, cutesie stuffUntested by social network –anyone can write oneanyone can write oneNo Terms and Conditions – you

ith ll d ’teither allow or you don’tInstallation gives the developers rights to look at your profile and overrides your privacy settings!


Mobile Social Networking: SIDEJACKING

31

CLICKJACKING

Technique used by attackers to trick users into Technique used by attackers to trick users into clicking on links or buttons that are hidden from view. Security weakness in web browsers that allows web pages to be layered and hidden from view. Yo think o are clicking on a standard b tton You think you are clicking on a standard button, like the PLAY button on an enticing video, but you are really clicking on a hidden link. y y gSince you can’t see the clickjacker’s hidden link, you have no idea what you’re really doing. You

ld b d l di l i i could be downloading malware or giving away information without realizing it.One form of clickjacking is to hide a LIKE button One form of clickjacking is to hide a LIKE button underneath a dummy button – “Likejacking”.


Comment-Jacking

This attack baits the user into supposedly This attack baits the user into supposedly typing characters to complete the captchatest. The text is added as a comment

33

instead.ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime

Facebook dislike button scam

The scam appears as a link on your wall saying The scam appears as a link on your wall saying 'Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature.' If you

li k th li k it ill i di t l t it lf t click on the link it will immediately post itself to your profile - thereby spreading it to your friends. In addition it will run Malware In addition it will run Malware on your computer.It essentially means you are giving criminals permission to access your profile, post spam and get you to complete onlineand get you to complete onlinesurveys to give them yet more information about you.


NIGERIAN SCAM

At about 8 p.m. Bryan Rutberg's daughter ran into his At about 8 p.m. Bryan Rutberg s daughter ran into his bedroom and asked why he'd changed his status to: "BRYAN IS IN URGENT NEED OF HELP!!!“He realized his Facebook account had been hacked. He realized his Facebook account had been hacked. Within minutes, his cell phone was ringing non-stop, with concerned friends calling to offer help. Many had received an e mail with the story that RutbergMany had received an e-mail with the story that Rutberghad been robbed at gunpoint while traveling in the United Kingdom, and needed money to get home. One even sent $1 200 to a Western Union branch in London$1,200 to a Western Union branch in London.He was locked out of his own account - criminals had changed his login credentials so he couldn't access his own Facebook page That meant he couldn't remove the dire Facebook page. That meant he couldn t remove the dire status message. He tried to use his wife's account to put a message on his "wall" indicating he was fine but the scammer had "dewall indicating he was fine, but the scammer had de-friended," his wife, so that didn't work.


New Playground for SCAM Artists

Someone set up a FacebookSomeone set up a Facebookaccount under the woman's name, used a real picture of her and added her actual her, and added her actual friends.

Then, the imposter claimed that she took part in a poverty program and by giving $250 she got $40,000 in return.return.Some of the woman’s friends fell for it.They state initial disbelief about the program, but imposter replied “it did really work” and that she had just received the money.Because her friends know her to be a trustworthy person,

36

Because her friends know her to be a trustworthy person, some of the people, as a result, have fallen for this scam.


Some More Scams

Facebook Cashback scamFacebook Cashback scamScammers told users they could link their debit card to their Facebook account and earn 20% cashback whenever they spent any money.They use this as bait to gather debit card information and spread it further to their friendsinformation and spread it further to their friends.

See who has been viewing your profileg y pOffer a link to an app that supposedly lets you see who has been accessing your profile. If you click

it d l t it t it on it and let it access your account it messages your friends with the same scam.It then has access to your account, and the ability

37

y , yto download malicious code onto your computer.


Children @ Risk

Disturbing ContentIf kids explore

File-share AbuseUnauthorized sharing of Cyber bullies

If kids explore unsupervised, they could stumble upon images or information you may g

music, video, and other files may be illegal, and download malicious software.

yBoth children and adults may use the Internet to harass or intimidate other

information you may not want them exposed to.

Predators

children.

Invasion of PrivacyThese people use the Internet to trick children into meeting with them in person.

If kids fill out online forms, they may share information you don’t want strangers to have about them or your family.


HOW TO BESOCIALLY CORRECT

Controls @ Corporates

Deploying technology to block control and Deploying technology to block, control and monitor usageRevising and updating organisational policies to include acceptable use of social networking and blogging sitesManaging the risk of marketing initiati es that are Managing the risk of marketing initiatives that are using blogging and social networking in order to prevent brand damagep gBrand protection services to prevent brand damageEducating end users about blogging and social networking to reduce business impact.


CONTROLS @ CORPORATES…

Risks Controls

Malware Phishing Anti-Virus / Anti-Malware, Phishing, Spyware, Keyloggersetc.

Anti Virus / AntiMalware / Endpoint Protection

Dynamic Content Real time Content Filtering

SSL Threats SSL Decryption

Productivity loss URL / Web filteringProductivity loss URL / Web filtering

Mobile access Enterprise policies,


Controls @ Corporates – Pen test

Fake employee profile created of very attractive 28 year old female p y p y ybased on social reconnaissance of 1402 employees 906 of which used facebook. Target employees were were males between the ages of 20 and 40. Populated the profile with information about experiences at work by using combined stories collected from real experiences at work by using combined stories collected from real employee facebook profiles. Joined target co’s facebook group. Made 100s of friends easily -Began chatting conversations were based on work related issues Began chatting - conversations were based on work related issues collected from legitimate employee profiles. Posted our specially crafted link on facebook profile - "Omigawdhave you seen this I think we got hacked!"y gFake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. People started clicking on the link and verifying their credentials.Credentials used to access the web-vpn which in turn gave us access to the network. Credentials also allowed access to majority of systems on the network including the Active Directory server the of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.


Control yourself

KNOW THE RULES - check your organization’s policy on y g p ysocial networkingUSE SECURE PASSWORDS – NOT THE SAME EVERYWHERECHECK THE DEFAULT PRIVACY & SECURITY SETTINGS - don’t CHECK THE DEFAULT PRIVACY & SECURITY SETTINGS don t providing personal information by defaultBE PICTURE PRUDENT - think before posting images that might cause embarrassmentmight cause embarrassmentYOU NEVER KNOW WHO’S WATCHING - assume everyone can read your posts, including hackers!SECURE YOUR COMPUTERS - use up-to-date security SECURE YOUR COMPUTERS - use up-to-date security software and firewallsTHINK BEFORE YOU CLICK - if the email looks dodgy it probably isprobably isSTRANGER DANGER - beware of unsolicited invitations from spammersSUPERVISE Monitor kids accessSUPERVISE – Monitor kids access

Remember the fundamental theory – Nothing comes for free and nobody likes you that much!!!43

Cybercrime, in all its forms, is a lucrative business, which Cybercrime, in all its forms, is a lucrative business, which doesn’t just steal from big companies who ‘can afford

it’, it affects us all. If not in terms of cash, then of inconvenienceinconvenience

THINK BEFORETHINK BEFORE YOU CLICK!!!YOU CLICK!!!

CREDITSVarious websites and online, print media Various security technology product and services companies.gSocial Media websitesUser and addicts of social media


the social media bait - fraud & cybercrime

Documents