How attacks on social networks work

Symantec talks social-networking threats and how a new Norton Labs tool called App Advisor will stop them from attacking you.

Norton Labs' App Advisor scans your social networks for these kinds of attacks, and blocks them.

(Credit: Symantec)

SAN FRANCISCO--Symantec detailed some of the dirty secrets of Facebook, Twitter, and Google+ threats at its annual reviewers' workshop here today, and revealed a planned project to protect you from social networking manipulators.

The project from Norton Labs, currently called Norton App Advisor, combines Norton's Safe Web data with social network open API data to provide a safety rating for apps. It aims to prevent malicious apps that prey on your social network activity from collecting data on you and your friends, which Symantec representatives said was a major security concern.

"Social networks have a trust model built in, to trust posts from their friends. This trust model gets exploited by attackers, and it's difficult to distinguish between a post from a friend and a post from an attack," said Nishant Doshi, architect for Symantec's security response group that deals with browsers. He explained that the attacks are successful because they go viral, just like your latest favorite Nyan Cat video. They start small and spread fast.

There are basically three major kinds of attacks that show up on your social networking feeds, he told CNET. One is the drive-by download, in which somebody downloads ostensibly legitimate software that turns out to be malicious for the host computer, or in which the malicious download happens without the person's knowledge at all.

Another threat would be a prompt to begin a download that looks like a required plug-in, such as QuickTime or Flash, but is actually malware.

The third kind of threat that Doshi discussed is a survey scam. The scam asks you to fill out a survey that looks like a legitimate personal information survey, but in fact takes your data and uses it in ways that you didn't think you were authorizing. "Once they get a [cell phone] number, they place telemarketing calls to you, sign you up for a [premium SMS] subscription service, or just sell the information [to data collection companies.] They're trying everything," he lamented.

It's essentially premium SMS spam that you've been conned into legally agreeing to.

These surveys use "gray" marketing to appear above-board when collecting personal identity data, then flip it to turn you into money, said Gerry Egan, senior director of product management for Norton. "It's a little bit like spam on steroids. If a scammer can figure out how to seed a scam on a social network, then it goes from a trickle to a flood in a very short amount of time," he said.

The Facebook wall attacks have three ways of propagating, according to Egan. There are manual sharing attacks, where somebody unwittingly shares a malicious link manually. These generally involve "Copy Paste" attacks, which ask you to copy some JavaScript to your location bar. The JavaScript is malicious and gives the bad guys permission to post links to malicious sites to your wall.

Another form of attack is Like-Jacking, Egan said. This is where the Wall-posted link takes you to a site that requires answering a Captcha-style security question, but it's actually a transparent Like button. When you answer the Captcha, you are actually clicking the hidden Like button, and then it reposts to your wall. The Like button also tracks your mouse movement, so it doesn't matter where in the fake Captcha you click.

A third method is Comment-Jacking, which is similar to Like-Jacking. This hides a comment box under a Captcha, which then re-posts the malicious link to your wall to sucker in your friends. Much of this malicious Wall spam gets you to help distribute the link as it surreptitiously signs you up for something you didn't want. "It's a double-whammy punch," Egan said.
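Like-Jacking and Comment-Jacking both depend on one thing: a real action button being rendered inside an invisible frame on a decoy page that the victim thinks is a Captcha. The example below is added here and is not code from the article, Symantec or Norton. It shows, from the point of view of a site that serves its own embeddable action widget, the three defensive pieces a practitioner would want: the response headers that restrict who may frame the page, the client-side check the widget script can make, and server-side log triage using the Sec-Fetch-Dest and Sec-Fetch-Site request headers that modern browsers send. The origins https://trusted.example and https://decoy.example and the sample requests are constructed for illustration.

```javascript
// Added example (not code from the article, Symantec or Norton): the controls
// and detection a site operator would use to stop its own embeddable
// action button (a Like- or comment-style widget) from being laid
// transparently over a decoy page. Origins such as https://trusted.example
// and https://decoy.example are constructed for illustration.

// 1. Response headers that tell the browser who may frame this page.
//    frame-ancestors (CSP) is the authoritative control; X-Frame-Options is
//    kept for older browsers and cannot express an allowlist, so it falls
//    back to SAMEORIGIN when one is given.
function antiFramingHeaders(allowedEmbedders = []) {
  if (allowedEmbedders.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy":
      "frame-ancestors 'self' " + allowedEmbedders.join(" "),
  };
}

// 2. Client-side check for the widget script itself. `win` is a window-like
//    object so the logic can run outside a browser. Reading win.top from a
//    cross-origin frame throws; that refusal is itself proof of framing.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Decide whether the interactive widget should render. A widget that is
// legitimately embeddable must still know who is embedding it: where the
// browser exposes location.ancestorOrigins, every ancestor must be on the
// allowlist; otherwise any framing is refused.
function widgetRenderDecision(win, allowedEmbedders) {
  if (!isFramed(win)) return "render";
  const ancestors = win.location && win.location.ancestorOrigins;
  if (ancestors && ancestors.length > 0) {
    const all = Array.from(ancestors);
    return all.every((o) => allowedEmbedders.includes(o)) ? "render" : "refuse";
  }
  return "refuse";
}

// 3. Server-side detection: browsers now send Sec-Fetch-Dest / Sec-Fetch-Site
//    with each request, so the widget endpoint can log when it is being
//    framed by an origin it does not know. Header names are lower-cased as
//    most HTTP servers present them.
function classifyWidgetRequest(headers, allowedEmbedders) {
  if (headers["sec-fetch-dest"] !== "iframe") return "not-framed";
  if (headers["sec-fetch-site"] === "same-origin") return "framed-by-self";
  const referer = headers["referer"];
  if (!referer) return "suspicious"; // framed cross-site, embedder unknown
  let origin;
  try {
    origin = new URL(referer).origin;
  } catch (e) {
    return "suspicious";
  }
  return allowedEmbedders.includes(origin) ? "framed-by-partner" : "suspicious";
}

// Run the classifier over request records and count the outcomes, the way
// a log-triage job would.
function triage(requests, allowedEmbedders) {
  const counts = {};
  for (const r of requests) {
    const verdict = classifyWidgetRequest(r, allowedEmbedders);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}

// Constructed sample: one legitimate embed, one direct visit, one decoy page
// hiding the widget under a fake Captcha.
const SAMPLE_REQUESTS = [
  { "sec-fetch-dest": "iframe", "sec-fetch-site": "cross-site", referer: "https://trusted.example/blog/post-1" },
  { "sec-fetch-dest": "document", "sec-fetch-site": "none" },
  { "sec-fetch-dest": "iframe", "sec-fetch-site": "cross-site", referer: "https://decoy.example/free-gift-survey" },
];

console.log(antiFramingHeaders(["https://trusted.example"]));
console.log(triage(SAMPLE_REQUESTS, ["https://trusted.example"]));
```

The headers are the control that actually stops the attack; the client-side check covers widgets delivered through a path where the operator cannot set headers, and the Sec-Fetch triage gives a defender a log signal for the decoy pages that are already in circulation. A social network whose button is meant to be embedded anywhere cannot use `frame-ancestors 'none'`, which is why the allowlist form and the visibility checks matter more in that setting.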

On Twitter, there's Direct Message spam and Twitter-bot replies that send you a malicious link. Doshi explained that the spammers get access to a friend's Twitter login credentials through a credential phishing attack, and then send you a malicious link. "Phishers and scammers could be the same," said Egan, "but they could be resold, too. Some apps you've given legitimate access to are malicious apps which then gain rights to your account."

One security problem with Facebook apps that Egan pointed out is that they don't run on Facebook servers; they're hosted wherever the app developer wants. So while you may be looking at a site header from Facebook, which is Facebook's blue bar at the top, the app itself is hosted elsewhere. Facebook can't see the app itself.

There's no release date or price set for the Norton App Advisor yet, and Egan wouldn't confirm even a general availability for Q3 or Q4 2012. He did say, though, that Symantec believes that social-networking security does not lie solely with the social network itself.

"We share threat intel with Facebook, but I don't think either one of us could do it single-handedly."
