Home >Documents >SOCIAL NETWORKS - Social Networks Facebook Career based Social Networks LinkedIn is an employment...

SOCIAL NETWORKS - Social Networks Facebook Career based Social Networks LinkedIn is an employment...

Date post:11-Aug-2020
View:0 times
Download:0 times
Share this document with a friend

    Maria Agroti EPL682


  • 1: All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks

    by: Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda


  • ◦ How easy it is for an attacker to gain access to a large volume of personal user


    ◦ Automated Crawling identity theft: done by clowning a victims account and sending friend requests to their contacts.

    ◦ The stalkers hope to exploit the trust and the friendship between the victim and the contacts to achieve a theft and access sensitive information.

    ◦ Cross-Site Profile cloning attack: done by creating a forged profile in a network where the victim does not have an account and tries to reach the victims contacts that are already registered on both networks.


  • Social Networks ◦ Facebook

    Career based Social Networks

    ◦ LinkedIn is an employment oriented network site developed in 2003

    ◦ XING is a career based social networking site developed in 2003 mostly for the

    German Market.

    ◦ https://www.xing.com/

    ◦ MeinVZ from https://www.meinvz.net/Default (platform for non students based in

    Germany in 2008)

    ◦ StudiVZ from http://www.studivz.net/Default (platform for German students in



    https://www.xing.com/ https://www.meinvz.net/Default http://www.studivz.net/Default

  • 5

  • Worms

    ◦ On MySpace and Facebook

    ◦ A famous worm is the LoveLetter

    ◦ It used contacts from Outlook to send to the victims contacts a copy of themselves and spread more and more in that way to other users.

    ◦ When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and

    MSKERNEL32.VBS in the Windows_system_folder and WIN32DLL.VBS in the Windows directory.

    ◦ It creates its own key named MSKernel32 under the Local machine registry key that causes programs to run and adds the value MSKERNEL32.VBS to it.

    ◦ This is easier due to the fact that networking sites did not have filtering mechanisms for malicious



  • ◦ Networking sites are attracted by attackers due to having sensitive information on users.

    ◦ This information can be e-mail, education, hobbies, relationship status and background.

    ◦ This gets very easy for attackers to engineer attacks specified on each user.

    ◦ By creating a fake profile of a well known person, showed that even the close relatives of the

    forged profile can not tell the difference between a fake and a real profile on a social network


    ◦ By cloning an already registered profile is proved easier than it seems since contacts of the

    profile tend to accept requests if the profile is already part of the friends’ contact list.


  • iCLONER ◦ There are various components that crawl through social network sites and collect information and then use them

    to create cloned profiles automatically.

    ◦ Afterwards, send friend requests to other contacts.

    ◦ 1) Crawler: crawls and collects information about a user

    ◦ Essential is being a friend on the social network in order to have access

    ◦ Keeps track of profiles that could not be accessed due to restrictions

    ◦ 2) Identity Matcher: analyses the information from the database to identify profiles from the same person.

    ◦ Profile creator: creates accounts that do not exist yet or duplicate an existing account

    ◦ Message sender: sends friend requests to known contacts of the person forged

    ◦ 3) CAPTCHA

    ◦ The crawler is tested into StudiVZ, MeinVZ,

    Facebook and XING.


  • CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart

    ◦ The iCloner uses an analyser to break the Captcha that tries to prevent automated access

    ◦ It generates tests that are hard to solved by a computer application.

    ◦ Either recognize a text or listen to a recording


  • Breaking CAPTCHAS

    ◦ 1) ImageMagick for image recognition

    ◦ 2) Tesseract for text recognition to manipulate pixels

    ◦ MeinVZ and StudiVZ use CAPTCHAS

    ◦ By analysing the social networks, we establish that captchas are 5-letter words where the font, the

    background, foreground colours change and may be blurred.

    ◦ Perl where grid noise is removed and replaced with white pixels, then isolate the letters

    ◦ if letters overlap then ask for a new word because letters can not be isolated

    ◦ Then match its letter from the known fonts

    ◦ Match a letter by the number of pixels

    ◦ It is possible to request another Captcha again and again but only 3 errors are allowed.

    ◦ The Perl method was able to recognize the 29% of CAPTCHAS


  • Breaking reCAPTCHAS

    ◦ Used by Facebook

    ◦ It digitizes words so that they cannot be

    recognized by an OCR

    program(Optical Character


    ◦ They are more difficult to be

    recognised by an automated program.

    ◦ Two words are displayed at the same

    time (number)


  • Cloning Attacks-Profile cloning

    ◦ Since attackers clone profiles and send request to known contacts, victims tend to accept

    request easily.

    ◦ The communication level differs between contacts therefore suspicion varies.

    ◦ Typically, users tend to accept request if there is a relationship between them

    ◦ The attacker may send a message of “ Dear friends, my computer broke down, please add


    ◦ Some contacts may realize the profile is fake and remove the friend, but still if the request was

    accepted then the attacker has successfully managed to access and copy the information from

    that profile.

    ◦ The attacker uses a real profile picture and name since the names are not unique in the network.


  • Cloning Attacks-Cross-site profile cloning

    ◦ Victims are registered in one network but are forged in another.

    ◦ By cloning a new account not registered to a network, the victim will most likely not

    detect it

    ◦ The attacker collects information of the victim from another network

    ◦ The social networks must be of the same nature i.e LinkedIn and XING

    ◦ iCloner is able to forge accounts between XING and LinkedIn

    ◦ After cloning one victim then the attacker checks if the friend contacts can be forged.

    ◦ The attacker will search by name in the network and then look in more detail to make

    sure the associated user is indeed registered or not.


  • 14

    Cloning Attacks-Cross-site profile cloning

    ◦ If more than one profiles are found then a comparison using a scoring system is done to

    find the correct profile

    ◦ i.e awarding 2 points for the right education as its highly likely users with the same name will have similar information

    ◦ 2 points for the company of the employer

    ◦ And 1 point for the city

    ◦ →if the sum is >3 then we conclude that the two profiles belong to the same person

    ◦ Google search the top 3 hits

    ◦ Once the contacts of one victim are identified then the process is done again by sending

    friend request to these users but this time the person sending the request is not yet a

    friend in that particular social network.

    ◦ Therefore not much suspicion is raised

  • Evaluating

    ◦ Then we evaluate the attacks in terms of feasibility with real


    ◦ By experimenting with a large volume of real users by

    contacting 700 users

    ◦ Testing the iCloner in StudiVZ and MeinVZ

    ◦ Create 16 accounts that keep a low profile

    ◦ Therefore make delayed request

    ◦ Expectations were that 100,000 pages will be reached (request) daily

    ◦ 15000 users will be contacted and their information will be


    ◦ Crawlers were able to collect information from 40,000

    profiles daily


    ◦ Testing in XING

    ◦ Successfully crawl through 2000 profiles before the account was disabled

    ◦ Overall 118,000 accounts were crawled

  • Evaluating the profile cloning ◦ 1st Experiment:

    ◦ How easily would contacts accept the friend requests, will they be willing or suspicious.

    ◦ The iCloner is used to duplicate profiles that have given consent for access to their information.

    ◦ 5 users were used and 705 contacts were reached from them

    ◦ Created 5 other forged users with random names and reached the same contacts

    ◦ Acceptance rate of the known users was: 60-90%

    ◦ Acceptance rate from random users was less than 30%

    ◦ These results confirm that by forging profiles, an attacker can

    achieve a higher degree of success in establishing contacts

    with honest users than when using fictitious accounts.


  • Evaluating the profile cloning ◦ 2nd Experiment

    ◦ 5 users were used and 705 contacts were reached from them

    ◦ Created 5 other forged users with random names and reached the same c

Click here to load reader

Embed Size (px)