Page 1: SOCIAL NETWORKS - UCYSocial Networks Facebook Career based Social Networks LinkedIn is an employment oriented network site developed in 2003 XING is a career based social networking

SOCIAL NETWORKS

Maria Agroti, EPL682


1: All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks

by: Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda


◦ How easy it is for an attacker to gain access to a large volume of personal user information.

◦ Automated crawling and identity theft: done by cloning a victim's account and sending friend requests to their contacts.

◦ The attackers hope to exploit the trust and friendship between the victim and the contacts to carry out the theft and access sensitive information.

◦ Cross-site profile cloning attack: done by creating a forged profile in a network where the victim does not have an account, and then trying to reach the victim's contacts that are already registered on both networks.


Social Networks

◦ Facebook

Career based Social Networks

◦ LinkedIn is an employment-oriented network site developed in 2003

◦ XING is a career-based social networking site developed in 2003, mostly for the German market.

◦ https://www.xing.com/

◦ MeinVZ from https://www.meinvz.net/Default (platform for non-students based in Germany, 2008)

◦ StudiVZ from http://www.studivz.net/Default (platform for German students, 2005)


Worms

◦ On MySpace and Facebook

◦ A famous worm is the LoveLetter

◦ It used contacts from Outlook to send a copy of itself to the victim's contacts, and spread further to other users in that way.

◦ When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows system folder and WIN32DLL.VBS in the Windows directory.

◦ It creates its own key named MSKernel32 under the Local Machine registry key that causes programs to run, and adds the value MSKERNEL32.VBS to it.

◦ This was easier because networking sites did not have filtering mechanisms for malicious content.


◦ Networking sites attract attackers because they hold sensitive information about users.

◦ This information can be e-mail, education, hobbies, relationship status and background.

◦ This makes it very easy for attackers to engineer attacks tailored to each user.

◦ By creating a fake profile of a well-known person, it was shown that even the close relatives of the person whose profile was forged cannot tell the difference between a fake and a real profile on a social network site.

◦ Cloning an already registered profile proves easier than it seems, since contacts of the profile tend to accept requests if the profile is already part of the friends’ contact list.


iCLONER

◦ There are various components that crawl through social network sites, collect information and then use it to create cloned profiles automatically.

◦ Afterwards, friend requests are sent to other contacts.

◦ 1) Crawler: crawls and collects information about a user

◦ Being a friend on the social network is essential in order to have access

◦ Keeps track of profiles that could not be accessed due to restrictions

◦ 2) Identity Matcher: analyses the information from the database to identify profiles that belong to the same person.

◦ Profile creator: creates accounts that do not exist yet or duplicates an existing account

◦ Message sender: sends friend requests to known contacts of the forged person

◦ 3) CAPTCHA

◦ The crawler was tested on StudiVZ, MeinVZ, Facebook and XING.


CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

◦ The iCloner uses an analyser to break the CAPTCHA that tries to prevent automated access

◦ It generates tests that are hard to solve by a computer application.

◦ Either recognize a text or listen to a recording


Breaking CAPTCHAS

◦ 1) ImageMagick for image recognition

◦ 2) Tesseract for text recognition to manipulate pixels

◦ MeinVZ and StudiVZ use CAPTCHAS

◦ By analysing the social networks, it was established that CAPTCHAs are 5-letter words where the font, the background and the foreground colours change and may be blurred.

◦ A Perl script removes the grid noise and replaces it with white pixels, then isolates the letters

◦ If letters overlap, a new word is requested because the letters cannot be isolated

◦ Then each letter is matched against the known fonts

◦ A letter is matched by the number of pixels

◦ It is possible to request another CAPTCHA again and again, but only 3 errors are allowed.

◦ The Perl method was able to recognize 29% of the CAPTCHAs


Breaking reCAPTCHAS

◦ Used by Facebook

◦ It digitizes words so that they cannot be recognized by an OCR (Optical Character Recognition) program

◦ They are more difficult to be recognised by an automated program.

◦ Two words are displayed at the same time (number)


Cloning Attacks - Profile cloning

◦ Since attackers clone profiles and send requests to known contacts, victims tend to accept the requests easily.

◦ The communication level differs between contacts, therefore suspicion varies.

◦ Typically, users tend to accept requests if there is a relationship between them

◦ The attacker may send a message such as “Dear friends, my computer broke down, please add again”

◦ Some contacts may realize the profile is fake and remove the friend, but if the request was accepted, the attacker has still managed to access and copy the information from that profile.

◦ The attacker uses a real profile picture and name, since names are not unique in the network.


Cloning Attacks - Cross-site profile cloning

◦ Victims are registered in one network but are forged in another.

◦ By cloning into a new account in a network where the victim is not registered, the victim will most likely not detect it

◦ The attacker collects information about the victim from another network

◦ The social networks must be of the same nature, i.e. LinkedIn and XING

◦ iCloner is able to forge accounts between XING and LinkedIn

◦ After cloning one victim, the attacker checks if the friend contacts can be forged.

◦ The attacker will search by name in the network and then look in more detail to make sure whether the associated user is indeed registered or not.


Cloning Attacks - Cross-site profile cloning

◦ If more than one profile is found, a comparison using a scoring system is done to find the correct profile

◦ i.e. awarding 2 points for the right education, as it is highly likely that users with the same name will have similar information

◦ 2 points for the company of the employer

◦ And 1 point for the city

◦ → If the sum is > 3, we conclude that the two profiles belong to the same person

◦ Google search: the top 3 hits

◦ Once the contacts of one victim are identified, the process is repeated by sending friend requests to these users, but this time the person sending the request is not yet a friend in that particular social network.

◦ Therefore not much suspicion is raised


Evaluating

◦ Then we evaluate the attacks in terms of feasibility with real users.

◦ By experimenting with a large volume of real users, contacting 700 users

◦ Testing the iCloner in StudiVZ and MeinVZ

◦ Create 16 accounts that keep a low profile

◦ Therefore make delayed requests

◦ Expectations were that 100,000 pages would be reached (requested) daily

◦ 15,000 users would be contacted and their information accessed

◦ Crawlers were able to collect information from 40,000 profiles daily

◦ Testing in XING

◦ Successfully crawled through 2,000 profiles before the account was disabled

◦ Overall 118,000 accounts were crawled


Evaluating the profile cloning

◦ 1st Experiment:

◦ How easily would contacts accept the friend requests: would they be willing or suspicious?

◦ The iCloner is used to duplicate profiles that have given consent for access to their information.

◦ 5 users were used, and 705 contacts were reached through them

◦ Created 5 other forged users with random names and reached the same contacts

◦ Acceptance rate of the known users was: 60-90%

◦ Acceptance rate for random users was less than 30%

◦ These results confirm that by forging profiles, an attacker can achieve a higher degree of success in establishing contacts with honest users than when using fictitious accounts.


Evaluating the profile cloning

◦ 2nd Experiment

◦ 5 users were used, and 705 contacts were reached through them

◦ Created 5 other forged users with random names and reached the same contacts

◦ The message below is sent to all contacts

◦ The click rate on the link from both categories was close to 50%

◦ These results confirm that the attacks can be effectively used for spamming users and directing a large number of users to web sites under the control of the attacker, regardless of the relationships between the users.


Evaluating the cross-site cloning

◦ Cloning a profile from one network to another if it does not exist yet and a significant number of the profile's contacts are already registered on the other network.

◦ From source network = XING to target network = LinkedIn

◦ Crawled 30,000 XING profiles, of which 3,700 were registered in LinkedIn

◦ Experiment:

◦ 5 users from XING cloned in LinkedIn

◦ 78 contacts out of the 443 were also registered in LinkedIn

◦ LP: registered in LinkedIn as well

◦ SR: accepted friend request from the forged profiles


Suggestions

◦ Even advanced users can be tricked into accepting requests from cloned profiles.

◦ The social network could give more information on the request, i.e. country or date of the profile creation

◦ Improve the security in contact requests

◦ This does not impose any privacy issues if users are willing to establish trust and share personal information

◦ The CAPTCHAs could be more difficult to break

◦ Attackers use Optical Character Recognition programs to separate symbols

◦ The images could be rendered

◦ Symbols could overlap with one another

◦ Lines could span over the symbols


Related Works

◦ Social networks rely on the assumption that users are honest.

◦ For Sybil attacks there are two approaches, SybilGuard (above) and SybilLimit (below)

** Sybil profiles are pseudonymous accounts with the purpose to gain influence through the social network **

◦ SybilGuard defines a social network as a graph whose vertices represent users, and whose edges represent the human-established trust relations in the real world.

◦ In comparison to SybilGuard, SybilLimit ensures more optimal and acceptable limits for the number of sybil nodes in the network.

◦ However, in our attacks the friendship connections are legitimate and the system is trying to contact a high number of existing “honest” nodes. Therefore, our fake accounts would not be detected by the previous approaches.


Conclusions

◦ Many social networking sites have millions of registered users

◦ It is not uncommon for Internet users to be participants in more than one social networking site (e.g., LinkedIn and Facebook).

◦ We showed how easy it would be for an attacker to launch automated crawling and identity theft-like cloning attacks against five popular social networking sites.

◦ We show that it is feasible to launch an automated, cross-site profile cloning attack where the victim’s contacts are stolen and reestablished in a social network where she is not registered yet.

◦ Although social networking sites are useful, it is important to raise awareness among users about the privacy and security risks that are involved.


2: COMPA: Detecting Compromised Accounts on Social Networks

by: Manuel Egele, Gianluca Stringhini, Christopher Kruegel, and Giovanni Vigna


◦ Fake accounts usually have an anomalous behaviour.

◦ Attackers have started to compromise legitimate accounts to exploit the trust and relationships with the contact list.

◦ In this paper we present an approach to detecting compromised accounts on Twitter and Facebook

◦ A tool called COMPA implements the approach explained, identifying compromised accounts using a dataset of 1.4 billion Twitter messages and 106 million Facebook messages

◦ 83% of users received at least one unwanted message in a social network in 2008

◦ Malware, phishing and spam campaigns have been carried out in social networks

◦ Sybil profiles are pseudonymous accounts with the purpose to gain influence through the social network.

◦ Compromised profiles are accounts that have been taken over by an attacker


◦ It is hard to differentiate between sybil and compromised accounts.

◦ Compromised accounts are valuable to attackers

◦ They allow exploitation of trust within the network

◦ In order to detect malicious campaigns, an analysis is done of the messages sent.

◦ Messages may have the same URL link, or their contents may overlap.

◦ Therefore, what is done is clustering of messages with similarities.

◦ To cluster messages, systems try to distinguish malicious threats from the URL

◦ Systems cannot distinguish whether messages are sent from fake or compromised accounts.

◦ With almost ~80% success rate

◦ After finding a fake account, it can be deleted, therefore minimizing its effect in the network.


Detection of compromised accounts

◦ The approach does not depend on URLs only

◦ It can detect scam messages that include phone numbers in them

◦ Focus on detecting compromised accounts to remove them privately and minimize their effect on the network.

◦ A noticeable change in the behaviour of an account can tell if it is compromised.

◦ Behavioural Profile: a collection of statistical models


Detection of compromised accounts

◦ Therefore, these behavioural profiles make it easy to assess messages in the future

◦ If a message differs from typical behaviour, then the profile may be compromised

◦ The approach looks for similar messages posted on one social network that violate the behavioural profiles of their respective users.

◦ 1) check for a similar set of messages

◦ 2) check whether these messages violate the corresponding behavioural profile

◦ This is because attackers typically aim to distribute malicious messages through many compromised accounts.


Behavioural Profiles

◦ Uses past information on network activity to capture a user’s normal behaviour.

◦ Uses a list of messages the user posts, in chronological order

◦ Twitter: the public tweets

◦ Facebook: the messages posted on the user’s wall, as well as what the user posts on friends’ walls

◦ How a user uses their social account must be considered in order to avoid anomalies, i.e. the client applications or languages

◦ Create statistical models with a set of values extracted from each message itself (time sent, client application)

◦ Each model produces a score, either 0 or 1 (0: normal, 1: anomaly)


Models of characteristics

◦ Time of the day

◦ The hours of the day in which the user is typically active (for example lunch breaks, sleeping hours)

◦ Message source

◦ Name of the application source, mobile or web access, Android or iOS

◦ Message Language

◦ The language of input is expected not to change, as users only use one or two languages

◦ Message Topic

◦ A set of topics frequently used by the user

◦ Links in Messages

◦ Such as blogs, pictures, news articles etc.

◦ Direct User Interaction

◦ Interactions with other users, mentions of friends etc.

◦ Proximity

◦ Users befriend other users that are close to them, using IP addresses for example


Training the models

◦ Use the messages and their characteristics to create models (source and links)

◦ Models are represented as M: <fv, c>, where fv is a value of a feature and c is the number of messages with that feature value

◦ Categories of features:

◦ Mandatory: each message has one value for the feature present

◦ Must-have features:

1. Time of the day

2. Source

3. Proximity

4. Language

◦ Optional: each message does not have to have the feature present

◦ Multiple feature values per message

◦ Links

◦ Direct interaction

◦ fv = null for each element

Page 30: SOCIAL NETWORKS - UCYSocial Networks Facebook Career based Social Networks LinkedIn is an employment oriented network site developed in 2003 XING is a career based social networking

30

Evaluate new messages after training

◦ Check whether a message violates the behavioural profile by calculating a score

◦ A) Mandatory features:

◦ If M contains a tuple with fv as the first element, then the tuple <fv, c> is extracted from M.

◦ If there is no such value, the message is considered anomalous.

◦ The procedure terminates here and an anomaly score of 1 is returned.

◦ Check if fv is anomalous in all models

◦ B) Optional features:

◦ If M contains a tuple with fv as the first element, the message is considered to match the behavioural profile, and an anomaly score of 0 is returned.

◦ Otherwise, the anomaly score is defined as the probability p for the account to have a null value for this model


Final anomaly score

◦ After evaluating every message against each model

◦ Combine the per-model scores into an overall score for each message

◦ This anomaly score is the weighted sum of the values for all models.

◦ But each network will require different weights for the various features.

◦ A message is said to violate an account’s behavioural profile if its overall anomaly score exceeds a threshold.
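The training, per-model scoring and weighted-sum steps on the last three slides, as an added worked example in Python (this is not COMPA's own code). Each model is stored as a map from feature value fv to count c, mandatory and optional features are scored as the slides describe, and the per-model scores are combined with the Twitter weights the deck reports later (source 3.3, interaction 1.4, domain 0.96, hour 0.88, language 0.58, topic 0.39). The 10% rarity rule for a known-but-rare mandatory value, treating an absent optional value as normal, the threshold of 2.0, the feature names and the message history are assumptions made for this example; proximity is left out because the constructed messages carry no location.

```python
from collections import Counter

# Per-model weights the deck reports for the Twitter training set (page 37).
WEIGHTS = {"source": 3.3, "interaction": 1.4, "domain": 0.96,
           "hour": 0.88, "language": 0.58, "topic": 0.39}
MANDATORY = ("hour", "source", "language")     # every message has a value
OPTIONAL = ("domain", "interaction", "topic")  # value may be None (null)
RARE = 0.10       # assumption: a known value seen in <10% of history is anomalous
THRESHOLD = 2.0   # assumption: weighted sum above this is a profile violation

# Constructed history of one account: posts from an iPhone client, in English,
# at three usual hours, rarely with a link, sometimes mentioning a friend.
HISTORY = [
    {"hour": (8, 12, 20)[i % 3], "source": "Twitter for iPhone", "language": "en",
     "domain": "blog.example" if i % 10 == 0 else None,
     "interaction": "@friend" if i % 4 == 0 else None,
     "topic": ("football", "work")[i % 2]}
    for i in range(20)
]
NORMAL_MSG = {"hour": 12, "source": "Twitter for iPhone", "language": "en",
              "domain": None, "interaction": None, "topic": "work"}
ODD_HOUR_MSG = dict(NORMAL_MSG, hour=3)      # only the hour is unusual
CAMPAIGN_MSG = {"hour": 3, "source": "web", "language": "en",
                "domain": "free-gadgets.example", "interaction": None,
                "topic": "prizes"}           # constructed campaign-style post


def build_profile(history):
    """Behavioural profile: one model per feature, each a map fv -> c."""
    profile = {f: Counter(msg.get(f) for msg in history) for f in MANDATORY + OPTIONAL}
    profile["_n"] = len(history)
    return profile


def model_score(profile, feature, fv):
    """Anomaly score of one feature value against one model (0 normal, 1 anomalous)."""
    model, n = profile[feature], profile["_n"]
    if feature in MANDATORY:
        c = model.get(fv, 0)
        if c == 0:
            return 1.0                       # no <fv, c> tuple: anomalous, stop here
        return 1.0 if c / n < RARE else 0.0  # assumption: rarity rule for a known value
    if fv is None:
        return 0.0                           # assumption: absent optional value is normal
    if model.get(fv, 0) > 0:
        return 0.0                           # known value matches the profile
    # Unseen optional value: score is p, the share of history with a null value.
    return model.get(None, 0) / n


def anomaly_score(profile, msg):
    """Weighted sum of the per-model scores for one message."""
    return sum(WEIGHTS[f] * model_score(profile, f, msg.get(f)) for f in MANDATORY + OPTIONAL)


def violates_profile(profile, msg, threshold=THRESHOLD):
    return anomaly_score(profile, msg) > threshold


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for name, msg in [("normal", NORMAL_MSG), ("odd hour", ODD_HOUR_MSG), ("campaign", CAMPAIGN_MSG)]:
        print(f"{name:9s} score={anomaly_score(prof, msg):.3f} violation={violates_profile(prof, msg)}")
```

Under these assumed weights a post in an unfamiliar hour alone scores 0.88 and stays below the threshold, while a post from an unknown client with an unseen link domain scores well above it; the weights and the threshold are exactly the per-network knobs the slide above says must be tuned.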


Robustness of these models

◦ It is very difficult for an attacker to simulate the normal behaviour of a profile in order not to raise suspicion, even with knowledge of the history of the victim’s profile.

◦ For example, matching the client application of the victim (iPhone), which the attacker does not have control over, is hard, and the messages will not match the history of the victim.

◦ The attacker must host into a legitimate third-party domain used by the user

◦ In order to match the client application

◦ The attacker will not compromise third-party sites that the victims used in the past

◦ Crafting customized messages is hard for the attacker

◦ The history of all the victims is required

◦ Customizing messages makes it difficult to coordinate large-scale attacks.

◦ Delays must be introduced to match the active times of the victims

◦ Various topics need to match the user’s characteristics

◦ Experiments with COMPA show the identification of campaigns that use compromised accounts to distribute malicious messages.


Grouping Similar Messages

◦ One message that violates the model does not indicate an attack.

◦ Since the user may be experimenting with behaviour

◦ The account cannot be flagged until a number of similar messages occurs within a time interval.

◦ If an attacker sends just one message from each user, this cannot be detected even if the messages have similarities.

◦ An approach is to first group the similar messages and then analyse them

◦ Similarity of content: an n-gram analysis of similar contents.

◦ Messages are similar if they share at least one stream of 4 consecutive identical words

◦ Similarity in URLs: if messages contain at least one link to a similar URL

◦ It is common to include identifiers in the query string of a URL (after a question mark, for example)

◦ Therefore, this similarity measure discards the query string and relies on the remaining components of a URL

◦ Many users use URL shortening services while adding links to their messages.

◦ Different short URLs could point to the same page, which cannot be detected with COMPA

◦ On Twitter, there are millions of URLs per day (most of which are shortened).


Detecting Compromised Accounts

◦ As mentioned before, a clustering of similar messages is done over a certain time interval

◦ The interval is called the observation interval

◦ The group is called a suspicious group

◦ Analyse whether each message violates the behavioural model and make a final decision on whether the accounts are compromised.

◦ If the fraction of the messages that violate their behavioural profiles exceeds a threshold th, then the group is suspicious.

◦ Small groups of similar messages could appear; this may lead to false positives if the threshold for small groups is too low

◦ Since large groups of messages are not common

◦ For large groups, it should be sufficient to raise an alert if a smaller percentage of messages violate their behavioural profiles.

◦ Experiments show that the threshold does not influence the quality of the results.

◦ COMPA declares all users in the group as compromised.
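The grouping step of the previous slide and the group decision of this one, as an added Python example (not COMPA's code). Two messages are similar when they share a run of 4 identical words or link to the same URL once the query string is dropped; each group of one observation interval is then judged by the fraction of its messages that violate their behavioural profiles, with a threshold that depends on group size. The messages, their per-message `violates` flags (which the behavioural-profile step would supply), the single-linkage grouping, and the thresholds (groups under 3 messages are not evaluated, 0.6 for small groups, 0.3 for groups of 10 or more) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

NGRAM = 4                                  # consecutive identical words for content similarity
URL_RE = re.compile(r"https?://\S+")
MIN_GROUP = 3                              # assumption: smaller groups are not evaluated
SMALL_TH, LARGE_TH, LARGE = 0.6, 0.3, 10   # assumption: size-dependent thresholds

# Constructed messages from one observation interval; "violates" is the outcome
# of the behavioural-profile check for that message.
MESSAGES = [
    {"account": "alice", "text": "omg you have to see this http://promo.example/prize?u=1", "violates": True},
    {"account": "bob",   "text": "omg you have to see this http://promo.example/prize?u=2", "violates": True},
    {"account": "carol", "text": "wow! omg you have to see this http://promo.example/prize?u=3", "violates": True},
    {"account": "dave",  "text": "look: http://promo.example/prize?u=4", "violates": False},  # URL overlap only
    {"account": "erin",  "text": "lunch with the team at the new cafe today", "violates": False},
    {"account": "frank", "text": "lunch with the team was great, back to work", "violates": True},
]


def word_ngrams(text, n=NGRAM):
    """Set of n-word runs in the text, with links removed and case folded."""
    words = URL_RE.sub(" ", text.lower()).split()
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def normalized_urls(text):
    """Links in the text with the query string and fragment discarded."""
    urls = set()
    for raw in URL_RE.findall(text):
        p = urlsplit(raw.rstrip(".,;)"))
        urls.add(urlunsplit((p.scheme, p.netloc.lower(), p.path, "", "")))
    return urls


def similar(a, b):
    return bool(word_ngrams(a) & word_ngrams(b)) or bool(normalized_urls(a) & normalized_urls(b))


def group_messages(messages):
    """Single-linkage grouping: a message joins the first group holding a similar member."""
    groups = []
    for msg in messages:
        for g in groups:
            if any(similar(msg["text"], m["text"]) for m in g):
                g.append(msg)
                break
        else:
            groups.append([msg])
    return groups


def group_threshold(size):
    """Required violating fraction th for a group; None when the group is too small."""
    if size < MIN_GROUP:
        return None
    return LARGE_TH if size >= LARGE else SMALL_TH


def compromised_in_group(group):
    """All accounts in the group if the fraction of violating messages exceeds th."""
    th = group_threshold(len(group))
    if th is None:
        return set()
    fraction = sum(m["violates"] for m in group) / len(group)
    return {m["account"] for m in group} if fraction > th else set()


def detect(messages):
    """Accounts declared compromised across all groups of the interval."""
    flagged = set()
    for g in group_messages(messages):
        flagged |= compromised_in_group(g)
    return flagged


if __name__ == "__main__":
    for g in group_messages(MESSAGES):
        print(len(g), sorted(m["account"] for m in g), "->", sorted(compromised_in_group(g)))
```

Note that dave's account is declared compromised although his own message did not violate his profile: that is the slide's rule of flagging every member of a suspicious group, and the lunch messages show the other side, a similar-but-small group that is never evaluated.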


Detection (2)

◦ A big problem in the detection of these accounts is the fact that many applications use templates to generate messages that will be grouped as suspicious.

◦ These are called bulk applications: they send similar messages in large amounts

◦ COMPA has to distinguish the automated posts made with templates

◦ COMPA calculates the average pairwise Levenshtein ratios for these messages, which tells the similarity between 2 strings.

◦ But past messages from such applications contribute to users’ behavioural profiles, and additional messages do not indicate a change in behaviour if the users are not new.

◦ COMPA calculates the number of distinct accounts in the social network that made use of that application before it sent the first message that violates a user’s behavioural profile.
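The two checks on this slide, as an added Python example (not COMPA's code): the average pairwise Levenshtein ratio over a group's messages, which separates template-generated posts from hand-written ones, and the count of distinct accounts that used the posting application before the group's first profile violation. The ratio is computed here as one minus the edit distance divided by the longer length; that normalisation, the 0.8 template cutoff, the 50-account cutoff for an established application, the messages and the application log are all assumptions made for this example.

```python
from itertools import combinations

TEMPLATE_RATIO = 0.8     # assumption: average ratio at or above this means template posts
ESTABLISHED_USERS = 50   # assumption: prior distinct users for an application to count as established

# Constructed suspicious group: four posts by the same quiz application, all
# flagged as profile violations, plus a group of unrelated hand-written posts.
QUIZ_GROUP = [
    {"account": f"user{i}", "app": "CityQuiz", "time": 100 + i, "violates": True,
     "text": "I just took the city quiz and got " + city}
    for i, city in enumerate(["Paris", "Rome", "Oslo", "Lima"])
]
HANDWRITTEN_GROUP = [
    {"account": "g1", "app": "web", "time": 105, "violates": True, "text": "lunch at the cafe"},
    {"account": "g2", "app": "web", "time": 106, "violates": True, "text": "flight delayed again"},
    {"account": "g3", "app": "web", "time": 107, "violates": True, "text": "great game last night"},
]
# Constructed application log of earlier posts on the network: (time, account, app).
LONG_LOG = [{"time": t, "account": f"old{t}", "app": "CityQuiz"} for t in range(60)]
SHORT_LOG = LONG_LOG[:3]


def levenshtein(a, b):
    """Edit distance with unit insert, delete and substitute costs (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def levenshtein_ratio(a, b):
    """Similarity in [0, 1]: 1 for identical strings, 0 for nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def avg_pairwise_ratio(texts):
    pairs = list(combinations(texts, 2))
    return sum(levenshtein_ratio(a, b) for a, b in pairs) / len(pairs) if pairs else 1.0


def accounts_using_app_before(log, app, first_violation):
    """Distinct accounts that posted through `app` before the first violating message."""
    return len({e["account"] for e in log if e["app"] == app and e["time"] < first_violation})


def classify_group(group, log):
    """'not_templated': hand-written messages, judged by the normal group rule;
    'established_application': template posts from an app many accounts already used;
    'new_application': template posts from an app with few prior users."""
    if avg_pairwise_ratio([m["text"] for m in group]) < TEMPLATE_RATIO:
        return "not_templated"
    first_violation = min(m["time"] for m in group if m["violates"])
    prior = accounts_using_app_before(log, group[0]["app"], first_violation)
    return "established_application" if prior >= ESTABLISHED_USERS else "new_application"


if __name__ == "__main__":
    for name, group, log in [("quiz/long log", QUIZ_GROUP, LONG_LOG),
                             ("quiz/short log", QUIZ_GROUP, SHORT_LOG),
                             ("handwritten", HANDWRITTEN_GROUP, LONG_LOG)]:
        texts = [m["text"] for m in group]
        print(f"{name:15s} avg ratio={avg_pairwise_ratio(texts):.2f} -> {classify_group(group, log)}")
```

The same quiz posts are discounted when the log shows the application was in wide use before the first violation, and kept as suspicious when it was not; the hand-written group falls through to the ordinary threshold rule.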


Evaluation using COMPA

◦ Compare the messages and the behavioural profiles on Twitter and Facebook

◦ COMPA ran on 10% of all public Twitter messages on a single computer (Intel Xeon X3450, 16 GB RAM).

Twitter:

◦ 1.4 billion public tweets (May 13 - Aug 12, 2011)

◦ Observation interval: 1 hour

◦ Regenerated behavioural profiles every hour

◦ Used RESTful API services, which allowed 20k API calls in the span of an hour

◦ Retrieved timeline data for either the most recent three days or the user’s 400 most recent tweets, whichever resulted in more tweets.

Facebook:

◦ Accounts were crawled in 2009 because Facebook does not easily give the ability to collect data

◦ Facebook actively prevents researchers from collecting newer datasets from its platform, or pursues legal action.

◦ Accounts only from the same geographic networks (people that live in the same area)

◦ 106 million wall posts collected from five geographic networks (i.e., London, New York, Los Angeles, Monterey Bay, and Santa Barbara)


Training the classifier

◦ How much weight should each characteristic have?

◦ On Twitter, using a training dataset consisting of 5,236 (5,142 legitimate, 94 malicious) messages, the associated feature values (weights) are as follows:

◦ Source (3.3),

◦ Personal Interaction (1.4),

◦ Domain (0.96),

◦ Hour of Day (0.88),

◦ Language (0.58),

◦ Topic (0.39).

◦ Accounts are compromised:

◦ if a URL leads to a phishing page,

◦ if a third party link leads to a malicious page,

◦ if topics change from personal to promoting free gadgets and working from home.

◦ BUT tweets that may indicate a compromised account are often removed


From Twitter

◦ COMPA found phishing campaigns that use the same URLs and the same text in their malicious messages.

◦ 365,558 groups were reported as legitimate

◦ Overall, our system created a total of 7,250,228 behavioural profiles.

◦ COMPA identified 966,306 messages that violate the behavioural profiles of their corresponding accounts.

◦ 400,389 messages were deleted before the system tried to compare these messages to their respective behavioural profiles


False positives

◦ Analysis of the accounts to identify if they are indeed compromised.

◦ False positives are accounts that are falsely labelled compromised

◦ A) This may happen because there was a change in behaviour.

◦ Two groups belong to the same campaign if all pairwise Levenshtein ratios of five random messages from each group are at least 0.8.

◦ Only 24% of messages were available 3 months after being indicated as compromised.

◦ This means that for 76% of the messages that COMPA identified as being sent by a compromised account, either Twitter or the user herself removed the message.

◦ 96.2% of these accounts were still accessible, 0.6% were suspended by Twitter, and 3.2% were NOT FOUND

◦ For accounts COMPA did not flag as compromised, the figures were 95.5%, 0.5% and 4%, respectively


False positives (2)

◦ A classifier analyses 94k accounts flagged as compromised

◦ Only 152 or 0.16% were flagged as spammers

◦ 100/152 were really compromised

◦ 52 only were false positives.

◦ No cluster consisted only false positives. The main reason why they were detected as behaviour

violations by COMPA is that they posted an update in an hour during which they had never been

active before.

◦ The compromised accounts that COMPA reports are substantially different than the fake accounts

typically set up for spamming.

◦ The probability of a false positive as a function of the number of tweets available to calculate the behavioural profile shows that COMPA produces fewer false positives for accounts whose historical data is comprehensive. Therefore, the more data we have, the higher the accuracy.

Page 41

False Negatives

◦ Compromised accounts that have not been labelled as compromised

◦ COMPA built 64k behavioural profiles from the messages retrieved.

◦ 4% of them violated their behavioural profiles.

◦ All URLs were also extracted and checked: if a message contains a malicious URL, it is highly likely that the account is either fake or compromised.

◦ Shortened URLs have been expanded

◦ Checked with Spamhaus Domain Blacklist, Google Safe Browsing, PhishTank, Wepawet and Exposure

◦ 79 tweets contained 46 unique URLs

◦ 33 out of them violated the behavioural profile

◦ The reason COMPA did not flag these accounts in the first place is that the clusters generated by these messages were too small to be evaluated.

◦ Of the 39 accounts that COMPA did not flag as compromised, 20 were detected as fake accounts by the classifier by Stringhini.

Page 42

From Facebook

◦ The observation interval reached 8 hours

◦ Experiments showed that some popular applications were false positives.

◦ Therefore, these popular applications were removed from the dataset.

◦ COMPA generated 206,876 profiles, of which 11,499 were compromised accounts.


Page 43

Case Studies

◦ Most accounts that had been compromised were part of phishing scams whose purpose was to advertise more followers to the victims.

◦ Attackers lure victims into paying for more followers

◦ Since many users consider the followers a status symbol, this was very tempting

◦ Usernames and passwords were shared

◦ Afterwards, the attacker automatically posts a tweet from the compromised account to advertise the scam

◦ Other scams required the victim to call a phone number (by promising free gas cards etc.).

◦ These scams did not include URL links, so they were harder to detect.

◦ Outbreaks of XSS worms showed that compromised accounts are expected to diverge from their normal behaviour.


Page 44

Limitations

◦ If attackers are aware of COMPA, they will try to prevent their accounts from being detected.

◦ The attacker can align the behaviour to match the behavioural profiles

◦ But it will be time-consuming to gather information and mimic a victim without being detected.

◦ Also, networks have defences against automated crawling that slow down the process of stealing information.

◦ Attackers could try to evade the similarity measures so that their messages do not get grouped together

◦ This can be countered by COMPA using more comprehensive similarity measures


Page 45

Related Works

◦ Early detection systems on social networks focused on identifying fake accounts and spam messages by leveraging features that are used for recognizing characteristics of spam accounts

◦ For example, the URLs in messages or message similarity in user posts

◦ Another approach is to detect fake profiles by analysing interconnected groups of profiles.

◦ Attackers may instead use legitimate accounts that have been compromised

◦ Moreover, the system needs to know whether an account has sent spam before it can classify it as fake or compromised.

◦ COMPA detects compromised accounts even when they are not involved in spam campaigns.

◦ Another approach, called Monarch, detects malicious messages on social networks based on URLs that link to malicious sites. But it misses other types of malicious messages.

◦ The phone-number scams that COMPA detected would not be detected by Monarch.


Page 46

COMPA approach overall

◦ COMPA is a prototype tool that builds statistical models of behavioural profiles

◦ It DETECTS compromised accounts

◦ It CAN delete offending messages or RESET passwords

◦ It IDENTIFIES scam campaigns that tried to exploit phone numbers instead of using URLs

◦ Results:

◦ In Twitter: 383k accounts with 1.4 billion tweets analysed

◦ In Facebook: 11k accounts with 106 million messages analysed

◦ It reliably detects compromised accounts, even though we do not have full visibility of every message exchanged on Facebook and Twitter


Page 47

THANK YOU!!
