Why social media networks are not as secure as we think
In the past two weeks, we have learnt of security vulnerabilities in both Facebook and LinkedIn, two of the leading social media websites in the world.
Spreading through both website’s messenger mechanisms, both show that miscreants are now turning their attentions to where people might not expect such to be sent a phishing link and trying their luck.
In the case of LinkedIn, the network built for business and is now primarily used for recruitment by HR professionals, a team of researchers from Israel-based Check Point Software Technologies found the website’s chat function to allow the spreading of malicious files.
The researchers note that because of the sites inherent trustworthiness, “Users open messages under the assumption that the information is safe, secure and sent by a user with good intentions. Unfortunately, this trusting assumption can sometimes be abused.”
Although LinkedIn restricts the file types which can be sent through its chat function, Check Point’s Eran Vaknin, Dvir Atias and Alon Boxiner said they were able to identify multiple vulnerabilities that take advantage of LinkedIn’s security restrictions.
When a file in one of allowed formats is uploaded and sent, LinkedIn scans the attachment for malicious activity. “However,” the researchers note, “it was discovered that attackers could bypass the security restrictions and attach a malicious file to the LinkedIn messaging service.”
Effectively, LinkedIn failed to detect a file formatted in .jpg which is in fact a malicious file masquerading as the real deal.
The blog post from Check Point shows how a PDF loaded with malicious Powershell scripts can be uploaded to LinkedIn’s CDN server and the payload goes undetected by LinkedIn’s security protections.
Once downloaded and opened by the user a REG file is created in the Windows Registry database, “giving attacker control over the user’s machine. From now on, the script will run each time the user logs into his/her computer.”
Although it’s difficult to comment on the likelihood of how such an attack would behave out in the wild, as users’ machines have very different anti-virus solutions and will differ in security settings depending on the company.
It should ring certain alarm bells which highlight that there isn’t an attack vector which criminals won’t try to gain control of a machine. And given LinkedIn’s prolific use within an enterprise environment, this presents multiple challenges.
Anyone from C-suite executives down to HR professionals, both of whom will have highly private information on their machines is at risk.
Ilia Kolochenko, chief executive of High-Tech Bridge, said: “Vulnerabilities affecting applications and infrastructure of social networks are probably not the highest risk, despite the famous LinkedIn breach in 2012 and other related incidents. Professional social engineers with fake, but convincing, profiles can get quite a lot of valuable information from social networks such as LinkedIn. Moreover, even passive attacks can be detrimental for companies. Many security professionals post internal, and even confidential, data of their employers in private groups, but such groups are far from being reliable and safe.”
Much of the same risks were learnt of in the case of malware spreading through Facebook, which was discovered by David Jacoby, a security researcher from Kaspersky Lab.
Jacoby described in a blog post how he was sent a link to a video file in Facebook Messenger, which was pointing to a Google document file. It had taken a photo of the victim from its Facebook page and created a dynamic landing page that looks like a playable movie to give the page credibility.
“When the victim clicks on the fake playable movie, the malware redirects them to a set of websites which enumerate their browser, operating system and other vital information. Depending on their operating system they are directed to other websites,” said Jacoby.
The malware is said to work in both Windows and MacOS, and is browser independent, meaning it doesn’t fail or shut down based on whichever browser the user is looking at.
“When changing the User-Agent header (browser information) the malware redirects you to different landing pages. For example, when using Firefox, I was redirected to a website displaying a fake Flash Update notice, and then offered a Windows executable. The executable is flagged as adware,” he said.
Jacoby opined that when using Chrome, he was redirected to a website which fakes the look and feel of YouTube and displays a fake error message tricking the user to download a malicious Google Chrome extension from the Google Play Store. That Chrome Extension happens to be a Downloader, which downloads a malicious file to a victim's computer.
Jacoby warned that the campaign is unique in that it also uses Google documents for customised landing pages. But he added that no extra malware is being used in the campaign, and it is “most likely making a lot of money in ads and getting access to a lot of Facebook accounts.”
He said that although the initial spreading mechanism seems to be Facebook Messenger, how it actually spreads via Messenger is still unclear. “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing,” said Jacoby.
This too could present a very tricky scenario for any enterprise, as with the ubiquity of social media websites, so do the opportunities for such instances to occur within a closed enterprise environment grow. It will also be a challenge to separate permissible use of social networks, if banned, due to the use of social media by marketing teams.
Enterprises would be well advised to devise rigorous training for their staff so they are able to spot such threats. If social media websites are banned, employees tend to practise ‘shadow IT’ and find ways around the ban which could open their machine up to more online dangers.
Kolochenko added: “Continuous security awareness and employee training in pair with user-machine and network hardening will certainly solve a lot of problems related to social networks (in)security. More sophisticated anti-fraud and identity verification system will help a lot.”