SOCIAL NETWORKS, Maria Agroti, EPL682: All Your Contacts Are Belong to Us - PowerPoint PPT Presentation



  1. SOCIAL NETWORKS - Maria Agroti, EPL682

  2. All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks, by Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda

  3.
  ◦ How easy it is for an attacker to gain access to a large volume of personal user information.
  ◦ Automated crawling identity theft: done by cloning a victim's account and sending friend requests to their contacts.
  ◦ The attacker hopes to exploit the trust and friendship between the victim and the contacts to carry out the theft and access sensitive information.
  ◦ Cross-site profile cloning attack: done by creating a forged profile in a network where the victim does not have an account, then trying to reach the victim's contacts who are already registered on both networks.

  4. Social Networks
  ◦ Facebook
  Career-based social networks
  ◦ LinkedIn is an employment-oriented network site developed in 2003
  ◦ XING is a career-based social networking site developed in 2003, mostly for the German market: https://www.xing.com/
  ◦ MeinVZ, https://www.meinvz.net/Default (platform for non-students based in Germany, 2008)
  ◦ StudiVZ, http://www.studivz.net/Default (platform for German students, 2005)


  6. Worms
  ◦ On MySpace and Facebook
  ◦ A famous worm is the LoveLetter
  ◦ It used contacts from Outlook to send a copy of itself to the victim's contacts, spreading in that way to more and more users.
  ◦ When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows system folder and WIN32DLL.VBS in the Windows directory.
  ◦ It creates its own key named MSKernel32 under the Local Machine registry key that causes programs to run, and adds the value MSKERNEL32.VBS to it.
  ◦ This was easier because networking sites did not have filtering mechanisms for malicious content.

  7.
  ◦ Networking sites attract attackers because they hold sensitive information about users.
  ◦ This information can be e-mail, education, hobbies, relationship status and background.
  ◦ This makes it very easy for attackers to engineer attacks tailored to each user.
  ◦ By creating a fake profile of a well-known person, it was shown that even close relatives of the impersonated person could not tell the difference between a fake and a real profile on a social network site.
  ◦ Cloning an already registered profile proves easier than it seems, since the profile's contacts tend to accept requests if the profile is already part of their friends' contact list.

  8. iCloner
  ◦ Various components crawl social network sites, collect information, and then use it to create cloned profiles automatically.
  ◦ Afterwards, friend requests are sent to other contacts.
  ◦ 1) Crawler: crawls and collects information about a user
  ◦ Being a friend on the social network is essential in order to have access
  ◦ Keeps track of profiles that could not be accessed due to restrictions
  ◦ 2) Identity Matcher: analyses the information in the database to identify profiles belonging to the same person.
  ◦ Profile Creator: creates accounts that do not exist yet, or duplicates an existing account
  ◦ Message Sender: sends friend requests to known contacts of the forged person
  ◦ 3) CAPTCHA breaker
  ◦ The crawler was tested on StudiVZ, MeinVZ, Facebook and XING.

  9. CAPTCHA
  Completely Automated Public Turing test to tell Computers and Humans Apart
  ◦ The iCloner uses an analyser to break the CAPTCHA that tries to prevent automated access
  ◦ A CAPTCHA generates tests that are hard for a computer application to solve.
  ◦ Either recognise a text or listen to a recording

  10. Breaking CAPTCHAs
  ◦ 1) ImageMagick for image processing (pixel manipulation)
  ◦ 2) Tesseract for text recognition (OCR)
  ◦ MeinVZ and StudiVZ use CAPTCHAs
  ◦ By analysing the social networks, we establish that the CAPTCHAs are 5-letter words where the font, background and foreground colours change and may be blurred.
  ◦ A Perl script removes the grid noise and replaces it with white pixels, then isolates the letters
  ◦ If letters overlap, a new word is requested, because the letters cannot be isolated
  ◦ Each letter is then matched against the known fonts
  ◦ A letter is matched by its number of pixels
  ◦ It is possible to request another CAPTCHA again and again, but only 3 errors are allowed.
  ◦ The Perl method was able to recognise 29% of the CAPTCHAs

  11. Breaking reCAPTCHAs
  ◦ Used by Facebook
  ◦ It uses digitised words that cannot be recognised by an OCR (Optical Character Recognition) program
  ◦ They are more difficult for an automated program to recognise.
  ◦ Two words are displayed at the same time (number)

  12. Cloning Attacks - Profile cloning
  ◦ Since attackers clone profiles and send requests to known contacts, victims tend to accept the requests easily.
  ◦ The level of communication differs between contacts, therefore suspicion varies.
  ◦ Typically, users tend to accept a request if there is a relationship between them.
  ◦ The attacker may send a message such as "Dear friends, my computer broke down, please add me again".
  ◦ Some contacts may realise the profile is fake and remove the friend, but if the request was accepted, the attacker has already managed to access and copy the information from that profile.
  ◦ The attacker uses the real profile picture and name, since names are not unique in the network.

  13. Cloning Attacks - Cross-site profile cloning
  ◦ Victims are registered in one network but are forged in another.
  ◦ Because the cloned account is created in a network where the victim is not registered, the victim will most likely not detect it.
  ◦ The attacker collects information about the victim from the other network.
  ◦ The social networks must be of the same nature, e.g. LinkedIn and XING.
  ◦ iCloner is able to forge accounts between XING and LinkedIn.
  ◦ After cloning one victim, the attacker checks whether the victim's friend contacts can be forged too.
  ◦ The attacker searches by name in the network and then looks in more detail to make sure whether the associated user is indeed registered or not.

  14. Cloning Attacks - Cross-site profile cloning
  ◦ If more than one profile is found, a comparison using a scoring system is done to find the correct profile:
  ◦ e.g. awarding 2 points for the right education, as it is highly likely that users with the same name will have similar information
  ◦ 2 points for the employer's company
  ◦ and 1 point for the city
  ◦ → if the sum is > 3, we conclude that the two profiles belong to the same person
  ◦ Google search: the top 3 hits
  ◦ Once the contacts of one victim are identified, the process is repeated by sending friend requests to these users, but this time the person sending the request is not yet a friend in that particular social network.
  ◦ Therefore not much suspicion is raised
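The name-plus-attribute scoring on this slide, implemented as an added example (not the paper's iCloner code): it scores two same-name profiles with the 2/2/1 weights, applies the "sum > 3" rule, and then uses the same rule from the defender's side, the way a platform could flag a new registration that scores as the same person as an existing account (a potential clone). The Profile fields, the sample profiles and the defensive use are constructed assumptions; the Google top-3 step is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    # Field set is an assumption; the slide names education, employer and city.
    name: str
    education: str = ""
    employer: str = ""
    city: str = ""


WEIGHTS = (("education", 2), ("employer", 2), ("city", 1))  # points from the slide
THRESHOLD = 3  # two profiles are "the same person" when the sum is > 3


def norm(value: str) -> str:
    # Case- and whitespace-insensitive comparison; empty fields never match.
    return " ".join(value.lower().split())


def similarity_score(a: Profile, b: Profile) -> int:
    """Score two same-name profiles with the slide's weights; 0 if the names differ."""
    if norm(a.name) != norm(b.name):
        return 0
    score = 0
    for field, points in WEIGHTS:
        x, y = norm(getattr(a, field)), norm(getattr(b, field))
        if x and x == y:
            score += points
    return score


def find_matches(target: Profile, candidates) -> list:
    """Candidates judged to be the same person as target, highest score first."""
    scored = [(similarity_score(target, c), c) for c in candidates]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [c for s, c in scored if s > THRESHOLD]


# Constructed sample data: two existing accounts sharing a name, plus a new signup
# that copies the first account's details (the defender's clone-detection view).
EXISTING = [
    Profile("Anna Müller", education="TU Munich", employer="Example AG", city="Munich"),
    Profile("Anna Müller", city="Berlin"),
]
NEW_SIGNUP = Profile("anna  müller", education="TU Munich", employer="Example AG", city="Hamburg")


def flag_clone_candidates(signup: Profile, accounts) -> list:
    """Existing accounts the signup scores as the same person: review as a potential clone."""
    return find_matches(signup, accounts)


if __name__ == "__main__":
    for match in flag_clone_candidates(NEW_SIGNUP, EXISTING):
        print(f"score {similarity_score(NEW_SIGNUP, match)}: possible clone of {match}")
```

Note that a profile sharing only education and city with an existing account scores exactly 3 and is not matched, because the slide's rule is strictly greater than 3.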

  15. Evaluating
  ◦ Then we evaluate the attacks in terms of feasibility with real users.
  ◦ By experimenting with a large volume of real users:
  ◦ Testing in XING, contacting 700 users
  ◦ Successfully crawled 2000 profiles
  ◦ Testing the iCloner in StudiVZ and MeinVZ before the account was disabled
  ◦ Created 16 accounts that keep a low profile
  ◦ Overall 118,000 accounts were crawled
  ◦ Therefore, requests are delayed
  ◦ Expectations were that 100,000 pages (requests) would be reached daily
  ◦ 15,000 users would be contacted and their information accessed
  ◦ Crawlers were able to collect information from 40,000 profiles daily

  16. Evaluating the profile cloning
  ◦ 1st Experiment:
  ◦ How easily would contacts accept the friend requests; would they be willing or suspicious?
  ◦ The iCloner is used to duplicate profiles of users who gave consent for access to their information.
  ◦ 5 users were used and 705 of their contacts were reached
  ◦ 5 other forged users with random names were created and the same contacts were reached
  ◦ Acceptance rate for the known (cloned) users: 60-90%
  ◦ Acceptance rate for the random users: less than 30%
  ◦ These results confirm that by forging profiles, an attacker can achieve a higher degree of success in establishing contacts with honest users than when using fictitious accounts.

  17. Evaluating the profile cloning
  ◦ 2nd Experiment
  ◦ 5 users were used and 705 of their contacts were reached
  ◦ 5 other forged users with random names were created and the same contacts were reached
  ◦ The message below is sent to all contacts
  ◦ The click rate on the link was close to 50% in both categories
  ◦ These results confirm that the attacks can be effectively used for spamming users and directing a large number of users to web sites under the control of the attacker, regardless of the relationships between the users.

  18. Evaluating the cross-site cloning
  ◦ Cloning a profile from one network to another, if it does not exist there yet and a significant number of the profile's contacts are already registered on the other network.
  ◦ From source network = XING to target network = LinkedIn
  ◦ Crawled 30,000 XING profiles, of which 3,700 were registered in LinkedIn
  ◦ Experiment:
  ◦ 5 users from XING cloned in LinkedIn
  ◦ 78 of their 443 contacts were also registered on LinkedIn
  ◦ LP: registered in LinkedIn as well
  ◦ SR: accepted friend request from the forged profiles
