August 15, 2011

Accelerated Contamination in Social Networks

Ulysses Wang

If you follow our blogs or are an active Facebook user, you must have noticed that Facebook scams are very popular. A shocking video appears on your friends' walls, and a few curious clicks then trick you into filling in a fake survey and unintentionally spreading the scam message. We have covered such cases before with the Death of Amy Winehouse and the Walmart gift card offer. People might ask: How does it work? How many people are involved in a campaign? How long does a campaign last? And what can we do to combat these contaminations? Let us show our recent research on these Web 2.0 campaigns.


Root of Social Network Contamination? 

Taking Facebook as an example, cyber criminals seed messages such as "Shocking video", "Free Facebook credits", and current hot topics. You may have seen messages on someone's wall similar to this:


You may be asked directly to share this post with all your friends, or it can be done for you in 2 clicks as below...


A curious click will lead you to a template site which asks you to click the "Jaa" button twice. "Jaa" means "Share" in Finnish. If you do it, you will share the above message on your wall. Here is the code used to facilitate sharing in the background.


After sharing the message, visitors will be redirected to a page to do a survey. My gut feeling tells me that no one is going to get anything out of it except the cyber criminals...


Duration of the contamination?

Let's take a sample campaign that happened in the middle of July. The title of the campaign is "FATHER gets TOTALLY Embarrassed after entering Daughters Room", and here is a snapshot of the campaign on Facebook.


This campaign broke out on July 13th and peaked on July 21st according to our research: we can see in the graph below that there were on average 1600+ visitors online every few seconds on that date. The number then dropped as the URLs were perhaps blocked by the security vendor or the customer was educated by seeing alerts published by security companies. So the campaign lasted about two weeks, and new campaigns will last even less time.

People are the new "Worm"?

There was a fresh campaign titled "This ls what happens when ex GF forgets to turn her vvebcam off" on Facebook. It started on August 2nd and soon peaked on August 4th. Here is the graph which shows the online visitors every hour on August 4th.


The average number of online visitors every few seconds is 1760. If we assume that every visitor spends 2 minutes on the site to complete the survey or for some other reason, we can do a rough calculation:

There will be 1,267,200 visitors for this campaign in a day. (24 X 60) / 2 X 1760 = 1,267,200

If one in two visitors shares the message on their wall and completes the survey, there will be 633,600 Facebook users involved in the campaign. 1,267,200 / 2 = 633,600

People click to see the shocking video, but most of them would not want to share it with their friends, especially after they are cheated into doing a survey. So I guess most of them will delete the message from their wall page as soon as they find it. Assuming that 99% of the visitors will delete the shocking video message from their wall as soon as they find it, the number of people who really share it will be 6,336.

According to Facebook Statistics, a user has 130 friends on average; therefore 82,368,000 Facebook users are exposed to the message via their friends' walls. 6,336 X 130 = 823,680

The above data was taken from a visitor-counting site (http://whos.amung.us) which is used by the cyber criminals.


As Facebook is so popular around the world, people from everywhere may be involved in the worldwide contamination. Look at the map of online users when the US is sleeping:


Currently, the scams only redirect Facebook users to a phishing Web site to complete a scam survey. If this type of contamination were to direct users to rogue antivirus software or to exploit kits, the security impact would be unthinkable.


I am always on the social Web, what can I do? 

1. Be cautious about suspicious newsfeeds from your friends, and do not click suspicious links. Facebook sometimes gives you warnings; simply cancel them. Notify your friends about suspicious newsfeeds.


2. Clean up your wall page if you happen to be tricked into spreading suspicious content, and report it to Facebook by clicking the "X" button in the right corner of the message.

3. Educate your friends about common threats and scams. 

4. Install a security application such as Defensio™ to protect your account and filter suspicious newsfeeds.


Web 2.0 Protection and Control? 

Websense® is updating the current URL category set. New categories will provide more granular control of the social Web and broaden protection in the area of modern security threats. Social Web controls will allow organizations to control and monitor user behavior on popular Web domains, such as, but not limited to: Facebook, Twitter, YouTube, and LinkedIn.

The Defensio Web service – powered by Websense – takes aim at threats to social media, such as malicious content, comment spam, and other embedded threats. It could protect your personal or corporate Facebook profiles from spam and malicious content.  

ThreatSeeker Network™ scans more than 40 million Web sites for malicious code and scans nearly 10 million emails for unwanted content and malicious code every hour. The phishing Web site used in the scam will be found by ThreatSeeker Network and blocked.
