
Post on 15-Jan-2016


Miscreant of Social Networks

Paper1: Social Honeypots, Making Friends With A Spammer Near You

Paper2: Social phishing

Kai and Isaac


Paper1, Motivation

• Online Social Networks (OSNs) are rapidly growing in popularity, e.g., Facebook, MySpace, Hi5, etc.

• OSNs provide new opportunities for miscreants to conduct their activities

Ex: phishing is more effective when done in the context of a social network

• Understanding different types of social spam and deception tactics is the first step towards countering these vulnerabilities.


Methodology

• Harvesting deceptive spam profiles from social networking communities using social honeypots.

• Providing a detailed characterization (from 6 aspects) of the spam profiles that were collected with the social honeypots.


Social Honeypots

• 51 identical profiles

Single, Athletic, Male, Caucasian

One in each state and Washington DC

Largest city in each state for anonymity

Always logged on to MySpace, 24 hours per day, 7 days per week

• Harvested data

Conducted a four-month evaluation from Oct. 1, 2007 to Feb. 1, 2008

Harvested 1,570 friend requests (and corresponding spam profiles)


Characterization

• Temporal distribution of spam friend requests

Peaks at Columbus Day, Halloween, Thanksgiving


Characterization (cont.)

• Geographic distribution of spam friend requests

Midwest (receives most), California (sends most)

97.7% of requests are from spam profiles that reported a location that did not match the city/state associated with the honeypot profile that received them.


Characterization (cont.)

• Spam Profile Duplication

65 spam profiles sent friend requests to more than one of our honeypots

40 out of 51 honeypots (78.4%) received duplicated requests.

Once rejected by one honeypot, that profile would not send a request again.


Characterization (cont.)

• Spam Profile Examples

Click Traps: lead users to a nefarious webpage

Friend Infiltrators: do not have overtly deceptive elements; spam the users through every available communication method (message/comment spam).

Pornographic Storytellers: through “about me” section, which contains such stories.

Japanese Pill Pushers: a kind of advertisement, also through “about me” section.

Winnies: all these profiles have the same headline “Hey its winnie”


Characterization (cont.)

• Spam Profile Demographics

All are women, aged 17-34 (99.4% 21-27), single, attractive.

30% of the profiles have more than one friend.

Distribution of # of friends associated with spam profiles.


Characterization (cont.)

• Advertised Webpages

2,355 URLs in spam profiles redirected to 11 different destinations.

Profiles that didn't have a URL in the “About Me” section were Friend Infiltrators.

93.3% of pages were for redirection

6.6% were pornographic storytellers

0.1% (only 1 page) was a phishing attack


Paper 2: Social Phishing

• The motivation is to provide us with a baseline success rate for individual phishing attacks.

Year: 2005

Location: Indiana University

• The key question is how easily and effectively can a phisher exploit social network information found on the Internet to increase the yield of a phishing attack?

Very easily

Very effectively


Setup


Setup (cont.)

• Phishing experiment steps:

1. Blogging, social network, and other public data is harvested
2. Data is correlated and stored in a relational database
3. Heuristics are used to craft spoofed email message by Eve “as Alice” to Bob (a friend)
4. Message is sent to Bob
5. Bob follows the link contained within the email message and is sent to an unchecked redirect
6. Bob is sent to attacker whuffo.com site
7. Bob is prompted for his University credentials
8. Bob’s credentials are verified with the University authenticator
9. a. Bob is successfully phished
   b. Bob is not phished in this session; he could try again.
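
Step 5 only works because the redirect forwards to whatever URL it is handed. As an added example (not code from the papers or from these slides), here is a server-side check that follows only same-site paths or allowlisted HTTPS hosts; the host names, the `next` parameter and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist; these host names are placeholders, not from the slides.
ALLOWED_HOSTS = {"www.university.example", "login.university.example"}


def safe_redirect_target(target, default="/"):
    """Return target only if it is a same-site path or an allowlisted HTTPS URL."""
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by urlsplit, so refuse them outright.
    if not target or any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
        port = parts.port
    except ValueError:  # malformed netloc or port
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        # "//host/path" is scheme-relative and would leave the site.
        return target if target.startswith("/") and not target.startswith("//") else default
    if parts.scheme != "https" or port not in (None, 443):
        return default
    if parts.username is not None or parts.password is not None:
        return default  # "https://trusted-name@other-host/" style confusion
    host = (parts.hostname or "").lower()
    return target if host in ALLOWED_HOSTS else default


def redirect_location(query_string, param="next"):
    """Location header a redirect endpoint should send for this query string."""
    values = parse_qs(query_string).get(param, [])
    # A missing or repeated (ambiguous) parameter falls back to the home page.
    return safe_redirect_target(values[0]) if len(values) == 1 else "/"


if __name__ == "__main__":
    # Constructed sample query strings.
    for qs in ("next=/courses/list",
               "next=https://login.university.example/cas",
               "next=https://whuffo.com/login",
               "next=//whuffo.com/login",
               "next=https://www.university.example@whuffo.com/"):
        print(f"{qs!r:60} -> {redirect_location(qs)}")
```

With this check in place the link from step 4 lands on the site's own home page instead of the external login page, so steps 6 to 9 never start.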


Experimental Results

• Control group: emails from an unknown fictitious person using an IU email address.

• Social group: emails from a known friend.

• Social networking plays a critical role!


Experimental results (Cont.)

• Temporal distribution


Experimental results (Cont.)

• Response dynamics: Distributions of repeat authentications and refreshes of authenticated users. (victims who successfully authenticated were shown a fake message indicating the server was overloaded and asking them to try again later)


Experimental results (Cont.)

• Gender effect


Experimental results (Cont.)

• Demographic effect

1. Success rate of phishing attack by target class.

T-test: Differences in success rates are significant for all classes (p <= 0.01)

2. Success rate of phishing attack by target major.

T-test: Differences in success rates are significant for all majors (p <= 0.02)


Conclusion

Social Network information is valuable to miscreants because it allows them to leverage the trust people have built with their friends.

Social-network-aware phishing attacks are significantly more successful than attacks from untrusted sources.


How could this relate to our proj.?

• Motivation: Make as many friends on Facebook as you can (so that we can harvest information).

• Method: Automatically send friend requests to Facebook users and solicit their confirmation.

• How long do we need to send all requests?

Facebook: millions of users; let’s suppose there are 175,000,000 (after survey)

Automatic request sending: 10s per request

Approximately: 486111 hours, 20254 days, 55 years (of course, we can parallelize), however, …


Cont.

• How long do we need to receive?

I send requests to 10 of my friends (very good friendship)

2 of them accept my invitation that day, 3 within a week, 2 within two weeks, 1 after a month, 2 not yet

Why does this happen, and what lessons can we learn from this for our proj.?

• Thinking

Is our project too random to be controlled?

Can we use a different angle to deal with our proj.?

By assimilating the methodologies in these two papers, for example, instead of befriending as many as we can, we study how different kinds of people deal with different kinds of friend invitations, including temporal, geographical, gender, demographic, etc.

Similar, but the problems are orthogonal