Social Networks - Safe or a Trap? Case Study.

Discussion in 'Ethical hacking Tips' started by indiansword, Mar 5, 2010.

  1. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net

    Introduction

    These days Social Networks are not just a way to find your friends & stay connected. Nowadays they've become an important marketing tool for all the people who maintain blogs, websites, forums etc. If you are a user who has been on Social Networks for a long time, I am sure you'd say that Social Networks aren't for people anymore, they are for spammers! I have been analyzing a few Social Networks in the last few weeks as part of a project I was working on. RESULTS WERE SHATTERING! In this article I am going to talk about some points which would make you look at Social Networks in a different way!

    A Little About the Case I Was Working On:

    I was assigned a case by one of my friends who works with Mumbai Cyber Cell, which is basically the Internet Cops, but unfortunately they are not equipped and knowledgeable enough to solve some high-profile thefts & scams. There was this lady who was the wife of a big Business Tycoon in Mumbai. I cannot disclose specific names due to confidentiality. So this lady's Facebook account was hacked. She had about 800 friends in her account, most of them were millionaires & the rest were business friends. So the attacker who broke into the account sent messages to all her friends saying "Help me help the poor, send your donations via MoneyGram OR Western Union". Almost 7 lakh (700,000 rupees) were stolen in the name of donations in just 5 days & this lady didn't have a clue what was going on.

    Until one day one of her friends was talking to her on her cell phone and asked her what had happened to the charity and how it was going; that's when she got to know what was going around. Recovering the money was taken care of by the local cops, but the task of understanding how it could have happened was assigned to me.

    My Steps

    1. Trojans, keyloggers, malware?

      First of all I had to understand if it was a hack of the victim's computer directly OR just specific to the Facebook account. I had a chance to analyse the HDD of the victim & after checking the HDD and registry strings, it seemed that there was no infection by malware, trojans, keyloggers etc. Neither was there any network spoofing done remotely. So it was clear that the BOX wasn't hacked & the hack was specific to the Facebook account.

    2. 0days & exploits for Facebook?

      Later on, I was given access to the Facebook account. I started my work by searching for any latest 0days found for Facebook, because in most such cases attackers use 0days which are not patched on the websites. Surprisingly, at that time there were no 0days released. All available exploits were already fixed.

    3. Phishing?

      The victim was a novice computer user. So I asked her whether she remembered something where she was asked to confirm her username & password before she could view the next Facebook page. But she said that she hadn't used Facebook in the last few days and couldn't think of any such thing happening. I had to assume that it wasn't a phishing attack, as it was difficult to make the victim understand phishing. Also, she confirmed that there wasn't any other account with the same password as Facebook.

    4. Something new in Facebook?

      Since there wasn't any known attack on her, it was getting difficult to identify the cause. I started analysing her Facebook usage patterns. It turns out that most of the time she would be playing games and other stuff using Facebook applications. There were about 5 applications installed in her Facebook account.

    5. Inside Facebook applications:

      After some research & talking to a few friends who had developed applications for Facebook in the past, it was easy to understand that most of the applications are designed by an individual or a team of individuals who are not really concerned with the security issues that might occur. Since there were only 4 applications listed in her profile, it was not really tough to go through them one by one. SURPRISINGLY, each of them had one or another vulnerability.

    BULL'S EYE!:

    Ultimately, after going through each and every application, I got to know that the method that was used is known as a "REDIRECTION VULNERABILITY". In this vulnerability the actual website, i.e. facebook.com, redirects the user to that application. But an attacker can modify the URL and redirect the user wherever he wants. A tutorial about the redirection vulnerability is posted HERE.

    So there is this application called "Quel endroit le plus absurde serait parfais pour vos debats sexuels" (French: "What would be the most absurd place for your sexual debates"). Using this redirection vulnerability, the victim was sent to a COOKIE STEALING PAGE, which sent the cookie to the attacker & afterwards the victim was redirected back to Facebook. So it is understandable that novice users would not even understand what exactly happened. Using these cookies, the attacker used to log in to the account and talk to the victim's friends about charity! AND MY JOB IS DONE :).

    Should we use Social Networks or not?

    After completing this task, it made me think how safe it is for people to use Social Networks. Forget about the spammers & marketing people, I am talking about all the legit and novice people who just use it to talk to friends. The SURPRISING thing was, 4 out of 4 applications that I tested turned out to have some or other vulnerability in them.

    So after working on it, I can recommend the following to everyone who is reading this:

    "Use social networks, there is nothing wrong with them. These social networks are big companies & they have a dedicated team for security. So there are not many things that a hacker could take advantage of. BUT, the applications in them are made by starters, individuals & small-timers. These application developers do not really care about security; all they want is people to use the application so they can put some advertisements on it and make some bucks out of it. They are really never concerned about the consequences. The amazing part is, Facebook even allows all the applications to be released before testing them to its own satisfaction."

    I hope you all found this article interesting. If yes, then comments and questions are welcome! I worked really hard on this case for about 3 weeks. Ultimately, I was mentally satisfied with what I had done. This attack proves that hacking attacks differ for every hacker :). I have listed the detailed information about this vulnerability HERE.

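    The redirection weakness the post describes (the site forwards the user to whatever destination a URL parameter names, so an attacker rewrites the parameter to point at a cookie-stealing page) comes down to one missing check on the redirect target. The example below is added here and is not code from the original post or from Facebook; the host names and the base URL are assumed. It places the trusting version of the redirect handler next to a hardened one that only follows HTTPS destinations on an allowed host, and refuses the usual tricks for sneaking a foreign host past a naive check: a protocol-relative "//evil" target, credentials in the authority ("https://good-host@evil"), a javascript: scheme, and backslashes that browsers may treat as slashes.

```python
"""Open-redirect check: the trusting redirect handler beside a hardened one.

Added example, not code from the thread. Host names are assumed.
"""
from urllib.parse import urljoin, urlparse

# Assumed: the only hosts this site is willing to send a user to.
ALLOWED_HOSTS = {"example-social.test", "apps.example-social.test"}
SITE_BASE = "https://example-social.test/"


def redirect_target_unsafe(next_param: str) -> str:
    """The vulnerable pattern: the user is sent wherever ?next= says.

    A link such as ...?next=//evil.test/steal.php lands on the attacker's page.
    """
    return next_param


def redirect_target_safe(next_param: str, base: str = SITE_BASE) -> str:
    """Return a destination that is guaranteed to stay on an allowed host.

    Every failed check falls back to the site root rather than raising, so a
    tampered link degrades into a harmless page load instead of a redirect.
    """
    # Browsers treat a backslash like a slash in many positions, so "/\\evil.test"
    # can become the protocol-relative "//evil.test". Refuse it before parsing.
    if "\\" in next_param:
        return base

    # Resolve relative paths against our own origin, then inspect the result.
    resolved = urljoin(base, next_param)
    parts = urlparse(resolved)

    # Only https: this rejects javascript:, data: and plain-http downgrades.
    if parts.scheme != "https":
        return base

    # "https://example-social.test@evil.test/" parses with username
    # "example-social.test" and host "evil.test"; reject any userinfo at all.
    if parts.username is not None or parts.password is not None:
        return base

    # .hostname is lower-cased and stripped of port and userinfo, so an exact
    # set lookup also rejects look-alikes such as example-social.test.evil.test.
    if parts.hostname not in ALLOWED_HOSTS:
        return base

    return resolved


if __name__ == "__main__":
    # Constructed sample parameters, the kind an attacker would mail to a victim.
    for candidate in (
        "/apps/game?id=5",
        "https://apps.example-social.test/game",
        "//evil.test/steal.php",
        "https://example-social.test@evil.test/",
        "javascript:alert(document.cookie)",
        "/\\evil.test",
    ):
        print(f"{candidate!r:48} unsafe -> {redirect_target_unsafe(candidate)!r:48} "
              f"safe -> {redirect_target_safe(candidate)!r}")
```

The allow-list is deliberately an exact set match rather than a suffix test such as `endswith("example-social.test")`, because the latter is satisfied by `example-social.test.evil.test`. The other half of the defence mentioned in the post is on the cookie side: a session cookie marked HttpOnly cannot be read by the script on the attacker's page, so even a successful redirect yields nothing to steal.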
  2. Bhullarz

    Bhullarz New Member

    Occupation:
    System Manager
    Home Page:
    http://www.tutors161.com
    Good one. But I must say social networking is like a knife. It can be useful as well as harmful.
    I am also a great fan of social networking... it's a great thing for people like me who cannot move out of the office to see my friends. Just sitting in my office / home, I am able to share my pics, videos, thoughts, etc. with my friends. It makes me feel like I am there with my friends. It's really nice to be part of a social network. Just a little careful usage can protect anyone from the damage.
    1. Do not use public computers
    2. For passwords, use Virtual Keyboards
    3. Try to use HTTPS protocol for login, if possible
    4. Install PAID Security System for Computers
    5. Do not share passwords with anyone.
    6. Before responding to mail from social networking site, confirm the Correct URL in ADDRESS BAR.

    I think these precautions are enough for being safe on our side. If the website itself is hacked, then we cannot do anything..

  3. hanleyhansen

    hanleyhansen New Member

    Occupation:
    Drupal Developer/LAMP Developer
    Location:
    Clifton
    Home Page:
    http://www.hanseninfotech.com
    This is very good info. I encountered a few applications on Facebook as well with some vulnerabilities. In the end I think it all comes down to the brains of the user. The more you protect yourself, the less likely you are to fall for something like this. Good stuff.

  4. hanleyhansen

    hanleyhansen New Member

    Occupation:
    Drupal Developer/LAMP Developer
    Location:
    Clifton
    Home Page:
    http://www.hanseninfotech.com
    The SecWorm forum looks pretty cool. Tell me a little about it.
     
  5. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    I don't think giving info here would be appropriate lol. Be in the community to know more about it.

  6. hanleyhansen

    hanleyhansen New Member

    Occupation:
    Drupal Developer/LAMP Developer
    Location:
    Clifton
    Home Page:
    http://www.hanseninfotech.com
    Lol. I mean what's it about, like its primary focus.

  7. fourthdimension

    fourthdimension New Member

    Home Page:
    http://www.easygeek.org
    Nice case study.
     
  8. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    SecWorm Network is a place where a bunch of us Professional Security Experts release programming and ethical hacking articles, tutorials, tools, videos etc. for hacking awareness.

  9. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    Lol, sorry guys, a lot of TYPOs in the article that I just noticed.

  10. Toddie

    Toddie New Member

    great article and well written.

    I have always known that third-party applications (on forums too) are the most vulnerable to exploits, for the obvious reasons that the main developer is not working with the third-party vendor and updates are few and far between.

    my biggest concern with social networking sites is BIG BROTHER.
    you are being profiled, categorized and, in a nutshell, spied on.

    EDIT: 2 months and that facebook exploit is still not fixed hahaha
    they do not have to touch the application itself, it is an xss vulnerability via url and they could put a filter on that

    p.s. what kind of idiot tricks people into sending money to his account?
    the kind that gets caught. never leave a trail!

    it is nearly impossible to steal money via hacking because you have to withdraw it at some point and that's traceable.
    I can't believe someone actually tried this.

    Last edited: Mar 9, 2010
  11. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    Earning money via hacking is not as tough as you are thinking. You said that somehow they will understand who withdrew the money, BUT ACTUALLY, in one other case that I worked on, the hacker made a DUMMY DRIVING LICENSE. This license was basically a fake in some other guy's name. Now, this hacker gets money from the victims using Western Union under this fake name and collects it in cash using this driving license as his identity proof. :)

  12. Toddie

    Toddie New Member

    yes, I am aware of this and I know someone who can make a fake license, however it is still sophisticated and difficult enough to not be worth the time, money and effort.

    you can get caught using a fake id as well because you have to use it in person. it is not anonymous if you have to present it in person.

    the only way it would be feasible is if you used a new fake id for each transaction. this is definitely not worth it.

    because you use it once and someone reports it, and you can get caught in a police sting from using it again. and with today's technology you can be identified from the picture on the license just by running it through a scanner. and you would have to put your real picture on the license to make it useful.

    what's the max amount you can get from one transaction from Western Union? is it worth it?

  13. shabbir

    shabbir Administrator Staff Member

    In cash you can collect from Western Union close to 1100 USD or <50k INR.

  14. nimesh

    nimesh New Member

    Occupation:
    Oracle Apps Admin
    Location:
    Mumbai
    Home Page:
    http://techiethakkar.blogspot.com
    nice article indiansword
    thanks for sharing your experiences and making us aware of such things :D

  15. indiansword

    indiansword Security Expert

    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    thanks man, glad you liked it.

  17. rajseo

    rajseo Banned

    Nice information indeed.

  18. carlmccaine

    carlmccaine New Member

    Home Page:
    http://www.nestentertainment.com
    Thank you for that stunningly insightful post. I'm glad to be part of this forum because I'm learning from the members here; this is going to be a big help on my part. Thanks.

  20. Prateek.sem

    Prateek.sem New Member

    Social networking is a nice way to communicate with friends and relatives...
    but it doesn't mean that we should get addicted to it.. like I have seen my friends, they all sit at their PCs for hours just to check their scraps and messages on Facebook.

    The Internet is like a superpower: it can make a smart guy super-smart & can make a fool a super-fool.