Bsides Sanders/Allen
Transcript of Bsides Sanders/Allen
![Page 1: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/1.jpg)
A measure of human susceptibility
Zack Allen, Security/Research Engineer, ZeroFOX
Chaim Sanders, Security Consultant, Cigital
![Page 2: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/2.jpg)
Overview
Disclaimer
Motivation
Background
Infrastructure & Process
Results/Forecast
![Page 3: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/3.jpg)
Disclaimer
The views, opinions and research expressed in this presentation are those of the authors and do not reflect the official policy or position of their employers
![Page 4: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/4.jpg)
![Page 5: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/5.jpg)
Motivation
![Page 6: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/6.jpg)
Motivation
![Page 7: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/7.jpg)
Background
From 2008 to 2013.. [1]

| Network  | 2008              | 2013           |
|----------|-------------------|----------------|
| LinkedIn | 33 million        | 225 million    |
| Twitter  | 6 million         | 232 million    |
| Facebook | 100 million users | Over 1 billion |
![Page 8: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/8.jpg)
Background
Data breaches 2012-2013
- LinkedIn [2]: 8 million passwords leaked, no salt
- Twitter [3]: 250k user accounts hacked, 'Not the work of amateurs'
- Facebook [4]: 318,000 stolen creds; virus capturing login info via keylogger, C&C in the Netherlands
![Page 9: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/9.jpg)
Background
What to tell your boss/employees/family to resolve social media attacks? Block Facebook, Twitter, LinkedIn?
![Page 10: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/10.jpg)
Background
Social Media – 2014 is here, let's get with the times
- LinkedIn study [5]: 1,000 small to medium businesses ($1 mil to $50 mil) interviewed, asked questions on the impact of social media on their business
- Results:
  - 81% use social media to drive growth
  - 9% are looking into using it in the near future
  - 94% use social media as a social marketing tool
  - 49% for educational purposes
![Page 11: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/11.jpg)
Background
Using social media does open you up to some pretty ridiculous attacks
![Page 12: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/12.jpg)
Background
Focus on Twitter: 2 types of attacks: waterhole, phishing
- Mediums: hashtags, DM, direct tweets, retweets, external link via link shortener (bitly, goo.gl)
- Best way to do it?
  - Assumption: Vladimir the Russian Cyber Criminal automates his Twitter bots via an app
  - Assumption: Vladimir keeps it sexy.. he uses sexy girls and guys that post racy tweets to get people to connect to his website that dishes out the latest Java exploit kit
![Page 13: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/13.jpg)
Background
![Page 14: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/14.jpg)
Background
![Page 15: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/15.jpg)
Background
Sex sells!
- 0 followers
- Automated tweets targeting: #sex #porn etc
- Bit.ly links
- Some stats.. 51k clicks as of 2 April; 1.2m clicks total to website Smokinbabe56.vielo.com
![Page 16: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/16.jpg)
Background
Project 'Flock'
- Get users to flock to our own webserver
- Use sexy profiles, link shorteners and bots to distribute our URL
- Mask the hashtag attacks by tweeting at random intervals throughout the day
- Once they connect: record geolocation, machine details; redirect to Twitter
- Campaigns: issue command to bot head via IRC C&C with a URL to shorten to start a series of tweets; pull top N trends, hashtag them with shortened link
- Results: identify most successful profiles, tweets, links; help defend against them
![Page 17: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/17.jpg)
Prepping Twitter – Don't get banned!
- Twitter ToS – 'Following rules and best practices': "We do not monitor the amount of people that follow you. We do monitor how aggressively users follow other users" ('Aggressive Following')
- Tweets: follow a human schedule, build a rapport with Twitter – randomize!
- Legitimacy: profile picture, email address
![Page 18: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/18.jpg)
Build Twitter Profile - < min
![Page 19: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/19.jpg)
Build your botnet – non-attribution
![Page 20: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/20.jpg)
![Page 21: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/21.jpg)
Twitter falloff
It turns out people only like shiny new things. We need more than one tweet.
![Page 22: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/22.jpg)
Collecting Data
- Wouldn't it be nice to use Google Analytics? Well yes… but that'd be bad
- Why not open source? Piwik: easily extensible, already does detection of frameworks
- Make sure to get the GeoIP pack
![Page 23: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/23.jpg)
Infrastructure
- Dell PowerEdge 9200; proper firewall, clean Apache 2.4.9, mod_security
- How do you secure a malicious page? Look at examples? Leaked Zeus source… not well. KISS – keep it simple, stupid
- It crashed, the problem with traveling… AWS… put it in the cloud, man
![Page 24: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/24.jpg)
What's our website?

```php
<script>
// jQuery assumed loaded; redirect only after the Piwik pixel (#check) has loaded, so the hit is recorded first
$( document ).ready(function() {
  $("#check").on("load", function() {
    // target comes from ?redirect=; json_encode emits it as a properly quoted JS string literal
    window.location.href = <?php echo json_encode(isset($_GET['redirect']) ? $_GET['redirect'] : ''); ?>;
  });
});
</script>
<img id="check" src="http://ec2-54-81-73-176.compute-1.amazonaws.com/piwik/piwik.php?idsite=2&rec=1" style="border:0" alt="" />
```
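The landing page takes its redirect target straight from the query string, so any link can point the page somewhere other than Twitter, and an unquoted value lands inside a JavaScript string. As an added example (not the authors' code), this is the validation a hardened version of that page would apply, written in Python so it runs offline; the allowlist, the fallback URL and the function names are assumptions.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist: the slides' page only ever needs to send visitors back to Twitter.
ALLOWED_REDIRECT_HOSTS = {"twitter.com", "www.twitter.com"}
FALLBACK_URL = "https://twitter.com/"


def safe_redirect_target(raw: Optional[str], allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> str:
    """Return raw only if it is an absolute http(s) URL whose host is allowlisted, else FALLBACK_URL.

    Rejects what an unchecked $_GET['redirect'] would accept: javascript: URIs, other domains,
    protocol-relative //host paths, userinfo tricks like https://twitter.com@evil.example, empty values.
    """
    if not raw:
        return FALLBACK_URL
    try:
        parts = urlparse(raw)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return FALLBACK_URL
    if parts.scheme not in ("http", "https"):
        return FALLBACK_URL
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if host is None or host not in allowed_hosts:
        return FALLBACK_URL
    return raw


def redirect_snippet(raw: Optional[str]) -> str:
    """Render the JS assignment with the target JSON-encoded, so quotes, newlines and </script>
    inside the value stay inside the string literal instead of ending it."""
    target = safe_redirect_target(raw)
    encoded = json.dumps(target).replace("</", "<\\/")  # keep </script> from closing the script block
    return "window.location.href = " + encoded + ";"
```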
![Page 25: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/25.jpg)
Let's take a look at Piwik
![Page 26: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/26.jpg)
Results
- Who clicks on links?
- Browser distribution: Twitter has a rather smart browser base; not too many IE 6's in there
- We can to some extent detect many crawlers of Twitter based on their hosting provider… Who uses EC2 to browse?
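Separating crawler hits (link-preview fetchers, and browsers running out of hosting providers like EC2) from real clicks is what makes the browser distribution meaningful. As an added example, not the authors' tooling, here is that split run over Apache combined-format log lines; the log lines, the IP-to-reverse-DNS table and the crawler patterns are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log format (the slides' box is a clean Apache 2.4 behind mod_security).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# UA tokens of link-preview fetchers and crawlers that hit a URL within seconds of it being tweeted.
CRAWLER_UA = re.compile(r"Twitterbot|facebookexternalhit|bitlybot|Googlebot|bingbot", re.I)
# Reverse-DNS names owned by hosting providers: "who uses ec2 to browse?"
HOSTING_PTR = re.compile(r"\.(compute(-\d+)?\.amazonaws\.com|googleusercontent\.com)$", re.I)
# Crude browser families, most specific first (a Chrome UA also contains "Safari/").
BROWSERS = [("IE6", r"MSIE 6\."), ("IE", r"MSIE "), ("Chrome", r"Chrome/"),
            ("Firefox", r"Firefox/"), ("Safari", r"Safari/")]

def classify(line, ptr):
    """'crawler-ua', 'crawler-hosting' or 'human' for one log line; None if it does not parse.
    ptr maps client IP -> reverse-DNS name (in production: gethostbyaddr or HostnameLookups On)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if CRAWLER_UA.search(m["ua"]):
        return "crawler-ua"
    if HOSTING_PTR.search(ptr.get(m["ip"], "")):
        return "crawler-hosting"
    return "human"

def browser_family(ua):
    return next((name for name, rx in BROWSERS if re.search(rx, ua)), "other")

def summarize(lines, ptr):
    """Count humans vs. crawlers, and tally the browser mix of the human clicks only."""
    verdicts, browsers = Counter(), Counter()
    for line in lines:
        v = classify(line, ptr)
        if v is None:
            continue
        verdicts[v] += 1
        if v == "human":
            browsers[browser_family(LOG_RE.match(line)["ua"])] += 1
    return {"verdicts": verdicts, "browsers": browsers}

# Constructed sample: documentation IP ranges, made-up PTR names, realistic UA strings.
SAMPLE_PTR = {"203.0.113.10": "pool-203-0-113-10.example-isp.net",
              "198.51.100.7": "ec2-198-51-100-7.compute-1.amazonaws.com"}
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Apr/2014:14:03:11 -0400] "GET /?redirect=https://twitter.com/ HTTP/1.1" 200 512 "https://t.co/x" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"',
    '198.51.100.7 - - [02/Apr/2014:14:03:11 -0400] "GET /?redirect=https://twitter.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36"',
    '192.0.2.33 - - [02/Apr/2014:14:03:12 -0400] "GET /?redirect=https://twitter.com/ HTTP/1.1" 200 512 "-" "Twitterbot/1.0"',
    '203.0.113.44 - - [02/Apr/2014:14:05:40 -0400] "GET /?redirect=https://twitter.com/ HTTP/1.1" 200 512 "https://t.co/y" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]
```

`summarize(SAMPLE_LOG, SAMPLE_PTR)` reports two human clicks (one Safari on iPhone, one IE6), one preview fetcher caught by its user agent and one "browser" on EC2 caught by its reverse DNS.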
![Page 27: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/27.jpg)
So it's phishing…
- How effective was our phishing… eh… Compared to a Nigerian prince… better. It is fairly anonymous and hard for victims to identify
- But what about more direct phishing? The social network equivalent of spear phishing: hashtag hijacks, DM
- Targeted hashtags: #Mcafee #secchat #Thevoice #yourcompanyhere
![Page 28: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/28.jpg)
Next steps
- Facebook: just steal a video from reddit, 47 visits in an hour
- MORE BOTS! Hundreds under one app, multiple apps
- Be more clever-er: automation of flock for specific campaigns, targeted, spray and pray
![Page 29: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/29.jpg)
Early Facebook Thoughts
- It seems that many more people will access links from Facebook via phones
- It's easy to coerce Facebook's preview page: it will always grab the first image, it will always take the title, it does not evaluate JavaScript (fortunately)
- It seems on Facebook that everyone will watch videos of girls. Or maybe my friends just roll that way
![Page 30: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/30.jpg)
More next steps
- Add more Twitter followers
- Cross advertise: advertise between Facebook, G+, LinkedIn, Twitter; see how big we can build it
- Try and discern metrics beyond just regional and effectiveness
![Page 31: Bsides Sanders/Allen](https://reader035.fdocuments.net/reader035/viewer/2022062405/554f4713b4c905423f8b49dd/html5/thumbnails/31.jpg)
Contact
- Zack: @teachemtechy, www.zerofox.com, www.github.com/zmallen
- Chaim: www.chaimsanders.com