All Your Contacts belong to us: Automated Identity theft on Social Networks
Authors: Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda
Rilinda Lamllari, IMSE-729
Social networks - SNs
• Social structure made up of nodes.
• Different nature of relationships between the nodes (friendship, ideas, visions, business relationships, etc.)
• Friendship-focused: Facebook, MySpace, StudiVZ, MeinVZ, etc.
• Business-focused: LinkedIn, XING, etc.
• Popularity attracts attackers' attention
Attacks in Social Networks
• Apply old ideas to the new technology (e-mail attachments that spread via the address book).
• Worms in SNs replicate themselves through the victim's friends list.
• Lack of scanning makes it easier for an attacker to send malicious apps and URLs to victims.
Why are SNs an attractive target?
• Sensitive information of registered users
• By attacking SNs, an attacker can: 1) gain access to e-mail addresses that belong to real people, 2) obtain information about the people using these addresses
• Spear phishing: targeted social engineering attacks
• Lower chance of being caught by spam filters
Authors investigate two types of attacks:
• Automated crawling and identity theft of existing user profiles
• Cross-site profiling attack
Main focus
• Show that it is feasible to launch automated attacks against 5 SNs
• Room for improvement in CAPTCHAs
• Show that it is feasible in practice
• Suggestions on how SNs can improve security
iCloner (2)
• Crawler: able to crawl StudiVZ, MeinVZ, Facebook and XING; collects information on public users and user lists
• Identity matcher: tries to identify profiles in different SNs that correspond to the same person
iCloner (3)
• Profile creator: uses the information produced by the Identity Matcher
• Message sender: logs in and sends friend requests
• CAPTCHA analyzer: techniques designed to break CAPTCHAs with a certain success rate
Breaking CAPTCHAs
• Completely Automated Public Turing test to tell Computers and Humans Apart
• Recognize text in the presence of noise
• The techniques: open-source tools (ImageMagick) + custom-developed scripts
Facebook vs MeinVZ and StudiVZ
• Two words vs. a fixed-length single word
• Facebook reCAPTCHA contains meaningful words
1st attack: Profile cloning
• Clone an already existing profile
• Send friend requests to the contacts of the victim
• Access sensitive information of the contacts
2nd attack: Cross-site profile cloning
• Automatically identify users who are registered in one SN but not in another
• Forge the profile in the SN where the user is not registered
• Works between SNs of the same nature (XING and LinkedIn)
How to identify users on two different SNs?
• Based on name alone: too many search results
• Same educational background: 2 points
• Identical companies they are working for: 2 points
• Same city and country: 1 point
• Match if total points >= 3
How to determine if the information entered is the same? e.g. "TU Wien" and "Vienna University of Technology" name the same institution
Evaluation
• Large-scale attacks on a large number of real users would have legal consequences
• Started with the crawler on two SNs
• Profile cloning attacks (more than 700 users)
• Launched cross-site profile cloning
Crawling experiments: StudiVZ and MeinVZ
• Each crawler instance requested and parsed 6,000 web pages/day
• Collected information on 40,000 profiles/day
• Stopped at 5 million public user profiles; 1.2 million profiles with complete information
Crawling experiments: XING
• No CAPTCHA protection, but more efficient at disabling suspicious accounts
• Crawled 2,000 profiles per account created
• Total of 118,000 profiles
Profile Cloning
• D1..D5: duplicated profiles
• 705 users were contacted after sending them requests
• For each forged profile, one fictitious profile (random names and pictures)
Possible to launch large-scale attacks
• 45% of the links were clicked during the first 20 hours
Cross-site profile cloning
• A profile P in source network N1 is chosen to be cloned in N2 if:
• P has no profile in N2
• A reasonable number of P's contacts have profiles in the target social network N2
• N1: XING; N2: LinkedIn
• They crawled 30,000 profiles; 12% were also on LinkedIn
• Out of 78 contact requests, 56% were accepted
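The points-based matching from the "How to identify users on two different SNs?" slide and the selection rule above, as an added Python example that is not the paper's iCloner code; the alias table, the sample profiles and the contact threshold of 2 are constructed assumptions. A defender can run the same logic over its own user base to list users who are absent from a peer network but reachable through contacts there.

```python
# Added example (not the paper's iCloner code): the slides' cross-site matching score
# (education 2, employer 2, city+country 1, same person at >= 3) and the cloning exposure rule.
from dataclasses import dataclass, field

ALIASES = {"tu wien": "vienna university of technology", "wien": "vienna"}  # constructed; the slides' TU Wien example

def normalize(value: str) -> str:
    key = " ".join(value.lower().split())  # lower-case, collapse whitespace
    return ALIASES.get(key, key)           # then map known aliases to one canonical form

@dataclass
class Profile:
    name: str
    education: set
    companies: set
    city: str
    country: str
    contacts: list = field(default_factory=list)  # Profile objects on the same network

def match_score(a: Profile, b: Profile) -> int:
    """Points scheme from the slides; the name is only used to pre-filter candidates."""
    score = 0
    if {normalize(e) for e in a.education} & {normalize(e) for e in b.education}:
        score += 2
    if {normalize(c) for c in a.companies} & {normalize(c) for c in b.companies}:
        score += 2
    if normalize(a.city) == normalize(b.city) and normalize(a.country) == normalize(b.country):
        score += 1
    return score

def find_matches(p: Profile, target: list, threshold: int = 3) -> list:
    """Name search alone returns too many hits (slides), so the score decides."""
    same_name = [q for q in target if normalize(q.name) == normalize(p.name)]
    return [q for q in same_name if match_score(p, q) >= threshold]

def exposed_to_cross_site_cloning(p: Profile, target: list, min_contacts: int = 2) -> bool:
    """No profile of p in the target network, but enough of p's contacts are there.
    The slides say 'reasonable number'; min_contacts=2 is this example's assumption."""
    if find_matches(p, target):
        return False
    return sum(1 for c in p.contacts if find_matches(c, target)) >= min_contacts

# Constructed sample data: N1 plays the role of XING, N2 of LinkedIn.
alice_n2 = Profile("Alice Example", {"Vienna University of Technology"}, {"ExampleCorp"}, "Vienna", "Austria")
alice_other = Profile("Alice Example", {"Other University"}, {"OtherCorp"}, "Berlin", "Germany")
bob_n2 = Profile("Bob Example", set(), {"ExampleCorp"}, "Vienna", "Austria")
TARGET_N2 = [alice_n2, alice_other, bob_n2]
alice_n1 = Profile("Alice Example", {"TU Wien"}, {"ExampleCorp"}, "Wien", "Austria")
bob_n1 = Profile("Bob Example", set(), {"ExampleCorp"}, "Vienna", "Austria")
carol_n1 = Profile("Carol Example", {"TU Wien"}, {"OtherCorp"}, "Graz", "Austria", [alice_n1, bob_n1])
```

Carol has no LinkedIn-side profile but two contacts who do, so she is flagged as exposed; the second "Alice Example" scores 0 and shows why the name alone is not enough.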
Suggestions for improvements in Social Network site security
• The user is the weakest link in SNs
• Provide more information on the authenticity of the request (IP, profile creation date)
• Make CAPTCHAs more difficult to break (overlapping symbols)
• Rate-limit the number of CAPTCHAs displayed to a user, with a threshold of a few images per minute
Related Work
• Previous cloning attacks were done manually. This is the first automated clone attack.
Conclusion
• The authors show how feasible it is for potential attackers to launch automated cloning attacks in the real world.
• The trust relationship is high in social networks.
• Need to increase awareness in order to preserve users' privacy.