Leyla Bilge
ABSTRACT
Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week. Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts and to keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The first attack we present is the automated identity theft of existing user profiles and sending of friend requests to the contacts of the cloned victim. The hope, from the attacker's point of view, is that the contacted users simply trust and accept the friend request. By establishing a friendship relationship with the contacts of a victim, the attacker is able to access the sensitive personal information provided by them. In the second, more advanced attack we present, we show that it is effective and feasible to launch an automated, cross-site profile cloning attack. In this attack, we are able to automatically create a forged profile in a network where the victim is not registered yet and contact the victim's friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.
- Modeling and Preventing Phishing Attacks. http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf, 2005.Google Scholar
- Spear phishing: Highly targeted phishing scams. http://www.microsoft.com/protect/yourself/phishing/spear.mspx, 2006.Google Scholar
- CERT Advisory CA-2000-04 Love Letter Worm. http://www.cert.org/advisories/CA-2000-04.html, 2008.Google Scholar
- Facebook. http://www.facebook.com, 2008.Google Scholar
- Facebook by the Numbers. http://www.fastcompany.com/magazine/115/open_features-hacker-dropout-ceo-facebook-numbers.html, 2008.Google Scholar
- LinkedIn. http://www.linkedin.com, 2008.Google Scholar
- MeinVerzeichnis -- MeinVZ. http://www.meinvz.net/,2008.Google Scholar
- MySpace. http://www.myspace.com, 2008.Google Scholar
- New MySpace and Facebook Worm Target Social Networks. http://www.darknet.org.uk/2008/08/new-myspace-and-facebook-worm-target-social-networks, 2008.Google Scholar
- Sophos Facebook ID Probe.http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html, 2008.Google Scholar
- StudiVerzeichnis -- StudVZ. http://www.studivz.net, 2008.Google Scholar
- The Spamhaus Project. http://www.spamhaus.org/, 2008.Google Scholar
- Xing -- Global Networking for Professionals. http://www.xing.com, 2008.Google Scholar
- S. D. Berkowitz. An Introduction to Structural Analysis: The Network Approach to Social Research. Butterworth, Toronto, ISBN 0409813621, 1982.Google Scholar
- S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah. Gossip algorithms: Design, analysis and applications. In IEEE INFOCOM, 2005.Google ScholarCross Ref
- Carnegie Mellon University. The CAPTCHA Project. http://www.captcha.net.Google Scholar
- J. R. Douceur. The Sybil Attack. In Electronic Proceedings for the 1st International Workshop on Peer-to-Peer Systems (IPTPS '02), March 2002. Google ScholarDigital Library
- A. D. Flaxman. Expansion and lack thereof in randomly perturbed graphs. Manuscript under submission, 2006.Google Scholar
- ImageMagick. Introduction to ImageMagick. http://www.imagemagick.org/script/index.php.Google Scholar
- T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Commun. ACM, 50(10):94--100, 2007. Google ScholarDigital Library
- C. Karlberger, G. Bayler, C. Kruegel, and E. Kirda. Exploiting Redundancy in Natural Language to Penetrate Bayesian Spam Filters. In First USENIX Workshop on Oýensive Technologies (WOOT '07), Boston, MA, August 2007. Google ScholarDigital Library
- kloover.com. Breaking the ASP Security Image Generator. http://www.kloover.com/2008/02/28/breaking-the-asp-security-image-generator/.Google Scholar
- V. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Doklady Physics, 10(8):707--710, 1966.Google Scholar
- S. Mori, C. Y. Suen, and K. Yamamoto. Historical review of OCR research and development. Document image analysis, pages 244--273, 1995. Google ScholarDigital Library
- S. Moyer and N. Hamiel. Satan is on My Friends List: Attacking Social Networks. http://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html, 2008.Google Scholar
- PWNtcha. PWNtcha -- captcha decoder. http://sam.zoy.org/pwntcha/.Google Scholar
- Tesseract. Tesseract OCR. http://sourceforge.net/projects/tesseract-ocr.Google Scholar
- L. von Ahn, B. Maurer, C. McMillen, D. Abraham, and M. Blum. reCAPTCHA: Human-Based Character Recognition via Web Security Measures. Science, September 2008.Google Scholar
- H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. SybilGuard: Defending Against Sybil Attacks via Social Networks. 2006.Google Scholar
- H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. SybilLimit: A Near-Optimal Social Network Defense against Sybil Attacks. In IEEE Symposium on Security and Privacy, 2008. Google ScholarDigital Library
Index Terms
- All your contacts are belong to us: automated identity theft attacks on social networks
Recommendations
All your face are belong to us: breaking Facebook's social authentication
ACSAC '12: Proceedings of the 28th Annual Computer Security Applications ConferenceTwo-factor authentication is widely used by high-value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which ...
Analysis of a social engineering threat to information security exacerbated by vulnerabilities exposed through the inherent nature of social networking websites
InfoSecCD '09: 2009 Information Security Curriculum Development ConferenceSocial engineering is defined as "a process in which an attacker attempts to acquire information about your network and system by social means." Social networking websites are those where one person creates a message and presents it to an audience, ...
Enhancing and identifying cloning attacks in online social networks
ICUIMC '13: Proceedings of the 7th International Conference on Ubiquitous Information Management and CommunicationRecently Online Social Networks (OSNs) are enjoying a continuous boom, while suffering from omnifarious malicious attacks. Cloning attack is one of the attack patterns towards online social networks, where typically the attacker disguises fake accounts ...
Comments