Social Network Engineering
Social networks such as Myspace, LinkedIn, Facebook, Bebo, Xing and all the others are BIG business at the moment, all of them trying to be 'the one' that everyone must be seen on.
So, it isn't that surprising that the Bad Guys and Girls have started to take an interest in them, is it?
However, it isn't just Social Networking sites that they are interested in; they are also interested in Virtual Worlds and On-line Games, such as SecondLife and World of Warcraft, amongst others.
This post will cover some of the things the Bad Guys and Girls have so far tried in these areas, many of which may surprise users of these online communities, be they social networks, virtual worlds or on-line games.
Hands up all of you out there who use Facebook? Many, if not most of you, do use it... not that surprising. So, for you Facebook users out there, you need to be aware of something I've been expecting for some time on this network: malicious applications (Facebook applications or plugins).
This new application uses social engineering; in this case it uses the same techniques that proved to be so successful for the ILOVEYOU e-mail worm, these being curiosity and sex!
When installed, Secret Crush [Created by Secret Crush] will request that you invite five friends before you can see who has a secret crush on you. Needless to say, this is a form of viral marketing, and even if you comply and effectively infect five of your friends [who may shortly no longer be your friends], you still won't be shown who your secret crush is, because there was no secret crush; it was all a ploy to get you to install it.
You are directed to a Zango [previously known as 180Solutions] website to install Crush Calculator, which is a piece of Spyware! This means that Secret Crush is actually a Facebook Trojan Horse which uses social engineering.

If you think that this is a new phenomenon in social networking sites then you'd be mistaken. Myspace has had a number of malware adventures over the last year or so, with the Samy worm probably being the most successful.
SecondLife has also seen malicious virtual objects inserted into it; when users interact with them, these objects begin to replicate, impacting the performance of the system.
Instead of writing lots of fluff about these I'll just supply a number of links so that you can get more information about these threats when you have some time to spare.
Links:
Facebook:
- Nice write-up by Guillaume Lovet on the Secret Crush application http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
Myspace:
- http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html
- http://www.computerworld.com/securitytopics/security/holes/story/0,10801,105484,00.html
- http://www.f-secure.com/v-descs/js_quickspace_a.shtml
- http://www.f-secure.com/weblog/archives/00000930.html
SecondLife:
- http://www.technewsworld.com/story/viruses-malware/54384.html
- http://anti-virus-rants.blogspot.com/2006/10/second-lifes-grey-goo.html
- IBM's own Morton Swimmer also wrote a paper on the attacks that SecondLife has seen so far: http://www.virusbtn.com/conference/vb2007/abstracts/SwimmerHusemann.xml
World of Warcraft:
- http://www.f-secure.com/v-descs/wow.shtml
- http://www.theregister.co.uk/2006/05/08/wowcraft/
- http://www.theregister.co.uk/2007/09/11/online_games_hacking_trends/
The bottom line is that for the Bad Guys and Girls, this is not about being social, nor is this a game to them. They do not care if the systems or people they socially engineer to infect their avatars or their computer are in the real world or a virtual one; it is all about stealing information and property and making money [or friends], not virtual money but real hard cold currency...
Will 2008 become the year of the Social Network Engineer?