A vast majority of research focuses on automated and/or botnet exploits, which makes sense when considering the number of victims affected. However, a research team from Google and the University of California, San Diego chose a different path, looking at "manual account hacking." These exploits are rare -- fewer than nine incidents for every one million people who use Google daily. "However, the damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," the researchers mention in their paper Handcrafted fraud and extortion: Manual account hijacking in the wild. "These needle-in-a-haystack attacks are very challenging and represent an ongoing threat to internet users."
Types of account hijacking
To start, there are two types of account hijacks:
● Automated account hijacking: Attacks that try to compromise user accounts via botnets or spam networks. This attack uses automated tools, attempting to maximize the attacker's ROI by scamming a small amount of money from thousands of victims.
● Manual account hijacking: The bad guys hijack accounts looking for ways to steal money, ransom applications or data, leverage contact information for future attacks, or use sensitive personal data against the victim.
To explain the difference between automated exploits and manual attacks, the paper mentions, "Manual hijackers spend significant non-automated effort on profiling victims and maximizing the profit -- or damage -- they can extract from a single credential."
[Graph (image credit: Google) not reproduced here]
The graph depicts the relationship between the number of accounts hijacked and the "depth of exploitation." It seems we can be thankful that the more prevalent automated exploits are the less exploitative ones.
Steal email credentials and profile the victim
The first step is stealing a victim's account login information. The paper mentions the most sought-after account is email, followed by online financial accounts. For this discussion, the focus will be limited to email-account hijacking.
Once attackers have the login information, they decide quickly whether the account is worth further effort. The paper explains, "If the brief account value exploration yields promising results, the hijackers spend an additional 15 to 20 minutes per account sifting through emails, and finding ways to monetize the account." The hijackers are hoping to find emails holding financial or personal data they can use against the current victim, or that improve their chances of exploiting the victim's contacts by making a scam email that appears to come from the victim seem more realistic.
The profiling portion of the attack was of special interest to the researchers. They mention, "This systematic assessment phase and the fact that certain accounts are not exploited suggest that manual hijackers are 'professional' and follow a well-established playbook designed to maximize profits." The researchers offer more evidence that well-organized groups are behind manual account hijacks:
● The individuals seemed to work according to a tight daily schedule. They started around the same time every day, and had a synchronized, one-hour lunch break. They were inactive over the weekends.
● All individuals followed the same daily time table, defining when to process the gathered password lists, and how to divide time between ongoing scams and new victims.
● They were operating from different IPs, on different victims, and in parallel with each other, but the tools and utilities they used were the same. They also shared certain resources such as phone numbers.
This is more validation for experts who contend online-crime syndicates are run with business-like precision.
Exploiting the victim's contacts
Most individuals, at one time or another, have received an email where someone is in trouble and needs money. Almost at once the scam is dismissed because the email -- an automated account hijacking attempt -- makes little sense. However, manual account hijacks are different. Being non-automated, attackers can inject material to personalize the scam email. The research team mentions there is a distinct pattern to most of the scam emails. They all tend to have:
● A story with credible details to limit the victim's suspicion.
● Words or phrases that evoke sympathy and aim to persuade.
● An appearance of limited financial risk for the plea recipient, as financial requests are requests for a loan with concrete promises of speedy repayment.
● Language that discourages the plea recipient from trying to verify the story by contacting the victim through another means of communication, often through claims that the victim's phone was stolen.
● An untraceable, fast, and hard-to-revoke yet safe-looking money transfer mechanism.
Defense strategies
The research paper then describes what email providers can do to prevent manual account hijacking. Sadly, there are precious few certain user defenses other than second-factor authentication -- if it is available, use it. Two-factor authentication will thwart the bad guys, since a stolen password alone is no longer enough to log in.
An “ethical hacking enthusiast” from southern India is to receive a $12,500 bounty from Facebook after discovering a vulnerability which allowed him to delete any photo hosted on the social network.
Posting details of the discovery on his blog this week, Arul Kumar told how the bug was initially dismissed by the company, prompting him to make a step-by-step video showing the flaw in detail.
In the video he explained how he “exploited Mark Zuckerberg’s photo from his photo album”.
Kumar held off on actually deleting any images of the Facebook founder, but on receiving the video evidence the bug was accepted as fact by Facebook, with Kumar receiving a message from one of the company’s security team telling him, “I wish all bug reports had such a video”.
Rewarded
With the vulnerability fixed in recent days, it allowed the 21-year-old to reveal full details of his work and the $12,500 reward through his blog.
Vice president for security research with Trend Micro, Rik Ferguson, said some industrious ethical hackers may see finding such issues as a solid revenue stream, with other companies such as Microsoft, Google and PayPal offering similar rewards for finding glitches within their sites, services and products.
“And why not? It’s a lot of effort to find the defects and it’s only right then that people should be rewarded for those efforts as it’s helping whoever the defect affects to develop a better end product,” he said.
Ferguson told The Irish Times that “there was a big movement a few years ago of ‘no more free bugs’ as people were sick of not being rewarded for finding errors and vulnerabilities, and in response to that a lot of companies have begun these bounty programs.”
Security blogger and head of technology for the Asia Pacific region with Sophos, Paul Ducklin, noted that the reason Facebook paid Kumar “top dollar” by bounty standards (with many bounties starting at $500) was that “it’s not just deleting a photo, it’s something which could be used for malware”.
Ducklin noted that in the case of a company such as Microsoft some bounties can reach up to $100,000, depending on the complexity and importance of the flaw discovered. Ducklin added that the decision by Kumar to present his case by video was certainly of help to his case.
Vulnerability
“The bounty amounts vary by how hard it is yes, but also how well you present your case and by doing it through video it makes it much easier for them to fix it as they can see what exactly they have to do.”
Kumar’s methods of highlighting the bug were more successful than the recent efforts of Khalil Shreateh, an IT graduate from Palestine, who had discovered a vulnerability which allowed someone to post a message on a person’s Facebook timeline, even if they were not “friends” with that individual.
After becoming upset when an official Facebook response told him “this is not a bug”, Shreateh posted a message on Zuckerberg’s personal wall utilising the vulnerability in question.
However, as this violated the company’s terms for discovering bounties Shreateh found he would not be receiving any reward and instead saw his account temporarily suspended.
The German magazine Der Spiegel says the U.S. National Security Agency secretly monitored the U.N.’s internal video conferencing system by decrypting it last year.
The weekly said Sunday that documents it obtained from American leaker Edward Snowden show the NSA decoded the system at the UN’s headquarters in New York last summer.
Quoting leaked NSA documents, the article said the decryption “dramatically increased the data from video phone conferences and the ability to decode the data traffic.”
[Photo: Edward Snowden, who worked as a contract employee at the U.S. National Security Agency, in Hong Kong. AP Photo/The Guardian, File]
In three weeks, Der Spiegel said, the NSA increased the number of decrypted communications at the UN from 12 to 458.
Snowden’s leaks have exposed details of the United States’ global surveillance apparatus, sparking an international debate over the limits of American spying.
The U.S. government’s efforts to determine which highly classified materials the leaker took from the National Security Agency have been frustrated by Snowden’s sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded.
The government’s forensic investigation is wrestling with Snowden’s apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren’t authorized to discuss the sensitive developments publicly.
The disclosure undermines the Obama administration’s assurances to Congress and the public that the NSA surveillance programs can’t be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA’s own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
In July, nearly two months after Snowden’s earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.
[Photo: The National Security Agency (NSA) headquarters at Fort Meade, Maryland, as seen from the air, in this January 29, 2010 file photo. The NSA has said that it destroys all data it isn't supposed to see. SAUL LOEB/AFP/Getty Images]
NSA spokeswoman Vanee Vines told the AP that Alexander “had a sense of what documents and information had been taken,” but “he did not say the comprehensive investigation had been completed.” Vines would not say whether Snowden had found a way to view and download the documents he took without the NSA knowing.
In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.
“This program goes under careful audit,” Cole said. “Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you’re concerned about happening.”
The disclosure of Snowden’s hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.
It also helps explain the recent seizure in Britain of digital files belonging to David Miranda – the partner of Guardian journalist Glenn Greenwald – in an effort to help quantify Snowden’s leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.
[Photo: David Miranda (left), the Brazilian partner of Glenn Greenwald, a U.S. journalist with Britain's Guardian newspaper who worked with intelligence leaker Edward Snowden to expose US mass surveillance programmes, is pictured at Rio de Janeiro's Tom Jobim international airport upon his arrival on August 19, 2013. British authorities faced a furore after they held Miranda for almost nine hours under anti-terror laws as he passed through London's Heathrow Airport on his way home to Rio de Janeiro from Berlin. Marcelo Piu/AFP/Getty Images]
Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post.
As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA’s secure system, Alexander has said.
In his job, Snowden purloined many files, including ones that detailed the U.S. government’s programs to collect the metadata of phone calls of U.S. citizens and copy Internet traffic as it enters and leaves the U.S., then routes it to the NSA for analysis.
Officials have said Snowden had access to many documents but didn’t know necessarily how the programs functioned. He dipped into compartmentalized files as systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.
NBC News reported Thursday that the NSA was “overwhelmed” in trying to figure what Snowden had stolen and didn’t know everything he had downloaded.
Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.
Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.
A man who hacked into Mark Zuckerberg's Facebook page to expose a software bug is getting donations from hackers around the world after the company declined to pay him under a programme that normally rewards people who report flaws.
Khalil Shreateh discovered and reported the flaw but was initially dismissed by the company's security team. He then posted a message on the billionaire's wall to prove the bug's existence.
Now, Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust, is trying to mobilize fellow hackers to raise a $10,000 reward for Shreateh after Facebook refused to compensate him.
Maiffret, a high school dropout and self-taught hacker, said on Tuesday he has raised about $9,000 so far, including the $2,000 he initially contributed.
He and other hackers say Facebook unfairly denied Shreateh, a Palestinian, a payment under its "Bug Bounty" program. It doles out at least $500 to individuals who bring software bugs to the company's attention.
"He is sitting there in Palestine doing this research on a five-year-old laptop that looks like it is half broken," Maiffret said. "It's something that might help him out in a big way."
Shreateh uncovered the flaw on the company's website that allows members to post messages on the wall of any other user, including Zuckerberg's. He tried to submit the bug for review but the website's security team did not accept his report.
He then posted a message to Zuckerberg himself on the chief executive officer's private account, saying he was having trouble getting his team's attention.
"Sorry for breaking your privacy," Shreateh said in the post.
The bug was quickly fixed and Facebook issued an apology on Monday for having been "too hasty and dismissive" with Shreateh's report. But it has not paid him a bounty.
"We will not change our practice of refusing to pay rewards to researchers who have tested vulnerabilities against real users," Chief Security Officer Joe Sullivan said in a blogpost.
He said Facebook has paid out more than $1 million under that program to researchers who followed its rules.
If you are a security researcher, please review our responsible disclosure policy before reporting any vulnerabilities. If you are not a security researcher, visit the Facebook Security Page for assistance.
If you believe you have found a security vulnerability on Facebook, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Responsible Disclosure Policy
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Bug Bounty Info
To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Here is how it works:
Eligibility
To qualify for a bounty, you must:
● Adhere to our Responsible Disclosure Policy (above)
● Be the first person to responsibly disclose the bug
● Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure, such as:
  ● Circumvention of our Platform/Privacy permission models
  ● Remote Code Execution
  ● Privilege Escalation
  ● Provisioning Errors
  Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
● Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
● Our minimum reward is $500 USD
● There is no maximum reward: each bug is awarded a bounty based on its severity and creativity
● Only 1 bounty per security bug will be awarded
Exclusions
The following bugs are not eligible for a bounty (and we do not recommend testing for these):
● Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
● Security bugs in third-party websites that integrate with Facebook
● Denial of Service Vulnerabilities
● Spam or Social Engineering techniques
Acquisitions have a 3 month delay before we accept submissions.
The report states that the social network has been quietly working on a service, internally called Reader, that displays content from Facebook users and publishers in a new visual format tailored for mobile devices, people with knowledge of the matter said.
It is not clear when Facebook will launch the service or whether there will be a desktop version of the service. For now, it seems to be geared toward smartphones and tablets.
Previously TechCrunch had reported that Facebook was working on such a service and that it would be launched during its 20 June event. However, Facebook launched the Videos for Instagram feature instead.
TechCrunch had reported that lines of code referring to rssfeeds were spotted in Facebook’s Graph API code. Linking the RSS feed to a user’s Facebook ID, the code schema also covers such aspects as title, URL and update time. Each RSS feed subsequently has entries and subscribers.
If Facebook does launch an app for news aggregation, it could make a lot of sense in terms of monetisation for the site. For publishers, the app could provide a new platform for them to highlight their content from their FB pages without worrying that their content will be lost in the often never-ending News Feed.
But the competition won’t be easy for Facebook. Flipboard, Zite, Pulse and Google Currents are among the endless competitors awaiting it.
The fact that the app is currently only for mobile also highlights the direction Facebook is headed in. Zuckerberg has already said that Facebook is now a mobile company, and while some of its mobile products such as Facebook Home on Android may not have received the best reviews, mobile is the company’s best bet for increasing revenues.
Microsoft discovered malware aimed at obtaining Facebook users’ login information and taking over their accounts, and the new malware strain, Trojan:JS/Febipos.A, has been delivered in the form of extensions for Google Chrome and add-ons for Firefox. The only good news is that it appears to have been discovered only in Brazil thus far. The Next Web reported that Internet Explorer and Safari appear to be immune from Trojan:JS/Febipos.A thus far.
According to The Next Web, the browser extensions or add-ons determine if users are logged in to Facebook and attempt to download configuration files that include lists of commands, enabling them to perform activities such as liking pages, sharing content, posting on other users’ Timelines, commenting on posts, joining groups and inviting friends to do so, and chatting with friends.
Microsoft concluded, as reported by The Next Web:
There may be more to this threat because it can change its messages, URLs, Facebook pages, and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.
In other words, while the threat seems to be currently focused on targeting Facebook users in Brazil (its messages are all written in Brazilian Portuguese), it’s easy to see how the threat could be modified to target more users. The fact that it uses a configuration file shows that the criminals specifically designed it to be modular.