All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1
Conference All your contacts are belong to us : automated identity theft attacks on social networks,Bilge, Leyla;Strufe, Thorsten;Balzarotti, Davide;Kirda, Engin, 18th International World Wide Web Conference, April 20-24, Madrid, Spain (WWW'09) 2
Outline Introduction iCloner overview Cloning attacks Evaluation Suggestions for improvements in social network site security Conclusion 3
Introduction (cont.) Social network sites have been increasingly gaining popularity. Business relationship XING (5 million registered users,2008) LinkedIn (80 million registered users,2010) Friend relationship Facebook ( 0.5 billion registered users,2010) StudiVZ (16 million registered users,2010) MeinVZ As the Interest for a new technology grows on the Internet, miscreants are attracted as well. Social network (steal personal info.) 4
This paper do …. This paper investigate how easy it would be for a potential attacker to launch this type of impersonation attacks in an automated fashion against a number of popular social networking sites in order to gain access to a large volume of personal user information. 5
iCloner First Attack : It clone an already existing profile in a social network and send friend requests to the contacts of the victim. Second Attack : It is effective and feasible to launch an automated, cross-site profile cloning attack. 6
Contributions It is feasible in to launch automated attacks against five popular social networking sites. Profile cloning, cross-site profile cloning. There is significant room for improvement to make these CAPTCHAs more difficult to break. That most social network users are not cautious when accepting friend requests or clicking on links that are sent to them. It makes suggestions on how social networking sites can improve their security, and therefore, better protect the privacy of their users. 7
An architectural overview of iCloner 8
CAPTCHAs CAPTCHA algorithm is the ability to generate tests that are at the same time easily solvable by humans, but very hard to solve for a computer application. ImageMagick(Image filter) + Tesseract (OCR) 9
Breaking ….. MeinVZ and StudiVZ Replace the background with white pixels Isolate the letters (if overlapping,ask new CAPTCHA) Scale all letters to same size Tesseract It can solve the CAPTCHA with 99.8% in one of the three consecutive attempts. 10
Breaking … Facebook (reCAPTCHA) Unbend the word back to the original shape Translate pixel column up or down becomes a straight line Similar to MeinVZ and StudiVZ steps Compared with English dictionary,or submit the word to Google. Success rate between 4% and 7% Botnets and IPs 11
Cloning attacks Profile cloning Cross-site profile cloning 12
Profile cloning Promise : profile cloning attack is that social networking users are generally not cautious when accepting friend requests. Many users will not get suspicious if a friend request comes from someone they know, even if this person is already on their contact list. The profile cloning attack consists of identifying a victim and creating a new account with his real name and photograph inside the same social network. Once the cloned account has been created, our system can automatically contact the friends of the victim and send friend requests. Friend requests + Social engineering 13
Cross-site Profile Cloning Aim : Identify victims who are registered in one social network, but not in another. Retrieve as much information as possible form victim original social network account. Identify the friends of the victim in the original network and check which of them are registered in the target network. 14 FieldScore Education2 Company2 City & Country 1
15
Evaluation Crawling Experiments Experiments (Profile Cloning) Experiments(Cross-site profile cloning) 16
Crawling Experiments StudiVZ and MeinVZ profiles/day 5 million public user profiles with contact information and more than 1.2 million profiles with complete user information Xing 118,000 profiles 17
Experiments (Profile Cloning) 1.Wanted to test how willing users would be to accept friendship requests from forged profiles of people who were already on their friendship lists.(in Facebook ) Using iCloner, it duplicated 5 user profiles (same name, arbitrary birth date, same picture, D1,…,D5) iClone sent requests to all contact for each victim.( 705 users in total) 18
Experiments (Profile Cloning) 2.How effective profile cloning is with respect to requests that the contacted users might receive from people that they do not know These profiles consisted of random names and pictures of arbitrary people.(F1,…,F5) We contacted the same users from these accounts as with the respective forged profiles. 19
Experiments (Profile Cloning) 3How much trust users would have in messages that they would receive from their new contacts. 20
Experiments (Profile Cloning) 21
Experiments (Profile Cloning) 22
Experiments(Cross-site profile cloning) A profile taken from a social network is cloned to another social network. XING 30,000 profiles,and found 3,700 also registered in LinkedIn.(12%) It clone 5 XING account into LinkedIn and iCloner identified 78 out of 443 XING (17.6%)friend contacts were also registered on LinkedIn In 2008, XING have 5 million registers. This attack Upper bound to 600,
Experiments(Cross-site profile cloning) Of the 78 contact requests that we sent to the users in LinkedIn, 56%, in total 44, were accepted. 24
Suggestions for improvements in social network site security Overlapping the CAPTCHAs symbol Rate limit behavior-based anomaly detection 25
Conclusion How easy it would be for a potential attacker to launch automate crawling and identity theft attacks against five popular social network sites. This paper present two identity automated theft attacks Social networking sites are useful, we believe it is important to raise awareness among users about the privacy and security risks that are involved. 26