Presentation is loading. Please wait.

Presentation is loading. Please wait.

All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.

Published byRoberta Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1."— Presentation transcript:

1 All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1

2 Conference All your contacts are belong to us : automated identity theft attacks on social networks,Bilge, Leyla;Strufe, Thorsten;Balzarotti, Davide;Kirda, Engin, 18th International World Wide Web Conference, April 20-24, Madrid, Spain (WWW'09) 2

3 Outline  Introduction  iCloner overview  Cloning attacks  Evaluation  Suggestions for improvements in social network site security  Conclusion 3

4 Introduction (cont.)  Social network sites have been increasingly gaining popularity.  Business relationship  XING (5 million registered users,2008)  LinkedIn (80 million registered users,2010)  Friend relationship  Facebook ( 0.5 billion registered users,2010)  StudiVZ (16 million registered users,2010)  MeinVZ  As the Interest for a new technology grows on the Internet, miscreants are attracted as well.  E-mail  Social network (steal personal info.) 4

5 This paper do ….  This paper investigate how easy it would be for a potential attacker to launch this type of impersonation attacks in an automated fashion against a number of popular social networking sites in order to gain access to a large volume of personal user information. 5

6 iCloner  First Attack :  It clone an already existing profile in a social network and send friend requests to the contacts of the victim.  Second Attack :  It is effective and feasible to launch an automated, cross-site profile cloning attack. 6

7 Contributions  It is feasible in to launch automated attacks against five popular social networking sites.  Profile cloning, cross-site profile cloning.  There is significant room for improvement to make these CAPTCHAs more difficult to break.  That most social network users are not cautious when accepting friend requests or clicking on links that are sent to them.  It makes suggestions on how social networking sites can improve their security, and therefore, better protect the privacy of their users. 7

8 An architectural overview of iCloner 8

9 CAPTCHAs  CAPTCHA algorithm is the ability to generate tests that are at the same time easily solvable by humans, but very hard to solve for a computer application.  ImageMagick(Image filter) + Tesseract (OCR) 9

10 Breaking …..  MeinVZ and StudiVZ  Replace the background with white pixels  Isolate the letters (if overlapping,ask new CAPTCHA)  Scale all letters to same size  Tesseract  It can solve the CAPTCHA with 99.8% in one of the three consecutive attempts. 10

11 Breaking …  Facebook (reCAPTCHA)  Unbend the word back to the original shape  Translate pixel column up or down becomes a straight line  Similar to MeinVZ and StudiVZ steps  Compared with English dictionary,or submit the word to Google.  Success rate between 4% and 7%  Botnets and IPs 11

12 Cloning attacks  Profile cloning  Cross-site profile cloning 12

13 Profile cloning  Promise :  profile cloning attack is that social networking users are generally not cautious when accepting friend requests.  Many users will not get suspicious if a friend request comes from someone they know, even if this person is already on their contact list.  The profile cloning attack consists of identifying a victim and creating a new account with his real name and photograph inside the same social network.  Once the cloned account has been created, our system can automatically contact the friends of the victim and send friend requests.  Friend requests + Social engineering 13

14 Cross-site Profile Cloning  Aim :  Identify victims who are registered in one social network, but not in another.  Retrieve as much information as possible form victim original social network account.  Identify the friends of the victim in the original network and check which of them are registered in the target network. 14 FieldScore Education2 Company2 City & Country 1

15 15

16 Evaluation  Crawling Experiments  Experiments (Profile Cloning)  Experiments(Cross-site profile cloning) 16

17 Crawling Experiments  StudiVZ and MeinVZ  40.000 profiles/day  5 million public user profiles with contact information and more than 1.2 million profiles with complete user information  Xing  118,000 profiles 17

18 Experiments (Profile Cloning)  1.Wanted to test how willing users would be to accept friendship requests from forged profiles of people who were already on their friendship lists.(in Facebook )  Using iCloner, it duplicated 5 user profiles (same name, arbitrary birth date, same picture, D1,…,D5)  iClone sent requests to all contact for each victim.( 705 users in total) 18

19 Experiments (Profile Cloning)  2.How effective profile cloning is with respect to requests that the contacted users might receive from people that they do not know  These profiles consisted of random names and pictures of arbitrary people.(F1,…,F5)  We contacted the same users from these accounts as with the respective forged profiles. 19

20 Experiments (Profile Cloning)  3How much trust users would have in messages that they would receive from their new contacts. 20

21 Experiments (Profile Cloning) 21

22 Experiments (Profile Cloning) 22

23 Experiments(Cross-site profile cloning)  A profile taken from a social network is cloned to another social network.  XING 30,000 profiles,and found 3,700 also registered in LinkedIn.(12%)  It clone 5 XING account into LinkedIn and iCloner identified 78 out of 443 XING (17.6%)friend contacts were also registered on LinkedIn  In 2008, XING have 5 million registers. This attack Upper bound to 600,000. 23

24 Experiments(Cross-site profile cloning) Of the 78 contact requests that we sent to the users in LinkedIn, 56%, in total 44, were accepted. 24

25 Suggestions for improvements in social network site security  Overlapping the CAPTCHAs symbol  Rate limit  behavior-based anomaly detection 25

26 Conclusion  How easy it would be for a potential attacker to launch automate crawling and identity theft attacks against five popular social network sites.  This paper present two identity automated theft attacks  Social networking sites are useful, we believe it is important to raise awareness among users about the privacy and security risks that are involved. 26

Download ppt "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1."

Similar presentations

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Breaking Trust On The Internet

Breaking Trust On The Internet
Recommendations on the future of online GyroScope & Databse implementation.

Recommendations on the future of online GyroScope & Databse implementation.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.

Privacy Wizards for Social Networking Sites Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/01/17 1.
Social Media Networking Sites Charlotte Jenkins Designing the Social Web 06-10-2011.

Social Media Networking Sites Charlotte Jenkins Designing the Social Web
2011/1/3 1 Reporter: Chun-Chih Wu Adviser: Hsing-Kuo Pao Author: Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and.

2011/1/3 1 Reporter: Chun-Chih Wu Adviser: Hsing-Kuo Pao Author: Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and.
Outline of presentation Brief introduction of Facebook as a social networking tool Research questions Methods Findings and Results Some Experimentation.

Outline of presentation Brief introduction of Facebook as a social networking tool Research questions Methods Findings and Results Some Experimentation.
Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.

Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.
How To Protect Your Privacy and Avoid Identity Theft Online.

How To Protect Your Privacy and Avoid Identity Theft Online.
Zifei Shan, Haowen Cao, Jason Lv, Cong Yan, Annie Liu Peking University, China 1.

Zifei Shan, Haowen Cao, Jason Lv, Cong Yan, Annie Liu Peking University, China 1.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Detecting Spammers on Social Networks Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna (University of California) Annual Computer Security Applications.

Detecting Spammers on Social Networks Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna (University of California) Annual Computer Security Applications.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.

CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
© 2009 SCHOOL FAMILY MEDIA Keeping Your Child Safe on the Internet © 2009 SCHOOL FAMILY MEDIA.

© 2009 SCHOOL FAMILY MEDIA Keeping Your Child Safe on the Internet © 2009 SCHOOL FAMILY MEDIA.
REVENUE MANAGEMENT GUIDE © Marin Management, Inc. 1 Online Networking Guide, 1560 Facebook ® A. Introduction to Facebook ® Facebook Facebook ® is a very.

REVENUE MANAGEMENT GUIDE © Marin Management, Inc. 1 Online Networking Guide, 1560 Facebook ® A. Introduction to Facebook ® Facebook Facebook ® is a very.
Authors: Gianluca Stringhini Christopher Kruegel Giovanni Vigna University of California, Santa Barbara Presenter: Justin Rhodes.

Authors: Gianluca Stringhini Christopher Kruegel Giovanni Vigna University of California, Santa Barbara Presenter: Justin Rhodes.
Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis.

Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis.
Network and Systems Security By, Vigya Sharma (2011MCS2564) FaisalAlam(2011MCS2608) DETECTING SPAMMERS ON SOCIAL NETWORKS.

Network and Systems Security By, Vigya Sharma (2011MCS2564) FaisalAlam(2011MCS2608) DETECTING SPAMMERS ON SOCIAL NETWORKS.
Using Social Networks to Harvest Addresses Reporter: Chia-Yi Lin Advisor: Chun-Ying Huang Mail: 9/14/2015 1.

Using Social Networks to Harvest Addresses Reporter: Chia-Yi Lin Advisor: Chun-Ying Huang Mail: 9/14/

Similar presentations

Ads by Google