Stefan Tanase, Kaspersky Lab UK: When the Web 2.0 sneezes, everyone gets sick
February 2010 by Stefan Tanase, Senior Security Researcher, Kaspersky Lab UK
Towards the end of the noughties Web 2.0 was the buzzword of the Internet. As we enter this new decade the popularity of social networking websites such as YouTube, Friends Reunited, Twitter, Facebook, LinkedIn and a whole raft of new online innovations that facilitate greater communication show no signs of abating.
Web 2.0 is not just a consumer phenomenon. Many organisations of all shapes and sizes have been quick to recognise its considerable potential to create a direct dialogue with their customers. Furthermore, many employees will access social networking sites either from the office, or externally on a device belonging to the organisation, whether authorised or not. Yet, whilst the vast majority of the business media’s attention has been fixed on the man-hours lost to employees using such sites for personal purposes, little attention has been paid to the real and present danger posed by the growth of Web 2.0-specific Cybercrime.
The rise of Web 2.0 malware
In 2007, when Web 2.0 was in its relative infancy, there were just over 10,000 malicious software samples reported to be spreading via social networking sites. This figure rose to over 25,000 during 2008 and the statistics for the last year will undoubtedly be significantly higher again, in-line with an overall trend in malware growth rates (today Kaspersky Lab detects over 35,000 new malware threats each day).
So why are Web 2.0 attacks on the rise? For the same reason that there is currently more Windows-based malware than Mac malware: it all comes down to economies of scale and effectiveness. Put simply, Cybercriminals go where the crowds are! Social networking sites have experienced exponential growth in usage - in fact it is estimated that around 80% of all Internet users accessed social networking sites in 2009, equivalent to more than one billion people. The ever-entrepreneurial Cybercriminals have been quick to identify this ‘market’ opportunity, and their efforts (for example, stealing passwords and confidential information that can be sold or used for profit) have paid off: malicious code distributed via social networking sites has proven to be 10 times more effective than malware spread via email.
What is a Web 2.0 attack?
A Web 2.0 attack will typically comprise one or more social networking sites, a malicious website (often set up for the purpose of extracting money from the unsuspecting visitor) and a victim. Web 2.0 attacks take advantage of technological factors such as zero-day vulnerabilities and unpatched or unlicensed software, as well as human traits, exploiting the trust, curiosity and sometimes naivety that is often associated with these seemingly ‘friendly’ social networking sites.
The summer of Koobface
Whilst the volume of Web 2.0 malware continues to rise, it was in the middle of 2009 that we witnessed a major milestone in the latest phase of social engineering-based attacks. In fact, the activity reported during June 2009 by far exceeded any other month on record. The culprit was Koobface (an anagram of Facebook), which was discovered by Kaspersky Lab over one year ago targeting Facebook and MySpace accounts.
Over 575 new variants of this now infamous worm were reported throughout June 2009, spreading through a legitimate user’s account to their friends’ profiles. Comments and messages sent by the worm would contain a link to a fake YouTube style website which invited users to download a ‘new version of Flash Player’. The worm, rather than a media player, would then be downloaded to victim machines and once infected, the user would unknowingly start spreading such messages to his or her friends. In the meantime, the functionality of the worm has been extended.
Koobface continues to evolve and has broadened its reach to include not only Facebook and MySpace, but also sites including Hi5, Bebo, Tagged, Netlog and Twitter.
One phenomenon particular to Twitter is the use of URL shortening services, such as tinyurl, bit.ly or myloc.me, that help users keep their tweets within the 140 character limit whilst still being able to provide a link to an external website. In fact, approximately 26 percent of all tweets posted on Twitter contain shortened URLs. Cybercriminals have recognised that they can take advantage of this to obscure the true URL from the reader and lure them to malicious or spam websites. Currently, Kaspersky Lab scans nearly 500,000 new unique URLs that appear in Twitter posts every day and of those, between 100 and 1,000 are malware attacks.
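The defensive counterpart to the shortened-URL problem is to expand the link before anyone clicks it: walk the redirect chain one HEAD request at a time, with automatic redirect-following disabled, so the landing host is known before any page is fetched. The following Python is an added example written for this article, not Kaspersky Lab tooling or code from the original piece. All hostnames and the redirect table are constructed so that it runs offline; the network fetcher is included for real use but is not exercised here.

```python
"""Expand a shortened URL hop by hop and classify where it lands,
without ever fetching the final page automatically."""
from urllib.parse import urlsplit, urljoin
import http.client

REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_over_network(url, timeout=5):
    """One HEAD request; returns (status, Location). http.client never follows
    redirects on its own, so every hop is explicit and inspectable."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_url(url, fetch_head=head_over_network, max_hops=5):
    """Return the ordered redirect chain starting at `url`.
    Stops at the first non-redirect response; raises on loops or too many hops,
    both of which are common tricks for defeating naive scanners."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects; refusing to continue")


def final_host(chain):
    return urlsplit(chain[-1]).hostname


# Constructed redirect table standing in for the shorteners' live responses.
# Every hostname below is made up for this example.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://other-short.example/xyz"),
    "http://other-short.example/xyz": (302, "http://free-flash-update.example/player.exe"),
    "http://free-flash-update.example/player.exe": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, None))


# Hypothetical blocklist of known lure hosts (in practice: a URL reputation feed).
BLOCKED_HOSTS = {"free-flash-update.example"}


def verdict(url, fetch_head=fake_head):
    """Expand `url` and classify it: 'blocked' if the landing host is blocklisted,
    'suspicious' if the chain loops or runs too long, otherwise 'ok'."""
    try:
        chain = expand_short_url(url, fetch_head)
    except ValueError:
        return "suspicious", []
    return ("blocked" if final_host(chain) in BLOCKED_HOSTS else "ok"), chain


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://loop.example/a"):
        print(u, "->", verdict(u))
```

Chained shorteners (one short link pointing at another) are deliberately handled: the chain is reported in full, so an analyst sees every intermediary, and the hop cap and loop detection stop the expander from being turned into a resource sink by a hostile redirector.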
Don’t let your network catch a cold
Web 2.0 threats are becoming more common, creative and varied. For example, in December 2009 the Trojan program Twetti was identified. This Trojan works by sending a request to Twitter’s API (application programming interface, used by legitimate developers and Cybercriminals alike), which returns data on so-called ‘trends’, i.e. the topics most discussed on Twitter. The returned data is then used to generate an apparently random domain name, which the Cybercriminals have registered in advance by running the same method, and the victim is redirected to this domain. The main part of the malware is hosted on that domain. In other words, the malicious link and the redirect are created on the fly via an intermediary, which in this case happens to be Twitter.
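What makes this scheme work is that both the Trojan and its operator derive the rendezvous domain from the same public, time-varying input, so they never need to exchange it; the flip side is that a defender who recovers the derivation from a sample can compute the same candidate domains and sinkhole or block them. The Python below is an added illustration of that idea, not Twetti’s actual algorithm and not code from Kaspersky Lab or the original article: the hashing scheme, the trend list and the date are all invented for the example.

```python
"""Domain generation seeded from public trend data, shown from both sides:
the malware/operator pair that agree on a domain without communicating, and
the defender who reproduces the list to flag DNS queries.
The derivation here is hypothetical; it is not the real Twetti algorithm."""
import hashlib
import re
from datetime import date


def normalise_trend(topic):
    """Reduce a trending topic to a stable token so every party derives the same seed
    regardless of case, hashtags or spacing."""
    return re.sub(r"[^a-z0-9]", "", topic.lower())


def trend_seeded_domains(trends, day, count=3, tld=".info", label_len=10):
    """Return `count` domain names derived deterministically from the top `trends`
    on `day`. Mixing the date in rotates the domains daily, which is why the
    operator must register them ahead of time using the same function."""
    domains = []
    for topic in trends:
        seed = f"{day.isoformat()}|{normalise_trend(topic)}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        domains.append(digest[:label_len] + tld)  # hex label: valid DNS characters
        if len(domains) == count:
            break
    return domains


def flag_dga_queries(observed_qnames, trends, day, **kwargs):
    """Defender side: compute the day's candidate domains from the same public
    trend data and return the observed DNS names (normalised, sorted) that match."""
    candidates = set(trend_seeded_domains(trends, day, **kwargs))
    hits = {q.lower().rstrip(".") for q in observed_qnames}
    return sorted(hits & candidates)


# Constructed sample input; in the real case the trends come from the public API.
SAMPLE_TRENDS = ["#IranElection", "Michael Jackson", "Swine Flu", "Air France"]
SAMPLE_DAY = date(2009, 12, 15)


def demo():
    """Operator and infected host compute the same list independently."""
    operator_view = trend_seeded_domains(SAMPLE_TRENDS, SAMPLE_DAY)
    infected_host_view = trend_seeded_domains(list(SAMPLE_TRENDS), SAMPLE_DAY)
    return operator_view, infected_host_view


if __name__ == "__main__":
    operator, bot = demo()
    print("operator registers:", operator)
    print("bot resolves:      ", bot)
    # Constructed DNS log: one benign name plus the bot's first candidate.
    log = ["www.example.com.", bot[0].upper() + "."]
    print("flagged:", flag_dga_queries(log, SAMPLE_TRENDS, SAMPLE_DAY))
```

The defensive function only works if the trend snapshot the defender feeds in matches what the Trojan saw, so in practice the same API is polled on the same schedule and candidates are computed for a window of days either side to absorb clock and caching differences.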
It is inevitable that the risk of the Web 2.0 sites ‘sneezing’ will continue to increase as long as their popularity remains. However, this should not mean your company network gets sick.
As with any form of sickness, prevention is always better than cure and this must begin with an ongoing programme of employee education and awareness. Furthermore, the enforced adherence to an enterprise-wide Internet & email usage policy should be complemented by up-to-date security software for every device that connects to the network, and a software asset management strategy that ensures only licensed and fully patched software is being used. Take these precautionary measures and you will give your organisation the best possible chance of remaining fit and healthy, whilst still reaping the many rewards of using Web 2.0 to drive your business forward.