- Social Site-

Last update 28.09.2017 14:48:34


Facebook Awards $100,000 Prize for Spear-Phishing Detection Method

18.8.2017 securityweek Social
Facebook announced on Thursday the winners of its 2017 Internet Defense Prize. A team of researchers from the University of California, Berkeley, and the Lawrence Berkeley National Laboratory earned the $100,000 prize for a novel technique of detecting credential spear-phishing attacks in enterprise environments.

The new method, presented this week at the USENIX Security Symposium, combines a new non-parametric anomaly scoring technique for ranking security alerts with features derived from the analysis of spear-phishing emails.

To test their method, the researchers analyzed more than 370 million emails received by a large enterprise’s employees between March 2013 and January 2017.

The first part of the detection method relies on two sets of features: domain reputation and sender reputation. The domain reputation features examine the link included in an email to judge whether it poses a risk: a URL is considered risky if few employees in the organization have visited its domain, or if the domain was first visited only very recently.

The sender reputation feature aims to identify spoofing of the sender’s name in the From header, a previously unseen attacker using a name and email address closely resembling a known or authoritative entity, exploitation of compromised user accounts, and suspicious email content (i.e. messages that reference accounts and credentials, or ones that invoke a sense of urgency).

Once the sender and URL features have been collected, the system must decide whether an alert should be raised for the security team. The method proposed by the researchers, dubbed “Directed Anomaly Scoring (DAS),” ranks all events by how suspicious each one is relative to the others. Once all events have been scored, DAS selects the highest-ranked ones and alerts the security team about them.

According to the experts, the new method detected 17 of 19 spear-phishing emails and had a false positive rate of less than 0.005%, which they claim is 200 times lower than what other researchers had previously obtained.
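The following is an added example, not code from the Berkeley paper or from Facebook, showing a simplified version of the scoring idea described above. It builds the three feature kinds the article names (how many employees have visited the link's domain, how recently the organisation first saw it, and whether a known display name arrives from an address it never used), orients every feature so that a larger value is more suspicious, and then scores each email by how many other emails it is at least as suspicious as in every dimension. The click history, sender history and emails are constructed for the example; the paper's real feature set and its exact scoring rule are richer than this.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Email:
    id: str
    from_name: str    # display name in the From header
    from_addr: str    # address in the From header
    url_domain: str   # domain of the link embedded in the message
    received: date


# Constructed click history standing in for proxy logs: which employees have
# visited a domain and when the organisation first saw it.
DOMAIN_VISITORS: Dict[str, Set[str]] = {
    "wiki.corp.example": {f"emp{i}" for i in range(400)},
    "docs.corp.example": {f"emp{i}" for i in range(120)},
    "news.example": {f"emp{i}" for i in range(50)},
    "share-files.example": {"emp7", "emp19", "emp33"},
}
DOMAIN_FIRST_SEEN: Dict[str, date] = {
    "wiki.corp.example": date(2014, 1, 1),
    "docs.corp.example": date(2015, 6, 1),
    "news.example": date(2016, 12, 20),
    "share-files.example": date(2017, 1, 14),
}
# Constructed sender history: display name -> addresses it has used before.
KNOWN_SENDERS: Dict[str, Set[str]] = {
    "Alice Admin": {"alice.admin@corp.example"},
    "Bob Builder": {"bob@corp.example"},
}


def domain_reputation(domain: str, day: date) -> Tuple[int, int]:
    """(employees who visited the domain, days since the org first saw it).
    A never-seen domain gets 0 on both, the riskiest possible value."""
    visitors = len(DOMAIN_VISITORS.get(domain, set()))
    first = DOMAIN_FIRST_SEEN.get(domain)
    days = (day - first).days if first else 0
    return visitors, days


def name_spoofed(from_name: str, from_addr: str) -> bool:
    """True when a known display name arrives from an address it never used."""
    known = KNOWN_SENDERS.get(from_name)
    return known is not None and from_addr not in known


def suspicion_vector(e: Email) -> Tuple[int, int, int]:
    """Features oriented so that a larger value is always more suspicious."""
    visitors, days = domain_reputation(e.url_domain, e.received)
    return (-visitors, -days, int(name_spoofed(e.from_name, e.from_addr)))


def das_scores(events: List[Email]) -> Dict[str, int]:
    """Directed anomaly score: the number of other events this one is at least
    as suspicious as in every dimension. No thresholds or distribution
    assumptions are needed; the data ranks itself."""
    vecs = {e.id: suspicion_vector(e) for e in events}

    def dominates(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
        return all(x >= y for x, y in zip(a, b))

    return {
        eid: sum(1 for oid, ov in vecs.items() if oid != eid and dominates(v, ov))
        for eid, v in vecs.items()
    }


def rank_alerts(events: List[Email], budget: int) -> List[str]:
    """Ids of the `budget` highest-scoring events, i.e. the daily alert budget."""
    scores = das_scores(events)
    ordered = sorted(events, key=lambda e: (-scores[e.id], e.id))
    return [e.id for e in ordered[:budget]]


DAY = date(2017, 1, 15)
# Constructed inbox: E3 is a credential lure (spoofed display name, never-seen
# domain); E5 points at a domain the org first saw yesterday.
SAMPLE_EMAILS = [
    Email("E1", "Alice Admin", "alice.admin@corp.example", "wiki.corp.example", DAY),
    Email("E2", "Bob Builder", "bob@corp.example", "docs.corp.example", DAY),
    Email("E3", "Alice Admin", "alice.admin@corp-login.example", "corp-login.example", DAY),
    Email("E4", "Weekly News", "news@news.example", "news.example", DAY),
    Email("E5", "Bob Builder", "bob@corp.example", "share-files.example", DAY),
]

if __name__ == "__main__":
    for eid, score in sorted(das_scores(SAMPLE_EMAILS).items()):
        print(eid, score)
    print("alerts:", rank_alerts(SAMPLE_EMAILS, budget=2))
```

The scoring is quadratic in the number of events, which is why a deployment would run it per day over events that already passed cheap pre-filters. The alert budget is the knob that trades detection for analyst time, which is the false-positive cost Facebook's reviewer praises below.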

“This research is important for two reasons,” said Facebook’s Nektarios Leontiadis. “First, in recent history, successful spearphishing attacks have led to a number of prominent information leaks. Every time the community improves the detection or prevention of compromise from a technical standpoint, the human factor becomes an even stronger focal point of adversaries. Helping protect people from social engineering attacks becomes even more important. This research can help reduce the potential of such compromises happening in the future.”

“Secondly, the authors acknowledge and account for the cost of false positives in their detection methodology. This is significant because it factors into the overhead cost and response time for incident response teams,” Leontiadis added.

Facebook also announced that two other groups earned honorable mentions for their research on preventing dangling pointer flaws and the use of static analysis techniques to find Linux kernel driver vulnerabilities.

Lithuania to extradite the man responsible for 100M email scam against Google and Facebook
19.7.2017 securityaffairs

A Lithuanian court ruled on Monday to extradite to the United States a man charged with swindling roughly $100 million (about 87 million euros) from Google and Facebook through an email scam.

Lithuanian citizen Evaldas Rimasauskas (48) was arrested in March by local authorities at the request of US law enforcement, which accuses him of stealing the money from the two IT giants by posing as a large Asia-based hardware vendor.

The fraudulent activities happened between 2013 and 2015.

“The court has ruled in favor of extraditing Lithuanian citizen Evaldas Rimasauskas to the United States for criminal prosecution,” Judge Aiva Surviliene said.

Evaldas Rimasauskas pictured in district court in Vilnius in May 2017 – Source AFP

The indictment explicitly mentioned Facebook and Google. According to the investigators, Rimasauskas created email accounts to trick victims into believing that the emails were sent by employees at the Asian hardware vendor.

He is accused of forging invoices, contracts and letters to trick administrative personnel into wiring over $100 million to overseas bank accounts that he controlled.

Rimasauskas’s lawyer, Snieguole Uzdaviniene, said her client intends to appeal the decision.

Google confirmed that its systems were not hacked; nevertheless, the company reviewed its internal processes and implemented countermeasures against email scams and business email compromise (BEC).

“We detected this fraud against our vendor management team and promptly alerted the authorities,” a Google spokesman told AFP. “We recouped the funds and we’re pleased this matter is resolved.”

Rimasauskas is awaiting extradition and faces up to 20 years in prison if convicted.

Did you receive a WhatsApp subscription ending email or text? Watch out!
17.7.2017 securityaffairs 

Did you receive a WhatsApp subscription ending email or text? Watch out! It is a scam to steal your payment and personal data.
Researcher Graham Cluley is warning of bogus ‘WhatsApp subscription ending’ emails and texts.

Internet users are receiving an email pretending to be from WhatsApp that warns them an alleged WhatsApp subscription is about to end.

Although WhatsApp stopped charging for the service in January 2016, crooks are exploiting the fact that in the past WhatsApp asked users to pay a fee after they had used the service for a year.

Using this social engineering lure, crooks aim to trick users into clicking links in the messages, which may result in them handing their payment information over to attackers.

“Have you received an email claiming to come from WhatsApp that warns that you have been using the service for more than one year and that it’s time to take out a subscription?”

“Beware! The emails are, of course, a scam designed to trick you into clicking links that might result in you handing your payment information over to fraudsters.” states the blog post published by Graham Cluley on the ESET blog.

WhatsApp scam email (subscription expired)

Below a portion of the malicious email:

Your subscription is ending soon

Please update your payment information now


Our records indicate that your WhatsApp trial service is exceeding the one year period. At the completion of your trial period your WhatsApp will no longer be able to send or receive message. To continue using WhatsApp without interruption, we need you to subscribe for any of our subscription periods.

As usual, you should always be wary of unsolicited email messages and SMS text messages claiming to come from WhatsApp demanding payments or the verification of your account’s credentials.

“You ultimately decide what links you click on, and whether you hand over your passwords and payment card details. Always think twice, because the wrong decision could prove costly.” concluded Graham Cluley.

Australia to Compel Chat Apps to Hand Over Encrypted Messages

14.7.2017 securityweek Social

Social media giants like Facebook and WhatsApp will be compelled to share encrypted messages of suspected terrorists and other criminals with Australian police under new laws unveiled Friday.

It comes after Prime Minister Malcolm Turnbull warned encrypted messages were increasingly being used by terrorists, drug traffickers and paedophile rings, calling for legislation to be modernised to allow police to do their jobs.

"We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law," he said, adding that the tech giants must "face up to their responsibility".

"They can't just wash their hands of it and say it's got nothing to do with them."

Australian authorities can currently obtain information from telecommunications companies, but not internet firms that use data encryption to guarantee user confidentiality.

Encryption essentially involves complex algorithms scrambling data to make it indecipherable until unlocked by its owner or when it reaches its destination.

"Because of this end-to-end encryption, all of that information, all of that data, that communication is effectively dark to the reach of the law," said Turnbull.

"And that's not acceptable. We are a society, a democracy, under the rule of law, and the law must prevail online as well as offline."

The laws will be introduced into parliament by the end of the year.

Attorney-General George Brandis said the legislation would be similar to Britain's Investigatory Powers Act, which imposes an obligation on companies to cooperate with investigations.

They would provide Australian intelligence and law enforcement authorities with coercive powers as a "last resort" if tech companies did not voluntarily help, said Brandis.

"It is vitally important that the development of technology does not leave the law behind," he said.

However, Silicon Valley tech companies have so far refused to bend to similar legal requests.

Facebook said it already had a system in place to help police and intelligence officials in Australia.

"We appreciate the important work law enforcement does, and we understand their need to carry out investigations. That's why we already have a protocol in place to respond to requests where we can," a spokesperson said.

"At the same time, weakening encrypted systems for them would mean weakening it for everyone."

Apple told AFP it had no comment on the new legislation.

British Home Secretary Amber Rudd will travel to the United States shortly to discuss the issue further with her American counterpart and tech companies, said Turnbull.

The US government last year locked horns in a legal battle with Apple, seeking to compel the iPhone maker to help decrypt a device used by one of the attackers in the San Bernardino shooting rampage.

Authorities eventually dropped the case after finding a way to break into the iPhone without Apple's help.

Turnbull admitted it may be difficult to enforce the laws if firms do not comply, but said it was important to "recognise the challenge and call on those companies to provide the assistance".

New German Law Risks Chilling Effect on Free Speech in Social Media

3.7.2017 securityweek Social

Germany passed a new law on Friday that imposes fines of up to €50 million on social media services with more than 2 million German users if they fail to remove hate speech or other illegal content. Where the infringement is obvious, it must be done within 24 hours; where it is less obvious it must be done within 7 days.

This must be done in response to a received complaint rather than a judicial instruction -- which means that social networks, such as Facebook, need to determine for themselves whether the content is legal or illegal.

The 'Enforcement on Social Networks' law, also known as the 'NetzDG' law, has both supporters and opponents. The Central Council of Jews -- Germany's main Jewish organization -- commented, "Jews are exposed to anti-Semitic hatred in social networks on a daily basis. Since all voluntary agreements with platform operators produced almost no result, this law is the logical consequence to effectively limit hate speech."

Facebook has a different view. It said in a statement, "We believe the best solutions will be found when government, civil society and industry work together and that this law as it stands now will not improve efforts to tackle this important societal problem."

Many civil rights groups fear it will have a chilling effect on free speech. Writing just before the law was adopted, digital rights group EDRi wrote, "In the current version [the one adopted by the German lawmakers], upload and content filters would not be mandatory, but whether or not mandatory, they are likely to be applied by big companies like Facebook. These companies are, quite rationally, driven by the motivation to avoid liability, using the cheapest options available, and to exploit the political legitimization of their restrictive measures for profit. This can only lead to privatized, unpredictable online censorship."

Facebook's current filters have been criticized separately. According to an analysis by Propublica, Facebook seeks to develop universally acceptable standards rather than national standards. The result can be conflicting.

For example, it did not remove a post from a U.S. congressman Clay Higgins which called for the slaughter of radicalized Muslims: "Kill them all. For the sake of all that is good and righteous. Kill them all." It did, however, remove a post from Boston poet and Black Lives Matter activist Didi Delgado who wrote, "All white people are racist. Start from this reference point, or you've already failed."

A common concern over NetzDG is that the size of the potential fines will persuade social media giants to err on the side of their own safety and consequently remove content that is perfectly legal. "Many of the violations covered by the bill are highly dependent on context, context which platforms are in no position to assess," commented the UN Special Rapporteur to the High Commissioner for Human Rights, David Kaye.

The law could still be stopped by the European Commission since many critics claim that it contravenes basic EU principles on freedom of expression. However, it could also go the other way. According to Spiegel Online today, German Federal Minister of Justice Heiko Maas has plans for government control over the algorithms that underlie the social networks' content filtering. The plans, suggests Spiegel, would represent "a new regulation of the Internet corporations -- affected by a review of the algorithms would be platforms such as Facebook and Google."

According to Maas, "transparency in the algorithms is the guarantee for preventing discrimination and for self-determination."

Social Media 'Bots' From Russia Distorting Global Politics: Study

22.6.2017 securityweek Social
A wave of "computational propaganda," largely driven by Russia, is impacting politics around the world by spreading misinformation designed to manipulate public opinion, researchers said Tuesday.

The Oxford University team presented research in Washington on the use of automated programs or "bots" on social media aimed at influencing politics in nine countries, including the United States.

"Computational propaganda is one of the most powerful new tools against democracy," said the research paper directed by Oxford's Philip Howard and Samuel Woolley.

The research is not the first to note the existence of Twitter bots and other automated tools aimed at disrupting politics but offers insight into the global scale of efforts, which are traced mainly to Russia but also operate in China and in the target countries themselves.

"We know that there is a building with hundreds of employees in St. Petersburg with a budget of millions of dollars dedicated to manipulating public opinion" in a number of countries, Howard said at a media presentation.

Howard said the Russian style of propaganda involves "seeding multiple, conflicting and contradictory stories."

Woolley said the goal of this effort "is to confuse, it's not necessarily to sell a fake story. It's to make people so apathetic about politics and policy in general that they don't really want to engage anymore."

The research team analyzed tens of millions of posts on seven different social media platforms during elections, political crises, and national security incidents between 2015 and 2017 in Brazil, Canada, China, Germany, Poland, Taiwan, Russia, Ukraine, and the United States.

- Social media battles -

While propaganda and fake news are longstanding tools in politics, the use of automation and algorithms to create bots on social media appears to have accelerated the spread of misinformation.

Platforms like Facebook and Twitter have taken steps to curb the spread of fake news stories while also arguing it is not their role to edit or control content.

The researchers said Twitter is more vulnerable to bots because it allows users to set up anonymous accounts and its programming platform is open.

In the United States, the researchers said they concluded that bots had "measurable influence" during the 2016 election by affecting the flow of information.

"Social media bots manufacture consensus by artificially amplifying traffic around a political candidate or issue," the researchers wrote.

"Armies of bots built to follow, retweet, or like a candidate's content make that candidate seem more legitimate, more widely supported, than they actually are... the illusion of online support for a candidate can spur actual support through a bandwagon effect."

In Russia, the researchers said they found 45 percent of the political conversation is dominated by "highly automated accounts."

While Twitter was an effective tool for pro-democracy activists during the Arab Spring movements starting in 2010, the researchers say authoritarian governments now use these platforms to suppress social activism.

Perhaps the most flagrant examples of computational propaganda are in Ukraine, they said, describing it as "the frontline of numerous disinformation campaigns in Europe."

They said fake stories such as one about "a crucified boy" or another about Ukrainian soldiers being paid with "two slaves and a piece of land" have turned into "textbook examples of how propaganda works."

Google Steps Up Efforts to Block Extremism, Following Facebook

19.6.2017 securityweek Social
Google is stepping up its efforts to block "extremist and terrorism-related videos" over its platforms, using a combination of technology and human monitors.

The measures announced Sunday come on the heels of similar efforts unveiled by Facebook last week, and follow a call by the Group of Seven leaders last month for the online giants to do more to curb online extremist content.

"While we and others have worked for years to identify and remove content that violates our policies, the uncomfortable truth is that we, as an industry, must acknowledge that more needs to be done," said a blog post by Google general counsel Kent Walker.

Walker said Google would devote more resources to apply artificial intelligence to suppress YouTube videos used in support of extremist actions.

"This can be challenging: a video of a terrorist attack may be informative news reporting if broadcast by the BBC, or glorification of violence if uploaded in a different context by a different user," he said.

"We will now devote more engineering resources to apply our most advanced machine learning research to train new 'content classifiers' to help us more quickly identify and remove extremist and terrorism-related content."

Google acknowledged that technology alone cannot solve the problem, and said that it would "greatly increase the number of independent experts" on the watch for videos that violate its guidelines.

"Machines can help identify problematic videos, but human experts still play a role in nuanced decisions about the line between violent propaganda and religious or newsworthy speech," Walker said.

Google plans to add 50 non-government organizations to the 63 it already works with to filter inappropriate content.

"This allows us to benefit from the expertise of specialized organizations working on issues like hate speech, self-harm, and terrorism," Walker wrote.

"We will also expand our work with counter-extremist groups to help identify content that may be being used to radicalize and recruit extremists."

A similar initiative was announced last week by Facebook, which earlier this year said it was adding 3,000 staff to track and remove violent video content.

Google's Walker said the online giant would start taking "a tougher stance on videos that do not clearly violate our policies," including videos that "contain inflammatory religious or supremacist content."

He said YouTube would expand its role in counter-radicalization efforts using an approach that "harnesses the power of targeted online advertising" to reach potential recruits for extremist groups and offers "video content that debunks terrorist recruiting messages."

Facebook inadvertently revealed moderators’ identities to suspected terrorists
18.6.2017 securityaffairs
A bug in the software used by Facebook moderators to review inappropriate content resulted in the disclosure of identities of moderators to suspected terrorists.
According to the Guardian, Facebook put the safety of its content moderators at risk by inadvertently exposing their personal details to suspected terrorist users of the social network. The exposure was caused by a bug in the software moderators use to review and remove inappropriate content: while they were acting on reported content, their personal profiles were revealed to the users they had acted against.

The bug in Facebook’s moderation application was discovered in 2016 and caused the personal profiles of content moderators to appear among activity notifications for online groups after moderators had removed the groups’ administrators for terms-of-service violations.

“The security lapse affected more than 1,000 workers across 22 departments at Facebook who used the company’s moderation software to review and remove inappropriate content from the platform, including sexual material, hate speech and terrorist propaganda.” reported The Guardian.

“A bug in the software, discovered late last year, resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of the Facebook groups, whose administrators were removed from the platform for breaching the terms of service. The personal details of Facebook moderators were then viewable to the remaining admins of the group.”

Facebook “inadvertently” exposed the personal details of over 1,000 employees, around 40 of whom worked in a special counter-terrorism unit in Dublin, Ireland.

For six of those workers the incident was assessed as “high priority”; the risk is that terrorists or lone wolves could add them to a kill list.

“Six of those were assessed to be “high priority” victims of the mistake after Facebook concluded their personal profiles were likely viewed by potential terrorists.” continues The Guardian. “The Guardian spoke to one of the six, who did not wish to be named out of concern for his and his family’s safety. The Iraqi-born Irish citizen, who is in his early twenties, fled Ireland and went into hiding after discovering that seven individuals associated with a suspected terrorist group he banned from Facebook – an Egypt-based group that backed Hamas and, he said, had members who were Islamic State sympathizers – had viewed his personal profile.”

The employee, one of numerous low-paid contractors, said he relocated to eastern Europe for five months out of fear of retaliation.

“It was getting too dangerous to stay in Dublin,” the employee said. “The only reason we’re in Ireland was to escape terrorism and threats.”

Facebook confirmed the breach:
“As soon as we learned about the issue, we fixed it and began a thorough investigation to learn as much as possible about what happened.” said a company spokesperson.
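The internals of Facebook's moderation tool are not public, so the following is an added example illustrating the general design failure the Guardian describes, not Facebook's code: a group activity log that attributes every action to the personal account that performed it leaks the moderator's identity to the remaining admins. The hardened renderer attributes staff moderation actions to a shared system identity for non-staff viewers and keeps true attribution only in an internal audit record. The user ids, action names and the `is_staff` flag are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Actions performed by staff that must never expose the individual moderator.
MODERATION_ACTIONS = {"admin_removed", "post_removed", "group_disabled"}


@dataclass(frozen=True)
class User:
    user_id: str
    display_name: str
    is_staff: bool = False  # content moderator or other employee (assumed flag)


@dataclass(frozen=True)
class ActivityEntry:
    action: str
    actor: User   # who performed the action
    target: str   # e.g. the removed admin's user id


def render_vulnerable(entry: ActivityEntry, viewer: User) -> Dict[str, str]:
    """Naive rendering: every entry names its actor, whoever the viewer is.
    A staff moderator who removed a group admin is shown to the other admins."""
    return {"action": entry.action, "target": entry.target,
            "actor_id": entry.actor.user_id, "actor_name": entry.actor.display_name}


def render_hardened(entry: ActivityEntry, viewer: User) -> Dict[str, str]:
    """Attribute staff moderation actions to a shared system identity unless the
    viewer is staff; ordinary member activity is rendered unchanged."""
    if entry.action in MODERATION_ACTIONS and entry.actor.is_staff and not viewer.is_staff:
        return {"action": entry.action, "target": entry.target,
                "actor_id": "system", "actor_name": "Moderation team"}
    return render_vulnerable(entry, viewer)


def audit_record(entry: ActivityEntry) -> Dict[str, str]:
    """Internal, access-controlled record that keeps the true actor so that
    accountability survives the redaction in the public feed."""
    return {"action": entry.action, "target": entry.target, "actor_id": entry.actor.user_id}


def render_log(entries: List[ActivityEntry], viewer: User) -> List[Dict[str, str]]:
    return [render_hardened(e, viewer) for e in entries]


# Constructed sample: a staff moderator removes a group admin, and a remaining
# (non-staff) admin of that group later views the activity log.
MODERATOR = User("m-1042", "M. Example", is_staff=True)
REMAINING_ADMIN = User("u-77", "Remaining Admin")
REMOVAL = ActivityEntry("admin_removed", MODERATOR, "u-12")
MEMBER_POST = ActivityEntry("post", REMAINING_ADMIN, "p-1")

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(REMOVAL, REMAINING_ADMIN))
    print("hardened:  ", render_hardened(REMOVAL, REMAINING_ADMIN))
    print("audit:     ", audit_record(REMOVAL))
```

The point is data minimisation at the rendering boundary: the decision of what the viewer may learn about the actor is made per viewer, and the personal profile is never placed into a notification object that other code may forward.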

Two Tickets as Bait
10.6.2017 Kaspersky  Social
Over the previous weekend, social networks were hit with a wave of posts that falsely claimed that major airlines were giving away tickets for free. Users from all over the world became involved in this: they published posts that mentioned Emirates, Air France, Aeroflot, S7 Airline, Eva Air, Turkish Airlines, Air Asia, Air India, and other companies. We cannot rule out that similar posts mentioning other brands may appear in the near future as well.

Naturally, there have been no promotions to give away airline tickets. Users were addressed by fraudsters who assumed the names of the largest airlines in order to subscribe their victims to paid mobile services, collect personal data, install malware, and increase traffic to websites with advertisements and dubious content. To do this, fraudsters have been registering a multitude of domains, where they host content on behalf of well-known brands. At the mentioned resources, users are congratulated on winning two airline tickets. Then, they’re asked to perform a series of actions to receive the gift. As a result, the victim ends up on another website that belongs to fraudsters, which monetizes their “work” and spreads information about the nonexistent campaign on a social network.

An example of a social-network post with a link to a fraudulent website

This is by no means the first case where users themselves have started spreading fraudulent content on social networks. We have previously written about a fake petition in defense of Suarez distributed by Facebook users, about fake donations, and about pornware. All of these incidents have one thing in common: the threats are distributed over social networks, with the users themselves often participating.

The attack model

Let us return to the most recent case and examine it a bit closer. By following the link from a social network news feed, a user navigates to a fraudulent website. We have found a series of domains that belong to fraudsters: deltagiveaway.com, vvxwx9.us, aeroflot-com.us, aeroflot-ticket.us, qq3mz9.us, emiratesnow.us, emiratesgo.us, com-beforeitsends.us, emirates.iwelltrip.us, and many others.

Some examples of fraudulent websites that make use of famous airline brands

Since the fraudulent schemes only varied by logo, language, and color scheme, depending on the brand, let’s take one website out of the many and discuss it. The website that claims to belong to American Airlines contains information about a promotional giveaway of two tickets to respondents who must answer three questions.

An example of a fraudulent website that uses American Airlines branding.

After completing the survey, the victim is asked to take two more steps. First, the victim is asked to post the promotional information on his or her page on a social network and thank the airline in the comment. Second, the victim has to click the “Like” button. It should be noted that the web page shows what appear to be Facebook comments from users who have already won tickets. An investigation showed that the comments are actually fake. We can even leave our own comment, but it will disappear after the page is refreshed. All of this is directed at coaxing a victim into believing that the page is legitimate.

We would like to note that most comments are posted in various languages by the same people, and the messages are similar in content and most likely are translated using machine translation.

After all of these actions are performed, the website redirects the user to various web pages depending on the user's geolocation. In some cases, we were redirected to the websites shown below.

Each time all of the same aforementioned actions are performed and the same survey is completed, the website does something different and may redirect users to various web pages. We have found websites with a variety of dubious content, including lotteries, advertisements, new surveys with giveaways, links to suspicious files that can be downloaded, and so on.

Among other things, some websites suggest that users download a supposedly useful file and at the same time urge them to install a potentially dangerous browser extension. The extension obtains permission to read all data in the browser, potentially allowing fraudsters to get hold of passwords, logins, credit-card data, and other confidential information entered by the user. Later on, the extension may itself spread links to the extension on Facebook, posting on behalf of the user to his or her friends. This is exactly the threat carried out by an attack that we discussed previously.

At the time of publication, this extension alone had been installed by over 5,000 users, according to the statistics of the web app store.

The number of victims and their location

Most resources that utilize the fraudulent scheme contain links to external services that collect statistics for website traffic. These data show that the attack was widely distributed and was mostly directed at smartphone users. For example, here are some impressive statistics for only two of all the domains that we discovered.

Statistics for the aeroflot-ticket.us website


Statistics for the emirateswow.us website

Unfortunately, numerous users took the bait of the fraudsters. These users tried their luck and did not pay attention to a multitude of signs that are typical for a scam, which resulted in spreading potentially dangerous content among friends over a social network.

Some examples of published posts with links to fraudulent websites

Thus, fraudulent web resources and a plethora of their counterparts across the Internet gained huge popularity in a matter of hours.
The possibilities of social networks are endless when it comes to spreading information across the globe. These fraudsters only confirm this fact.

Some examples of published posts with links to fraudulent websites

Finally, here are a few pieces of advice.

You should be sensibly skeptical about similar “promotions”. Before navigating to suspicious links and entering your personal data on a web resource, you should contact a representative of the company that is supposedly running the promotion and confirm the information.
A scrupulous examination of a web resource’s address will help identify fraud. It may be a good idea to verify whether the domain belongs to the company indicated on the website or not. Services that provide whois data about domains may prove helpful in that endeavor.
Be responsible when posting content from your account on a social network. In order to avoid becoming involved in a fraudulent scheme, do not spread information with questionable authenticity.
Do not install suspicious browser extensions. Upon detection of an installed extension that seems suspicious or whose purpose you do not remember, delete the extension immediately in the settings section of your browser and change the passwords of websites that you visit, especially those dealing with online banking.
Use security solutions that protect users from phishing, such as Internet Security-level solutions and higher. They will block any attempts to navigate your browser to fraudulent websites.
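The advice above to examine a web resource's address closely can be partly automated. The following is an added example, not Kaspersky's code, that applies two checks to the fraudulent domains listed in this article: a label inside the hostname that imitates a top-level domain (the "com-" in com-beforeitsends.us, the "-com" in aeroflot-com.us), and a brand keyword appearing on a registrable domain the brand does not own (deltagiveaway.com, emirates.iwelltrip.us). The brand-to-domain allow-list is constructed for the example and is an assumption; a real deployment would source it from the companies concerned and use the Public Suffix List rather than the two-label shortcut used here. Domains with no brand keyword at all, such as vvxwx9.us, pass both checks, which is why this is a triage aid and not a verdict.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand keyword -> registrable domains
# the brand is assumed to own. Anything else carrying the keyword is flagged.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "aeroflot": {"aeroflot.ru"},
    "emirates": {"emirates.com"},
    "delta": {"delta.com"},
    "americanairlines": {"aa.com"},
}

# Labels that, when they appear below the real TLD, are trying to look like one.
TLD_LOOKALIKES = {"com", "net", "org"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for the .com/.us/.ru names in this
    article; suffixes such as .co.uk need the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def check_url(url: str) -> Optional[str]:
    """Return a reason the URL looks like brand impersonation, or None."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "no hostname"
    labels = host.split(".")
    registrable = registrable_domain(host)

    # Check 1: a TLD-like label placed inside the name, e.g. "com-beforeitsends".
    for label in labels[:-1]:
        if label in TLD_LOOKALIKES or label.startswith("com-") or label.endswith("-com"):
            return f"TLD-like label '{label}' inside hostname {host}"

    # Check 2: brand keyword present, but the registrable domain is not one the
    # brand owns. Hyphens and dots are removed so "aeroflot-ticket" still matches.
    squashed = host.replace("-", "").replace(".", "")
    for brand, owned in BRAND_DOMAINS.items():
        if brand in squashed and registrable not in owned:
            return f"'{brand}' used on unowned domain {registrable}"
    return None


if __name__ == "__main__":
    # Domains quoted in the article above, plus two legitimate ones for contrast.
    for u in ["http://deltagiveaway.com/", "http://aeroflot-com.us/", "http://aeroflot-ticket.us/",
              "http://emiratesnow.us/", "http://com-beforeitsends.us/", "http://emirates.iwelltrip.us/",
              "http://vvxwx9.us/", "https://www.aeroflot.ru/", "https://www.emirates.com/"]:
        print(u, "->", check_url(u))
```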