The Rise Of Social Media Botnets

In the social Internet, building a legion of interconnected bots -- all accessible from a single computer -- is quicker and easier than ever before.

The Internet economy is a fascinating development of our time -- whatever you’re looking for, there’s sure to be an e-commerce marketplace gushing with buyers and sellers. The Internet has done to markets what social networks have done to global interactions: created an open, democratized venue with outrageously low barriers to entry. If you have an Internet connection, like nearly half of the earth’s population, you can purchase a ShamWow, pay someone to stand in line for you, download Adobe Photoshop, or even buy a social botnet.

Anatomy of a social botnet
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. This means building a legion of interconnected bots, all controlled from a single computer, is much quicker and easier than ever before.

The person commanding the botnet, also known as a bot herder, generally has two options for building their botnet. The first is fairly ad hoc, simply registering as many accounts as possible to a program that allows the herder to post via the accounts as if they were logged in. The second approach is to create the botnet via a registered network application: the attacker makes a phony app, links a legion of accounts, and changes the setting to allow the app to post on behalf of the associated accounts. Via the app, the herder then has programmatic access to the full army of profiles. This is essentially how ISIS built their Dawn of Glad Tidings application, which acts as a centralized hub that posts en masse on behalf of all its users.

Types of social botnet attacks
With the rise of social media, a social botnet can be used to amplify the scope of an attack or automate the dissemination of malicious links. A few types of common attacks include:

Hashtag hijacking. Hashtag hijacking involves leveraging a hashtag to target a certain organization or group. By appropriating organization-specific hashtags, bots distribute spam or malicious links that subsequently appear in the organization’s circles and news feeds, effectively focusing the attack on that group.
Trend-jacking/watering hole. Trend-jacking is similar to hashtag hijacking in that bots use hashtags to direct their attack. Attackers pick the top trends of the day to disseminate the attack to as broad an audience as possible. In doing so, the attacker makes a “social watering hole” around the trend by planting the payload where the potential victims are interacting; think of a crocodile at the edge of a watering hole, letting the prey come to him.
Spray and pray. Spray and pray involves posting as many links as possible, expecting to get only a click or two on each. These bots will often still intersperse odd or programmatically generated text-based posts, simply to fly under the social network’s Terms of Service radar. This tactic often leverages clickbait and is coupled with one of the above strategies.
Retweet storm. Most social networks have an eye peeled for malicious activity. One clear indicator of malicious botnet activity is a post that is instantly reposted or retweeted by thousands of other bot accounts. The original posting account is generally flagged and banned, but the reposts and retweets remain. The parent account, known as the martyr bot, sacrifices itself to spread the attack.
Click/Like Farming. Bots are ideal for inflating followers: a seedy marketing strategy designed to make a page or conversation look more popular.
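Two of the patterns above (the retweet storm with its martyr bot, and hashtag hijacking) leave a recognizable footprint in an activity feed. The following is an added defender-side example, not code from the original article: it runs simple heuristics over a constructed event feed, and the field layout, thresholds and account names are assumptions.

```python
"""Heuristics for two botnet patterns: a retweet storm (one 'martyr' post
reposted by many accounts within seconds) and hashtag hijacking (an account
repeatedly pushing links under an organization's hashtag).
The event feed below is constructed for this example; real events would come
from a platform's streaming API and the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed. Each event: (time, account, action, post_id, text).
# action is "post" for an original post, or "repost" of an existing post_id.
T0 = datetime(2014, 6, 1, 12, 0, 0)
EVENTS = [
    (T0, "martyr_bot", "post", "p1", "Free prize! http://evil.example #AcmeCorp"),
] + [
    # 200 bot accounts repost p1 within 30 seconds of publication
    (T0 + timedelta(seconds=i % 30), f"bot{i:03d}", "repost", "p1", "")
    for i in range(200)
] + [
    (T0 + timedelta(minutes=5), "alice", "post", "p2", "Lunch at the cafe #AcmeCorp"),
    (T0 + timedelta(minutes=20), "bob", "repost", "p2", ""),
    (T0 + timedelta(minutes=6), "spam_a", "post", "p3", "cheap pills http://spam.example/1 #AcmeCorp"),
    (T0 + timedelta(minutes=7), "spam_a", "post", "p4", "cheap pills http://spam.example/2 #AcmeCorp"),
    (T0 + timedelta(minutes=8), "spam_a", "post", "p5", "diet http://spam.example/3 #AcmeCorp"),
]


def find_retweet_storms(events, window=timedelta(seconds=60), min_reposts=50):
    """Return {post_id: (author, distinct_reposters)} for posts reposted by at
    least min_reposts distinct accounts within `window` of publication.
    The author of a flagged post is the candidate martyr bot."""
    originals = {pid: (t, acct) for t, acct, act, pid, _ in events if act == "post"}
    reposters = defaultdict(set)
    for t, acct, act, pid, _ in events:
        if act == "repost" and pid in originals:
            t_orig, _ = originals[pid]
            if timedelta(0) <= t - t_orig <= window:
                reposters[pid].add(acct)
    return {pid: (originals[pid][1], len(s))
            for pid, s in reposters.items() if len(s) >= min_reposts}


def find_hashtag_hijackers(events, org_hashtags, min_link_posts=3):
    """Return {account: link_post_count} for accounts that posted a link under
    one of the organization's hashtags at least min_link_posts times."""
    tags = {h.lower() for h in org_hashtags}
    counts = defaultdict(int)
    for _, acct, act, _, text in events:
        if act != "post":
            continue
        words = text.lower().split()
        has_tag = any(w.strip(".,!") in tags for w in words)
        has_link = any(w.startswith(("http://", "https://")) for w in words)
        if has_tag and has_link:
            counts[acct] += 1
    return {a: n for a, n in counts.items() if n >= min_link_posts}


if __name__ == "__main__":
    print("retweet storms:", find_retweet_storms(EVENTS))
    print("hashtag hijackers:", find_hashtag_hijackers(EVENTS, ["#AcmeCorp"]))
```

Banning only the martyr account leaves the 200 reposts in place, which is why the repost set (not just the author) is what a response team needs from the first check.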

Monetizing a social botnet
Malicious botnets exist on a spectrum of maliciousness, but at their core all have one of a handful of motivations. On the more benign end of the spectrum is shady marketing. Botnets are leveraged to increase followers or disseminate links and ads. Paying a bot herder to repost or favorite an ad on social media can go a long way in reaching the target audience.

Most botnets fall between the middle and top of the maliciousness spectrum. In the middle of the spectrum are the spam bots: fairly benign from a cyberattack standpoint but still a massive organizational risk if they hijack a company hashtag or target employees and customers. These bots post links to fake Viagra websites, pornography, or too-good-to-be-true diet pills, which can do serious damage to brand reputation if they go unchecked.

On the outright malicious top-end of the spectrum are phishing and malware bot campaigns. Bot herders leverage botnets to distribute these links across social media. The lucrative part of the attack involves selling the phished information or the myriad of ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Unlike traditional botnets, social botnets are not as readily leveraged in DDoS attacks. Bots can repost content, but they can’t send traffic to a target IP address. However, social botnets are leveraged as Command & Control devices to coordinate DDoS attacks by re-posting instructions, including attack date/time, port numbers, domains, and target IPs.

Welcome to the botnet store. In cyber criminal marketplaces and hacker hubs, one of the most traded and highest selling goods is the set of credentials for a social botnet. Not only do bot herders outright sell their social botnets, but they also rent them. People will pay herders to access their botnets for a fixed amount of time or to control a certain number of bots. Consider a bot herder like the landlord of a massive apartment complex. The highest bidder gets access for a specified amount of time before the herder changes tenants.

An ancient Roman writer, Publilius Syrus, described the foundation of economics succinctly: “Everything is worth what the buyer will pay for it.” For the buyer, social botnets provide a tangible, lucrative value. For the bot herders, building and maintaining their botnets is a full time business.

Luckily for the herders, business is booming.

This article was originally published in Dark Reading.


A Match Made in Heaven: Fraud and Social Media

Since the days of Friendster and GeoCities, fraud has thrived on social media.

Social media is the fraudsters’ playground—an unregulated, highly visible, easily exploitable platform that connects with billions of people and serves a host of purposes in a hacker’s repertoire. Many fraudulent accounts are mere satire or innocuous trolling, but others are created with far more devious intentions.

Even inexperienced cyber criminals can carry out low-tech attacks via social media by building convincing profiles and connecting to the right people. In a targeted attack, hackers first connect with colleagues and friends of the target, a tactic called “gatekeeper friending,” so that they appear more legitimate when they finally connect to the target itself.

In the unverified world of social media, fraudsters lay claim to whatever they like—that they work at the same organizations, have the same alma mater, or share all the same goals and interests. Never in the history of human communication has deceit been easier. With these elements in place, the hackers can request sensitive information or ask for money. If the target believes the account to be a coworker, relative, or love interest, these things are openly shared.

In an SEC Form 10 filing, Facebook estimates that nearly 15 million of its accounts are “undesirable.” Even more are considered “false” accounts—nearly 100 million. According to Barracuda Labs, Twitter is similarly fraudulent—about 10% of accounts. Expect these trends to grow. Fake accounts can be leveraged in more technical attacks as well, such as phishing or malware attacks. Launching such a campaign from a well-connected, legitimate-looking profile increases the efficacy of any malware or phishing campaign.

Imitating a brand is also particularly simple. With a quick Google image search to get the company logo, a hacker can set up a fake customer service representative account. Again, these can be low-tech, used to slander the company, or serve more advanced ends, such as spreading malware links via targeted scams and attacks. These fraudulent accounts will often try to phish company employees into disclosing brand account credentials or sensitive company data. These attacks can be spread using company hashtags, both to make the account seem more legitimate and to amplify the attack across the company’s social footprint.

Impersonations can also target the employees of an organization. These attacks often start with a senior executive impersonator account requesting sensitive information or account credentials from subordinates. Hackers can then use these credentials to gain access to the legitimate brand accounts and post anything they choose, from malicious links to slander and abuse.

Fake accounts have existed since the beginning of social media. A handful of examples from the past half-decade: in 2010 a Paramount Entertainment impersonator rattled off racist and inappropriate tweets. Last year, a Thai woman stole some $200,000 using a fake Furby Instagram account. Also in 2013, a fraudulent Southwest Airlines Facebook page boasted some 2,000 followers, and an Instagram scam promised VIP deals on American Airlines, Jet Blue, Delta, United Airlines and Emirates.

The app InstLike, as seen in the picture, tricked over 100,000 users into letting the app hijack their account and like random photos. In January, fake Twitter accounts disguised as market researchers connected to traders in the finance world and claimed several small companies were under investigation by the Department of Justice—hackers rode the ensuing stock plunge.

One group historically prone to social media fraud is the military. Hackers launch “romance scams,” in which fake profiles of servicemen abroad connect with loved ones at home, or even initiate online relationships. Once the targeted party believes they are communicating with a real person, the hacker will request money. One unnamed military official in particular has some 30 imposter Facebook accounts. More troubling is the nearly 100 fake Skype accounts – the most popular means of communication between military personnel and loved ones at home, and thus the easiest target for “romance scams.” Even the Russian social networking site VK has 75 different profiles under this same military official’s name.

Most recently, the fake Jamie Dimon Twitter account took center stage in the news of fraudulent social media activity. It began benignly, posting tweets like, “We are excited to announce that our CEO James Dimon has joined Twitter. This account is managed by the Global Media Relations Department.” The account followed notable business leaders and tweeted several times throughout the day.

For organizations, the cost of social media fraud varies with the type and breadth of the attack. Customer scams have serious business implications further down the road, in the form of customer loyalty and support costs. Executive impersonations can result in brand reputation damage or stock manipulation. Businesses are beginning to understand the full scope of this problem—a third of users say they have been sent malware on social, 24% of SMBs say they have been compromised via social, and 72% of companies believe employees’ use of social media poses a threat to their organization.

As long as social media exists, fraud will persist as a problem. It’s time for organizations to take the threat of social media very, very seriously.

This article was originally published in Security Week.

A CISO's Nightmare: Digital Social Engineering

Olga Redmon is an attractive young professional whose resume includes experience in customer service and Microsoft Office.

Her LinkedIn profile boasts 500+ connections and dozens of endorsements, all of which come from Midwestern professionals in the automotive industry. Olga’s profile picture depicts her in a tight black tank top and red lipstick.

Unfortunately for the hundreds of professionals connected to her, she isn’t real. Corresponding accounts on other networks are equally shady and incomplete, none of which have posted in months. No other information about her exists online, and the “People Also Viewed” panel contains equally suspicious profiles of scantily-clad women. But astoundingly, Olga has a considerable following in the Ohio/Michigan area, all of whom seem to believe the account is genuine. The hacker responsible could very well be distributing malicious links via direct message, or executing a comprehensive social engineering campaign targeting the auto industry.

While Olga Redmon could be written off as a satirical account, the amount of time and effort someone spent making it seem legitimate and connecting with such specific industry professionals suggests that this is something more sinister than satire. Olga Redmon is a well-planned and well-executed next generation social engineering campaign. Social engineering is when a hacker creates convincing fake profiles to connect and interact with a target or group of targets. Hackers create the profiles, build up a network of connections to make them appear trustworthy, and eventually connect with their actual target. Once the request is accepted, a hacker can steal information or launch a cyberattack. Instead of a promising HR, marketing, or sales lead, profiles like Olga Redmon’s can be a serious cyber security threat.

Social engineering campaigns are shockingly easy to carry out. This was made clear at the RSA Europe conference last year when IT services provider World Wide Technology presented the results of a comprehensive penetration test carried out for one of their clients. The story will sound familiar – a fake account under the name Emily Williams, claiming to be an MIT grad with 10 years’ experience. Within days, the pen-testers received endorsements, job offers, and even a company laptop.


Had this been an actual attack, a cyber criminal could have compromised an entire corporate network or brand by creating just a single fake account. From this point, the potential for attack would be nearly endless. The hacker could launch phishing and malware campaigns with increased effectiveness or begin to mine sensitive company information from unsuspecting employees.

By creating an account like Olga Redmon, no actual hacking, in the traditional sense, has been done, meaning this type of attack goes completely unaddressed by traditional security measures like anti-virus or email gateways. A tweenager with no programming experience could bypass existing security infrastructure with no more than a free afternoon and an Internet connection. Now imagine it in the hands of a skilled hacker.

In the event of a serious information breach, the CMO and the sales team will most likely not be held liable. They will always be able to point to the extensive body of research supporting social media as a robust business development tool. Social media isn’t going anywhere – the CISO needs to learn how to manage the corresponding risks.

Social media is already rife with threats, and not just Olga Redmon. Our research suggests that between 4% and 8% of all social media links are malicious in nature, meaning the daily number of malicious links on Twitter alone nearly exceeds the population of Spain. Expect these trends to continue.

Monitoring social media is a daunting task. It’s not a matter of logging into a company’s profiles once a day to look for suspicious activity. Employees, customers, executives, and anyone connected to your organization are the new endpoints for attack. A recent survey suggests that 74% of Internet users are now active on social media, and that the average person has 3 different social media accounts. Apply these stats to your company’s workforce and customer base – that is your full attack surface.

Social media is no longer exclusively in the realm of the marketers, and in truth, never has been. Information security professionals need to be in dialogue with all departments that leverage social media across an organization. Risk management plans need to be in place to monitor, identify, combat and remediate social media-based threats. A simple test is this – go back through your traditional information security risk management plans line by line. Ask yourself if, in all their complexity, they could prevent an attack originating from a carefully worded LinkedIn post from Olga Redmon.

The words “social media” evoke colorful marketing infographics and peppy names like Hootsuite or Savyy or Feedly, not a massive, unchecked cyber security threat vector. CISOs need to change that, because adversaries are utilizing social media as the latest and greatest avenue for targeted attacks.

This article was originally published in Security Week.

Palo Alto Networks: To Buy or Not to Buy...

Palo Alto Networks: To buy or not to buy… that will be the question. 

Palo Alto Networks is about to graduate the Cyber Security M&A Power Rankings, but more importantly, they are about to drive a valuation that should immediately exceed $2B in market cap.

Palo Alto Networks Fast Facts:

  • Palo Alto Networks was founded by Nir Zuk in 2005
  • Over $65M has been raised to drive this beast to IPO from some of the usual suspects, including Sequoia Capital, Capital Partners, Greylock Partners, JAFCO Ventures, and Globespan (the most recent Series D was $8.8M)
  • PAN moved their headquarters into a facility that looks and acts like a web 2.0 software company in San Jose, and yes, you should definitely stay to eat the food in the cafeteria for lunch
  • Nir has acquired about 3 corporate customers per day since launch (6,650+ in sum)
  • The cost of their security appliance line varies from hundreds (PA-200) to tens-of-thousands (PA-5000)

If we only knew the successes and growth trajectory of the company, then this would certainly be a buy at almost any strike price. Palo Alto Networks will IPO soon and I consider it a value stock until it hits $2B in cap. Post $2B, it becomes a growth stock, and my personal belief is that there is plenty of room to see this company grow into a $4B organization over the next few years. I am expecting PAN to continue to mature its enterprise offerings, go after the malware market in full, and grow its international distribution footprint. All of this will happen in the face of competitors who will be working on creating the application identification & control technology that PAN invented seven years ago.

Buy, sell or simply watch, Palo Alto Networks has waged war on the entire network security industry.


Holy Unicorns!!! Boeing Phone and NephronMaxx™

It is extremely rare to spot a unicorn in broad daylight. Furthermore, you have better odds of starting the next Facebook than spotting two unicorns on the same day. Well my friends, I can happily say that I just saw two unicorns. Two organizations and leaders are attempting to break the mold of “being satisfied as large uninventive companies.”

W. James McNerney Jr. (Chairman and CEO of Boeing) and Linda P. Hudson (CEO of BAE) are both attempting to innovate in the cyber security market organically with new product offerings, as opposed to acquiring technology like the heavy majority of their peers. These leaders believe they can change the historical success rate of system integrators that build and launch security products. Fifteen minutes of Googling should be able to uncover a treasure trove of system integrator ventures that date back to the ’90s with the Voyeur and Hydra projects.

Boeing is in the process of finalizing the development of the “Secure Boeing Phone” and BAE is preparing to launch their new “Large File Content Filter”, aka NephronMaxx™. Although there is little doubt that these technologies and products are built on the backs of large Government clients, they allegedly will satisfy a niche requirement that has little to no competition. If successful, these products could be put into the hall of fame like the STU-III or the Baltimore Ravens’ Ray Lewis. Conversely, if they go the route of the dodo bird, most people will likely forget quickly and merely remember these organizations as the large SI’s they are.

Again kudos and best of luck to you both!

**NephronMaxx™ is a trademark of BAE Systems

Cyber Security's Next Generation Catchphrase

With each passing season comes a new catchphrase, a new marketing tagline, a treasure chest of interactive adwords that will ultimately benefit Google less than those copycat security vendors who jump on the bandwagon. Information security became Internet security became E-security, which became digital security, which became information security again, and of course we are now knee deep in the mega cyber security industry. Companies looking to protect organizations against vulnerabilities have been lapped by those protecting against threats. Threats have become persistently advanced and, by some strange coincidence, are now synonymous with groups of state-sponsored hackers.

Managed services once built and leveraged software as a service, and now somehow both have morphed into cloud services. Viruses spawned malware and quickly thereafter malware gobbled up rootkits, trojans, and spyware. Worms grew up and are now adult bots.

These buzz words make this industry money, and tons of it. With each Christmas comes the new set of blinking slogan lights. These slogans will drive the new reports, dashboards, and features and, most importantly, another year of must-have security products that protect you from the “Next Generation” bad guys. Without that new security purchase, all previous security technology investments are null and your job, no your company’s brand, no the organization’s entire digital infrastructure is currently in grave danger.

So if you believe in Valentine’s Day, Halloween or Hallmark, then take a deep breath and do not get too worked up about our little secret of productization and marketing in this industry. Besides, it will be Christmas in Q4 soon enough and our vendors will be counting their Next Generation Firewall, Advanced APT Defense, Cloud Security Service, and Mobile Malware Security App presents under the tree.

First Name Foster

My name is James C. Foster and I have been in the cyber security industry for as long as I can remember. My passion and mission in this industry has been, and will always be, to protect the United States, her allies, corporations, and citizens. Unlike any other IT-related sector, the cyber security industry has an adversary. We are constantly in competition, at war, and at a tipping point in time. Our manufacturers and service providers constantly have to stay ahead of the threat, which is increasingly finding new ways to bypass the protective measures and defenses we have built and implemented.

In 2011, The Register estimated that the global drug market was worth approximately $288B, while in the same report the total estimated annual value of the cyber black market was $388B. The value, stakes, and threat have never been greater – that is why I continue to help drive this industry and lead the “good guys.”