Endpoint

8/31/2017
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

New Facebook, Instagram Bugs Demonstrate Social Media Risk

Security flaws in Facebook Messenger and Instagram let hackers propagate attacks and steal personal data.

Researchers at Kaspersky Lab recently discovered cyberattacks on Instagram and Facebook Messenger intended to steal credentials and spread malware, respectively. Both instances demonstrate the potential danger when an attacker seeks power in a social network.

The two attacks, while similar in their use of social networks, were otherwise different in nature. The Instagram attacks were manual and targeted high-profile victims. The Facebook campaign used advanced tactics to infect a large and indiscriminate pool of users.

Instagram's vulnerability exists in mobile version 8.5.1, which was released in 2016. Attackers can simply select "reset password," capture the request using a Web proxy, select a victim, and submit a request to Instagram's server with the target's unique identifier or username. The server returns a JSON response with the victim's personal data, like email and phone number.

"The attacks are quite labor intensive," Kaspersky Lab researchers explain. "Each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form."

Hackers were found on an underground forum exchanging personal credentials for celebrity accounts. Researchers reported the bug to Instagram on August 29; on August 30, the photo-sharing app had warned users of the vulnerability and issued a fix. Users are advised to update their apps to the latest version and alert Instagram to emails about password restoration.

David Jacoby, senior security researcher for Kaspersky Lab's Global Research and Analysis Team, picked up on the Facebook Messenger-driven malware when he received a suspicious note from a distant contact. Within minutes, he realized he had received an advanced form of multi-platform malware/adware, which was using multiple domains to prevent tracking.

Infected messages contain a shortened link, which leads victims to a Google Doc containing an image resembling a fake video player with the sender's profile photo. Google Chrome users who click the link are redirected to a fake YouTube page, which prompts them to download a fake Chrome extension. If installed, it spreads malicious links to the victims' online friends.

Chrome was the browser highlighted in a blog post co-authored by Jacoby and Frans Rosén, security advisor at Detectify, who was also investigating the Facebook malware. The two determined it was clear Chrome was a targeted browser for spreading the attack to other victims; in other browsers, ads were displayed and adware was downloaded on the victim's machine.

Jacoby and Rosén found several Chrome extensions were used in this campaign. All were newly created with stolen code, and similar names, to legitimate extensions. Each contained obfuscated background script that would only fetch an external URL if installed from the Chrome Webstore. Locally installed versions would not trigger an attack.

"The script would like a page on Facebook that was hardcoded in the script," researchers explain. "This was most likely used by the attackers to count the amount of infected users by keeping an eye on the amount of likes on this page."

Indeed, when observed, the "like" count quickly rose from 8,900 at one point to 32,000 a few hours later.

Google Chrome's security team disabled all malicious extensions to stop the spread of attack as much as possible; however, attackers had stolen all the access tokens from victims' accounts. This means attackers can still access these profiles, even if victims have changed their passwords, signed out, or disabled platform settings.

"We are currently discussing this with Facebook," Jacoby and Rosén report, "but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole."

The Facebook attack heavily relied on realistic social interactions, dynamic user content, and legitimate domains to spread. Researchers advise users to be careful when letting extensions control the bowser, and know which extensions they are running in the browser.

Tip: In Chrome, you can write chrome://extensions/ in your URL field to see a list of enabled extensions.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2017 | 5:54:11 PM
Insta
Makes sense that the Instagram attacks only tended to target high-profile accounts. The damage one could do with the typical Instagram account is quite limited indeed (esp. w/ MFA).
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.