Endpoint

8/31/2017
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

New Facebook, Instagram Bugs Demonstrate Social Media Risk

Security flaws in Facebook Messenger and Instagram let hackers propagate attacks and steal personal data.

Researchers at Kaspersky Lab recently discovered cyberattacks on Instagram and Facebook Messenger intended to steal credentials and spread malware, respectively. Both instances demonstrate the potential danger when an attacker seeks power in a social network.

The two attacks, while similar in their use of social networks, were otherwise different in nature. The Instagram attacks were manual and targeted high-profile victims. The Facebook campaign used advanced tactics to infect a large and indiscriminate pool of users.

Instagram's vulnerability exists in mobile version 8.5.1, which was released in 2016. Attackers can simply select "reset password," capture the request using a Web proxy, select a victim, and submit a request to Instagram's server with the target's unique identifier or username. The server returns a JSON response with the victim's personal data, like email and phone number.

"The attacks are quite labor intensive," Kaspersky Lab researchers explain. "Each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form."

Hackers were found on an underground forum exchanging personal credentials for celebrity accounts. Researchers reported the bug to Instagram on August 29; on August 30, the photo-sharing app had warned users of the vulnerability and issued a fix. Users are advised to update their apps to the latest version and alert Instagram to emails about password restoration.

David Jacoby, senior security researcher for Kaspersky Lab's Global Research and Analysis Team, picked up on the Facebook Messenger-driven malware when he received a suspicious note from a distant contact. Within minutes, he realized he had received an advanced form of multi-platform malware/adware, which was using multiple domains to prevent tracking.

Infected messages contain a shortened link, which leads victims to a Google Doc containing an image resembling a fake video player with the sender's profile photo. Google Chrome users who click the link are redirected to a fake YouTube page, which prompts them to download a fake Chrome extension. If installed, it spreads malicious links to the victims' online friends.

Chrome was the browser highlighted in a blog post co-authored by Jacoby and Frans Rosén, security advisor at Detectify, who was also investigating the Facebook malware. The two determined it was clear Chrome was a targeted browser for spreading the attack to other victims; in other browsers, ads were displayed and adware was downloaded on the victim's machine.

Jacoby and Rosén found several Chrome extensions were used in this campaign. All were newly created with stolen code, and similar names, to legitimate extensions. Each contained obfuscated background script that would only fetch an external URL if installed from the Chrome Webstore. Locally installed versions would not trigger an attack.

"The script would like a page on Facebook that was hardcoded in the script," researchers explain. "This was most likely used by the attackers to count the amount of infected users by keeping an eye on the amount of likes on this page."

Indeed, when observed, the "like" count quickly rose from 8,900 at one point to 32,000 a few hours later.

Google Chrome's security team disabled all malicious extensions to stop the spread of attack as much as possible; however, attackers had stolen all the access tokens from victims' accounts. This means attackers can still access these profiles, even if victims have changed their passwords, signed out, or disabled platform settings.

"We are currently discussing this with Facebook," Jacoby and Rosén report, "but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole."

The Facebook attack heavily relied on realistic social interactions, dynamic user content, and legitimate domains to spread. Researchers advise users to be careful when letting extensions control the bowser, and know which extensions they are running in the browser.

Tip: In Chrome, you can write chrome://extensions/ in your URL field to see a list of enabled extensions.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2017 | 5:54:11 PM
Insta
Makes sense that the Instagram attacks only tended to target high-profile accounts. The damage one could do with the typical Instagram account is quite limited indeed (esp. w/ MFA).
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.