Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:43 AM
Gadi Evron
Gadi Evron
Connect Directly

Yet Another Facebook Malware Evolution

Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.

Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.We have seen before how Facebook malware (and scams) try to lure the unsuspecting user to clicking on links, while at the same time obfuscating their activities as to not be detected by Facebook's security team.

The next phase in that evolution has happened. And much like other phases, we've seen it before in another time and place.

In 2004, botnets existed and were actively used for cybercrime activities. The security industry as a whole, save for a few individuals (including yours truly), were not aware of this threat or disregarded it as secondary.

What mattered was PR. The Year Of The Big Worms was behind us and with every new worm to be released into the wild, wilder claims would be sounded in the press, claiming the end of the world. In retrospect, while unplanned, this was as good as a campaign by the criminals to keep us in the industry busy with old technology while they make use of botnets.

Botnet was not an acknowledged term -- most of us called them Drone Armies back then. But the key issue is that these botnets performed the criminal activity a worm would, while making the shelf life of compromised computers much larger, as well as individual bots multipurpose rather than single-purpose.

And, indeed, history repeats itself, only with a different spin.

On Facebook, malware and scam activities always fight against time. They invent new tricks, and the Facebook security team responds in kind. Some of these tricks have grown to sophisticated complexity, while others are simply useless. While botnets were always used to operate fake Facebook profiles, they were not used separately for infection and scam.

In the past few weeks, we have seen more and more spam and scams on Facebook that don't actually infect the user -- thus drawing less of our attention. We keep looking for the worm, but it's not there.

What the criminals have done is divide their activities. On the one hand you have the botnet and infected users, all unrelated to Facebook. These then use Facebook on real users' computers to scam their friends. Their friends, in turn, may lose money in the scam, but will not get infected if they click the link/lure.

The difference is subtle, but key. By not infecting users on Facebook for their Facebook scams, the criminals have a lower profile and are much less interesting to Facebook security and the security industry.

In essence, the criminals, knowingly or not, have taken a page out of a security manual. They have reduced their risks by adding an extra layer, or hop, between them and their marks. Not only do they now draw less attention, it is also more difficult to discover, follow, and/or destroy these botnets because they are obfuscated behind the scenes. Don't get me wrong: Criminals have always used botnets on Facebook. This is a matter of type of usage and scale.

Ask any old timer in the industry, and he will tell you: "We've seen this before" -- in a different time, or place, or platform. This cyclical nature of our field is fascinating to me. It is always a new threat, a new platform, and a new technology. The challenge is to maintain our experience in between, and not just be tactically oriented.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-11
SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure.
PUBLISHED: 2019-12-11
SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure.
PUBLISHED: 2019-12-11
SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.
PUBLISHED: 2019-12-11
Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the web server, leading to Cross Site Request Forgery.
PUBLISHED: 2019-12-11
SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects in Project dashboard, leading to Information Disclosure.