Part of being able to combat malware, phishing, and other online threats is gathering and consolidating as much data on those threats as possible, and Facebook took a major step forward on that front with its development of ThreatData.
Facebook described ThreatData as “a framework for importing information about badness on the Internet in arbitrary formats, storing it efficiently, and making it accessible for both real-time defensive systems and long-term analysis,” and it described the motivation behind it:
Helping keep the Internet free of threats is a huge challenge that has never been more important. For us to do our part effectively, we must continually search for new types of attacks and deeply understand existing ones. Given the pace of criminals today, one of the hard parts is actually keeping track of all the data related to malware, phishing, and other risks. We wanted an easier way to organize our work and incorporate new threat information we receive so that we can do more to protect people.
The social network added that the framework behind ThreatData is made up of three components: feeds, data storage, and real-time response.
Facebook also provided an example of ThreatData in action:
In the summer of 2013, we noticed a spike in malware samples containing the string “J2ME” in the anti-virus signature. Further investigation revealed a spam campaign using fake Facebook accounts to send links to malware designed for feature phones. The malware — specifically the Trojan:J2ME/Boxer family — was capable of stealing a victim’s address book, sending premium SMS spam, and using the phone’s camera to take pictures. With this discovery, we were able to analyze the malware, disrupt the spam campaign, and work with partners to disrupt the botnet’s infrastructure. Below is a chart of a similar campaign attempted in December 2013.
For much more on the nuts and bolts behind ThreatData, please see the note on the Protect the Graph page.
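The investigation in the quoted example began with nothing more than a spike in samples whose anti-virus signature contained one string. The following is an added example, not Facebook's or ThreatData's own code, of that kind of check run over a normalized feed; it assumes a constructed feed of one `date,signature` line per sample, with placeholder signature names apart from the family quoted above.

```python
"""Signature-string spike detection over a normalized threat feed (added example)."""
from collections import Counter
from datetime import date, timedelta
from statistics import mean

def constructed_feed():
    """Constructed sample feed: eight quiet days, then one day with a burst of J2ME hits.
    Signature names other than the family quoted on the page are placeholders."""
    start = date(2013, 6, 24)
    lines = []
    for day in range(8):
        d = (start + timedelta(days=day)).isoformat()
        lines.append(f"{d},Worm:Win32/Placeholder.B")  # unrelated background sample
        lines.append(f"{d},Trojan:J2ME/Boxer.A")        # one J2ME sample per day
    spike_day = (start + timedelta(days=8)).isoformat()  # 2013-07-02
    lines += [f"{spike_day},Trojan:J2ME/Boxer.{v}" for v in "AABBCCAAABBC"]  # 12 hits
    return lines

def parse_feed(lines):
    """Normalize 'YYYY-MM-DD,<signature>' lines into (date, signature) records.
    Malformed lines are dropped so one bad record cannot stall the import."""
    records = []
    for line in lines:
        parts = line.strip().split(",", 1)
        if len(parts) != 2:
            continue
        try:
            records.append((date.fromisoformat(parts[0]), parts[1].strip()))
        except ValueError:
            continue
    return records

def daily_counts(records, needle):
    """Samples per day whose signature contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return Counter(d for d, sig in records if needle in sig.lower())

def find_spikes(counts, window=7, factor=3.0, min_hits=5):
    """Days whose count exceeds `factor` times the mean of the previous `window` days.
    `min_hits` suppresses alerts on tiny absolute numbers; a signature string seen
    for the first time in volume (zero baseline) is still flagged."""
    spikes = []
    for day in sorted(counts):
        baseline = mean(counts.get(day - timedelta(days=k), 0) for k in range(1, window + 1))
        if counts[day] >= min_hits and counts[day] > factor * baseline:
            spikes.append(day)
    return spikes
```

Running `find_spikes(daily_counts(parse_feed(constructed_feed()), "J2ME"))` flags only the burst day, while the steady background family never crosses the threshold.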
Readers: What are your thoughts on ThreatData?