Think all you have to worry about when you log into Twitter, Facebook or FourSquare is the threat of an annoying spam attack, a viral worm or the release of your private information? Think again, and take caution. Sophisticated hackers are now using social networking sites as a home base to launch targeted attacks, according to a new report from security firm Mandiant.
Mandiant’s annual “M-Trends” report says the company has observed an increasing number of “Advanced Persistent Threats” that are hijacking legitimate social networks and Web-based services, including Facebook, Google Chat and MSN, as command and control networks for malware installations.
Mandiant warned APT attackers will, in the future, “increasingly leverage the broad array” of social networking sites to conduct their operations because they are widely available, offer anonymity and provide more versatility.
More ominously, the report uncovered a larger trend where sophisticated attacks on commercial entities now outstrip attacks on even the networks of government agencies and defense industry players.
“They target vulnerable people more often than they target vulnerable systems,” Mandiant researchers wrote.
Examples of the trend, and its dangers, cited in the study include a downloader program that used Facebook’s internal messaging feature for C&C activities, as well as Trojans that opened backdoors on victim computers through MSN and Google Chat services for C&C communications.
Other examples include backdoor Trojans that searched for and executed C&C instructions embedded inside HTML comments on compromised Web pages, such as a blog, and a malware tool that stole data from the compromised computer and sent files using Hotmail.
“In each of these cases, the attackers effectively camouflaged their remote access as normal SSL-encrypted traffic to popular Internet sites. These techniques were resilient to both packet inspection and netflow anomaly analysis,” says the report.
E-mail “spear phishing” campaigns using infected ZIP, PDF, Word and Excel files were the most common, and the report singled them out as the “weapon of choice” for infiltrating social networks.
APT attackers, as defined in the report, maintain their presence within a compromised network and, once removed, repeatedly seek to regain access. They also have a clear idea of the kind of victims they are looking for, operating as a group that targets government, defense organizations, and financial, marketing and research industries.
According to Mandiant, the takeaway from the study is clear: organizations cannot rely solely on standard network monitoring to sufficiently detect and respond to the threats, but must take extra steps to make it difficult for the APT intruders to stay in the breached network, ultimately making themselves “too expensive” to attack.
“Understanding the full dimensions of a malicious attack makes recovery easier, while a hasty response can allow some compromised assets to go undetected,” the report concludes.