DOI: 10.1145/1526709.1526784
Research article

All your contacts are belong to us: automated identity theft attacks on social networks

Published: 20 April 2009

Abstract

Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week. Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts and to keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The first attack we present is the automated identity theft of existing user profiles and sending of friend requests to the contacts of the cloned victim. The hope, from the attacker's point of view, is that the contacted users simply trust and accept the friend request. By establishing a friendship relationship with the contacts of a victim, the attacker is able to access the sensitive personal information provided by them. In the second, more advanced attack we present, we show that it is effective and feasible to launch an automated, cross-site profile cloning attack. In this attack, we are able to automatically create a forged profile in a network where the victim is not registered yet and contact the victim's friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.
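The abstract describes an attacker who clones an existing profile and sends friend requests to the victim's contacts. As an added, defender-side example (not code from the paper), the check below scores an incoming friend request against the recipient's existing contacts: a requester whose display name duplicates an existing contact under a different user id, and who already shares a large fraction of the recipient's friends (the contacts who accepted the clone first), is flagged. All profiles, ids and thresholds are constructed for illustration.

```python
# Added example (not from the paper): heuristic check for profile-cloning
# friend requests. All profiles and user ids below are constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    name: str
    friends: set = field(default_factory=set)  # set of user_ids


def name_similarity(a: str, b: str) -> float:
    """Edit-distance similarity in [0, 1] after case/whitespace folding."""
    a, b = " ".join(a.casefold().split()), " ".join(b.casefold().split())
    if not a and not b:
        return 1.0
    prev = list(range(len(b) + 1))           # Levenshtein DP, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 1.0 - prev[-1] / max(len(a), len(b))


def assess_request(recipient, requester, profiles, name_threshold=0.85, mutual_threshold=0.5):
    """Score a friend request to `recipient` from `requester` (`profiles`: id -> Profile).

    Signature of the cloning attack: the requester's name matches an existing
    contact but the user_id differs, and the requester already shares many of
    the recipient's friends because those contacts accepted the clone earlier.
    """
    best_id, best_sim = None, 0.0
    for fid in recipient.friends:
        sim = name_similarity(requester.name, profiles[fid].name)
        if sim > best_sim:
            best_id, best_sim = fid, sim
    mutual = (len(requester.friends & recipient.friends) / len(recipient.friends)
              if recipient.friends else 0.0)
    duplicate = best_id is not None and best_id != requester.user_id and best_sim >= name_threshold
    verdict = "likely clone" if duplicate and mutual >= mutual_threshold else ("review" if duplicate else "ok")
    return {"duplicates_contact": best_id if duplicate else None,
            "name_similarity": round(best_sim, 3), "mutual_fraction": round(mutual, 3),
            "verdict": verdict}


if __name__ == "__main__":
    people = {p.user_id: p for p in [Profile("u1", "Alice Example", {"u2", "u3", "u4"}),
                                     Profile("u2", "Bob Mueller"), Profile("u3", "Carol Jones"),
                                     Profile("u4", "Dave Lee")]}
    clone = Profile("u9", "Bob  Mueller", {"u3", "u4"})   # same name as u2, different id
    print(assess_request(people["u1"], clone, people))    # verdict: likely clone
```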


Published In

WWW '09: Proceedings of the 18th International Conference on World Wide Web
April 2009, 1280 pages
ISBN: 9781605584874
DOI: 10.1145/1526709

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. identity theft
2. social network security


Acceptance Rates

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%
