The Twitter Underground Economy: A Blooming Business

— A study on Dealers, Abusers and fake Twitter Accounts

by Jason Ding, Research Scientist

Many people dream of becoming popular or famous, and Twitter provides an outlet to make this possible. Most Twitter users try the standard way to get popular and gain followers: constantly tweet funny quotes or comments, discuss breaking events, or disclose information that many people want (like Guy Adams did). However, some Twitter users look for unusual ways to make themselves appear more desirable and become popular faster. One of these ways is buying Twitter followers, which, right or wrong, is a significantly growing trend.

At Barracuda Labs, we consistently find and study fake profiles on social media platforms (reference our study on Facebook Fake Profiles at http://barracudalabs.com/fbinfographic/) in order to better protect our 150,000 customers from being phished or harmed. For the past 75 days, we have been investigating the business of trading Twitter followers on eBay and other websites searched from Google. As it turns out, this underground economy on Twitter is blooming!

The results show that this Twitter business is growing very fast to form a series of underground markets. For a quick snapshot, please refer to our most recent infographic, The Underground Economy of Buying Twitter Followers, at http://barracudalabs.com/underground/.

The Study

As part of this study, beginning in May 2012, our team set up three Twitter accounts and purchased between 20,000 and 70,000 Twitter followers for each of them from eBay and another website searched from Google. After collecting these followers’ profiles via the Twitter API, as well as additional information from eBay sellers and Google search results, we found many interesting highlights of this business, summarized in 3 categories as follows.

Dealers (those users who create fake accounts and sell followings):
•    There are 20 eBay sellers and 58 websites (within top 100 returns of searching “buy twitter followers” in Google) where people can buy (fake) followers
•    Twitter username is used to purchase, no authentication is required
•    The average price of buying 1000 followers is $18
•    A...


New Insights on Maliciousness in Top-ranked Domains

by Paul Royal, Research Consultant

In March 2012, Barracuda Labs published its first report on observed maliciousness in Alexa top-ranked domains. This post continues that work and includes new measurements employed and the resulting discoveries made.

As a concise introduction, Barracuda uses a number of different research technologies to identify maliciousness on the web. One of these tools employs automated means to force a browser within a Windows virtual machine to visit a website, then looks at the network-level actions of the system to determine whether a drive-by download occurred. Earlier this year, we began examining the Alexa top 25,000 most popular websites each day. Once a domain is identified as resulting in a drive-by download, we use properties of the Alexa rankings system to conservatively and accurately estimate the number of users served malicious content, as well as the subset that were likely compromised. Granular details of this process are provided in our previous report.

We look at some of the same items in this study, but also delve further into the data to examine recurring maliciousness for a given domain, the use of ad networks as entry points to drive-by downloads, and the use of Java in exploit sites.

For the statistics we reexamine, the numbers for May 2012 affirm the observations made earlier. In May 2012, 39 of the Alexa top 25,000 websites, when visited, served drive-by downloads for at least one day. Over 7.8 million users were served malicious content; of these users, over 1.2 million were likely compromised. At least one Alexa top-ranked domain served malicious content 26 (or 83.8%) of the days in May. The sites involved spanned 13 countries, and once again, over 97% of the sites were at least one year old.

One of the new measurements we conducted takes a first look at recurring maliciousness. Of the 39 top-ranked domains found to result in drive-by downloads in May 2012, 11 (or 28%) yielded malicious content for more than one day. In the case of Herald Media’s news portal (heraldm.com, discussed separately),...


Maliciousness in Top-ranked Alexa Domains

by Paul Royal, Research Consultant

For the infographic associated with this post, see http://www.barracudalabs.com/goodsitesbad.

At Barracuda Labs, we use a variety of research technologies to identify and study maliciousness on the web. One of these tools is an automated system that forces a web browser inside a Windows virtual machine to visit a URL to see what happens to the browser, its plugins, and the operating system. The resulting network-level actions of the virtual machine help us determine, without prior knowledge of specific exploits served to the browser or its extensions, whether a URL serves malicious content.

A few months ago we began using the above-described system to examine the Alexa 25,000 most popular domains. As these sites are popular and long-lived, many people assume that it is safe to visit them. However, automated examination of the Alexa top 25,000 each day for the month of February 2012, which found 58 sites serving drive-by download exploits, shows that this assumption does not always hold.

While Alexa does not publish the total number of page views it uses to determine site rankings, there exists sufficient information to determine that number. As an example, Wikipedia, which represented ~0.54% of total Alexa views in February 2012, reported ~15.75 billion views for the previous month. Working backwards, we can thus calculate that Alexa used an average of (15,756 * 1,000,000)/(29 * (0.5416/100)) = ~100.31 billion views each day to rank the popularity of websites.

Using the above number, we can calculate the affected views for a given site in a 24-hour period. As an example, free-tv-video-online[.]me, which via an ad network served visitors malicious content on February 13, represented ~0.0053% of the total Alexa views, which yields 5,366,895 affected views for that day. However, to estimate how many users were served exploit content, this number must be adjusted to account for the average number of views per user. Fortunately, Alexa makes this information available. Continuing with the example, free-tv-video-online[.]me has an average of 7.2 views per user. Thus, for this...


Attackers Use Fake Friends to Blend into Facebook

FOR IMMEDIATE RELEASE

Attackers Use Fake Friends to Blend into Facebook

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to carry out their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account...


The more connected the more vulnerable

by Daniel Peck, Research Scientist

The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems like more than 90% of people on the network are separated by only four degrees, meaning that any person A has a friend that knows a friend of Person B.

Interesting in and of itself, this shows how social networking is used to connect to people with whom you have very little in common, perhaps enjoying similar music, enjoying the same food, or liking the same apps/games on Facebook. Something like mini ad-hoc Farmville Fan Clubs. And that is neat: the more connected we are to one another, then maybe the more we’ll understand each other.

That said, this amount of connectedness has a price in the realm of trust, especially with regards to anomaly detection and behavioral classifying. The network doesn’t distinguish the levels of trust/friendship that we have in the real world. This is likely a necessary level of abstraction, and we don’t have a leaderboard of friends’ trust levels, but you have an internal model that allows you to weigh “truths” differently based on whether it came from a long-time friend versus someone you met because you attended a one-day class together.

Software can’t know these levels, at least not without an unreasonable level of training from the user, so for the purposes of behavioral classification it has to use more derived variables, like connectedness, on the social graph. As this collapses, these variables become less valuable, and may introduce false levels of trust within your real circle of friends. We’ve seen this become increasingly popular with spammers working through fake accounts. Usually the steps go something like this:
•    An account is created with a profile listing that they went to “Generic State U”
•    A few...


Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

View the Infographic – http://www.barracudalabs.com/SNS
View the Report – http://www.barracudalabs.com/SNSreport

Campbell, Calif. (Oct. 12, 2011) – Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:
Infographic – http://www.barracudalabs.com/SNS
Report – http://www.barracudalabs.com/SNSreport

About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical...
