Things may not be what they seem to be

January 22, 2020 by J-Wire Newsdesk

That video or picture you “liked” on social media of a cute dog, your favourite team or political candidate can actually be altered in a cyberattack to something completely different, detrimental and potentially criminal, according to cybersecurity researchers at Israel’s Ben-Gurion University of the Negev (BGU).

There are no indications that the posts were modified!
Likes and comments are retained!

The researchers looked at seven online platforms and identified similar serious weaknesses in the management of the posting systems of Facebook, Twitter and LinkedIn. Twitter does not permit changes to posts and, normally, Facebook and LinkedIn indicate a post has been edited. But this new attack overrides that.

“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” says Dr. Rami Puzis, a researcher in the BGU Department of Software and Information Systems Engineering.

“You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Australia vs. India, ISIS vs. Australia) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes.”

In this new study, published on arXiv.org, the researchers explain how they penetrated individual profiles and groups in several experiments and how the Online Social Network (OSN) attack, dubbed “Chameleon,” can be executed. The attack maliciously changes the way content is displayed publicly without any indication whatsoever that it was changed; a user only notices on logging back in and looking at the post. The post still retains the same likes and comments. (In the researchers’ Facebook demo, the picture and video of the candidate change every time the post is clicked or the page is refreshed, within 30 to 60 seconds.)

“Adversaries can misuse Chameleon posts to launch multiple types of social network scams. First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks,” Dr. Puzis says.

“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (posts, likes, links, etc.) by first disguising itself as popular content and then revealing its true self and retaining the collected interactions.”

Facebook and LinkedIn partially mitigate the problem of modifications made to posts after their publication by displaying an indication that a post was edited. Other OSNs, such as Twitter or Instagram, do not allow published posts to be edited. Nevertheless, the major OSNs (Facebook, Twitter and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows for changing the way a post is displayed without any indication that the target content of the URLs has been changed.

In Chameleon, the attacker first collects information about the victim, an individual. The attacker then creates Chameleon posts or profiles that contain the redirect links and attracts the victim’s attention to them, in a manner similar to phishing attacks. The Chameleon content builds trust within the OSN, collects social capital and interacts with the victims. This phase is very important for the success of both targeted and untargeted Chameleon attacks. It is similar to a general cloaking attack on the Web, but users’ trust in the OSN lowers the attack barrier.

BGU researchers have notified LinkedIn, Twitter and Facebook about the identified misuse. Facebook and Twitter run open bug-bounty programs, which often pay significant sums for disclosed vulnerabilities so that the platforms can fix bugs and improve their systems. LinkedIn has a closed team of white-hat hackers, but also accepts reports from outsiders without paying bounties.

Despite the significance of this issue, which has wide-ranging consequences in a well-targeted attack, the responses from all three social networks are concerning as far as protecting billions of platform users worldwide is concerned.

Facebook responded that the reported issue “appears to describe a phishing attack against Facebook users and infrastructure” and that “such issues do not qualify under our bug bounty program.”

Twitter acknowledged the problem and stated in an email, “This behaviour has been reported to us previously. While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.” Twitter relies on URL blacklisting implemented within their URL shortener to identify potentially harmful links and “warn users if they are navigating to a known malicious URL.”

The LinkedIn support team were willing to investigate this issue. After receiving further requested details they started their investigation on Dec 14, 2019. “We are waiting for updates any day now,” Dr. Puzis says.

To mitigate these issues, the BGU team recommends that practitioners and researchers immediately identify potential Chameleon profiles throughout the OSNs, and that they develop and incorporate redirect reputation mechanisms into the machine learning methods used to identify social network misuse. They should also include the Chameleon attack in security awareness programs alongside phishing and related scams.
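The redirect reputation mechanism recommended above, and the redirect-link mechanism described earlier, can be illustrated with a small monitor that records where a post’s link resolves when the post is first seen and re-resolves it later, flagging posts whose target changed after they accumulated likes. This is an added example, not the BGU researchers’ code; the redirect chains, URLs and post data are constructed in memory, and the `Post`, `resolve`, `observe`, `chameleon_score` and `flag_posts` names are the example’s own.

```python
from dataclasses import dataclass, field

@dataclass
class Post:
    post_id: str
    link: str                 # URL as published; may be a redirector
    likes: int = 0
    seen_targets: list = field(default_factory=list)  # final targets over time

def resolve(url, redirects, max_hops=10):
    """Follow a redirect chain given as a dict (url -> next url) and return
    the final URL. Raises on loops or chains longer than max_hops, which a
    real resolver following HTTP 3xx responses would also need to bound."""
    seen = set()
    for _ in range(max_hops):
        if url not in redirects:
            return url
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        url = redirects[url]
    raise ValueError("redirect chain too long")

def observe(post, redirects):
    """Resolve the post's link under the current redirect state and record it."""
    post.seen_targets.append(resolve(post.link, redirects))

def chameleon_score(post):
    """0.0 while the target never changed; otherwise the number of target
    changes weighted by the social capital (likes) already collected, so a
    link that flips after becoming popular ranks highest for review."""
    distinct = len(set(post.seen_targets))
    if distinct <= 1:
        return 0.0
    return float((distinct - 1) * (1 + post.likes))

def flag_posts(posts, threshold=0.0):
    """Return ids of posts whose score exceeds the threshold."""
    return [p.post_id for p in posts if chameleon_score(p) > threshold]

# Constructed sample: on day 1 the short link points at a kitten video; on
# day 2 the attacker repoints the same short link at different content.
REDIRECTS_DAY1 = {"https://short.example/k1": "https://cats.example/kitten.mp4"}
REDIRECTS_DAY2 = {"https://short.example/k1": "https://other.example/swap.mp4"}

if __name__ == "__main__":
    p = Post("p1", "https://short.example/k1", likes=120)
    observe(p, REDIRECTS_DAY1)
    observe(p, REDIRECTS_DAY2)
    print(flag_posts([p]))  # ['p1']
```

A production version would store the resolved target and a hash of the preview content per observation, and re-check links on a schedule weighted by how much engagement the post has gathered.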

“On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” says Dr. Puzis.

The BGU researchers will present the Chameleon attack paper at The Web Conference in Taipei, Taiwan on April 20-24.
