Posted: 3 Min ReadProduct Insights

CloudSOC Detection and Prevention Mode

Auto Marketing Facebook Data Scraper Tool Distributed via OneDrive

Online Social Networks (OSNs) are increasingly being used to distribute malware, warez, and unsolicited tools,  and act as launch pads for third-party applications to scrape users’ data on the fly. Recently, attackers have also begun to exploit tools that were designed to extract data from OSNs for marketing purposes. The tools are used to gain access to the account of  a primary user and then crawl across all the other users present in the primary user’s network. They can then be used to exploit inherent flaws in OSNs to conduct unauthorized activity in the profiles.

What grounds should OSNs allow the extraction of data? From a data privacy point of view, that’s the biggest question. The answer is that OSNs are inherently prone to chain exploitation since the networks are built around users. The design complexity from a security point of view revolves around on the state of data transactions among different users and associated privacy controls. Considering the design of OSNs, securing data and maintaining privacy in them is a huge challenge. 

Recently, we have been noticing that compromised user accounts in cloud storage apps are being used to host and distribute malicious code. In this blog post, we will look at  a malicious tool named Auto Facebook Marketer, an executable file that was found to be hosted and distributed via MS OneDrive using cloud. The tool name highlights that the executable might be performing some unauthorized operations such as ad-injection from the end-user machine.

Analysis

The screenshot below shows an executable file hosted on OneDrive that is publicly accessible.
The screenshot below shows an executable file hosted on OneDrive that is publicly accessible.

Users can download this file if they have the URL. Originally, this data scraping tool was designed  to extract data from Facebook profiles for marketing and other legitimate purposes where users are looking to  determine users’ preferences, customize advertisements, etc.

In order to fully understand how the functionality of the tool can be exploited for nefarious purposes, we conducted a series of tests in a controlled environment.  A notification  window is shown below which highlights the properties of the executable. The Original filename parameter has a value of bot.exe.

As the name of the executable implies, Auto Facebook Marketer.exe, it is designed to perform some automated operations in the user’s Facebook account. It enables users to scrape data out of any Facebook account once credentials or profile information are provided.  The screenshot presented below highlights the different details visible to users that enables them to start scraping data. The tool also has embedded browsing functionality.

The screenshot below highlights how the tool can search for the specific pages, people, and groups associated with a specific user profile.

The tool also provides the ability to search and find profile URLs that are shared among the primary user’s peers and friends. The screenshot presented below reflects that option.

The tool can also automatically post the messages on the user’s behalf as shown below.

These types of tools are designed to mine the data from Facebook profiles on the fly, thereby using the obtained information for business specific tasks such as distributing targeted advertisements. Unfortunately, the application also has potential as a hacking tool.

Detection and Protection

The next question that needs to be asked is, can these types of tools be detected if shared via cloud apps to restrict the distribution? The answer is yes. CloudSOCs built in detection and prevention engine can quickly and easily do this job.   The CloudSOC content scanning engine detects these types of threats and enforces policies that  can also trigger  prevention controls. The screenshot presented below shows how CloudSOC can detect the distribution of these tools via O365.

Conclusion

Detecting and prevention of suspicious binaries and executable should be treated with utmost importance when the security posture of cloud apps is analyzed in the enterprise environment. The enterprises should have detection and prevention platform in place to restrict the distribution and sharing of suspicious (or malicious) file via cloud apps.

If you found this information useful, you may enjoy this blog by Samir Kapuria: 

The World's Third Largest Economy Continues to Grow and So Does Our Japanese Cyber Operations

About the Author

Aditya K Sood

Director of Security, Cloud Security

Aditya K. Sood is a director of cloud security at Symantec. Dr. Sood has research interests in cloud security, malware automation and analysis, application security and secure software design.

About the Author

Rehan Jalil

Senior Vice President and General Manager, Cloud Security

Rehan Jalil is senior vice president and general manager for Cloud Security at Symantec, leading cloud research and development and helping extend the reach of Symantec enterprise security products to the cloud.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.