Online Social Networks (OSNs) are increasingly being used to distribute malware, warez, and unsolicited tools, and act as launch pads for third-party applications to scrape users’ data on the fly. Recently, attackers have also begun to exploit tools that were designed to extract data from OSNs for marketing purposes. The tools are used to gain access to the account of a primary user and then crawl across all the other users present in the primary user’s network. They can then be used to exploit inherent flaws in OSNs to conduct unauthorized activity in the profiles.
On what grounds should OSNs allow the extraction of data? From a data privacy point of view, that is the biggest question. The answer is that OSNs are inherently prone to chain exploitation, since the networks are built around users and their connections. The design complexity, from a security point of view, revolves around the state of data transactions among different users and the privacy controls associated with them. Given this design, securing data and maintaining privacy in OSNs is a huge challenge.
Recently, we have been noticing that compromised user accounts in cloud storage apps are being used to host and distribute malicious code. In this blog post, we will look at a malicious tool named Auto Facebook Marketer, an executable file that was found to be hosted and distributed via MS OneDrive. The tool's name suggests that the executable may perform unauthorized operations, such as ad injection, from the end-user machine.
Anyone who has the URL can download this file. Originally, this data scraping tool was designed to extract data from Facebook profiles for marketing and other legitimate purposes, where the operator wants to determine users' preferences, customize advertisements, etc.
In order to fully understand how the functionality of the tool can be exploited for nefarious purposes, we conducted a series of tests in a controlled environment. The properties window shown below lists the executable's version information. Note that the Original filename field has a value of bot.exe, which differs from the name under which the file is distributed.
As the name of the executable, Auto Facebook Marketer.exe, implies, it is designed to perform automated operations in a user's Facebook account. It enables users to scrape data out of any Facebook account once credentials or profile information are provided. The screenshot presented below highlights the different fields visible to users that enable them to start scraping data. The tool also has embedded browsing functionality.
The screenshot below highlights how the tool can search for the specific pages, people, and groups associated with a specific user profile.
The tool also provides the ability to search and find profile URLs that are shared among the primary user’s peers and friends. The screenshot presented below reflects that option.
The tool can also automatically post messages on the user's behalf, as shown below.
These types of tools are designed to mine data from Facebook profiles on the fly and use the obtained information for business-specific tasks such as distributing targeted advertisements. Unfortunately, the application also has potential as a hacking tool.
Detection and Protection
The next question that needs to be asked is whether these types of tools can be detected when shared via cloud apps, so that their distribution can be restricted. The answer is yes. CloudSOC's built-in detection and prevention engine can quickly and easily do this job. The CloudSOC content scanning engine detects these types of threats and enforces policies that can also trigger prevention controls. The screenshot presented below shows how CloudSOC detects the distribution of these tools via O365.
Detection and prevention of suspicious binaries and executables should be treated with the utmost importance when the security posture of cloud apps is analyzed in the enterprise environment. Enterprises should have a detection and prevention platform in place to restrict the distribution and sharing of suspicious (or malicious) files via cloud apps.
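The two observations in this post, a file shared as Auto Facebook Marketer.exe whose version resource says its original filename is bot.exe, and a content scanner that inspects files shared via cloud apps, can be combined into a small triage check. The following is an added example written for this post; it is not the post's own code and not CloudSOC's engine, and the function names, the executable-extension list and the constructed sample blob are assumptions.

```python
import struct
# Hypothetical triage helper, added as an example; not code from the post or
# CloudSOC. It inspects a file shared through a cloud app and flags (1) PE content
# regardless of extension and (2) a shared filename that differs from the PE's
# embedded OriginalFilename string (the post's sample: "bot.exe" behind "Auto Facebook Marketer.exe").

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def original_filename(data: bytes):
    """Best-effort read of the VS_VERSIONINFO 'OriginalFilename' value by scanning for
    the UTF-16LE key rather than walking the resource tree; None if absent."""
    key = "OriginalFilename".encode("utf-16-le") + b"\0\0"
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    while data[pos:pos + 2] == b"\0\0":      # skip DWORD-alignment padding
        pos += 2
    units = []
    while pos + 1 < len(data) and data[pos:pos + 2] != b"\0\0":
        units.append(data[pos:pos + 2])      # one UTF-16 code unit at a time
        pos += 2
    return b"".join(units).decode("utf-16-le", errors="replace")

def assess_shared_file(filename: str, data: bytes) -> dict:
    """Verdict for one file-share event: {filename, is_pe, original_filename, flags}."""
    verdict = {"filename": filename, "is_pe": is_pe(data), "original_filename": None, "flags": []}
    if not verdict["is_pe"]:
        return verdict
    if not filename.lower().endswith((".exe", ".dll", ".scr", ".com")):
        verdict["flags"].append("executable content behind a non-executable extension")
    orig = original_filename(data)
    verdict["original_filename"] = orig
    if orig and orig.lower() != filename.lower():
        verdict["flags"].append(f"OriginalFilename '{orig}' differs from shared name '{filename}'")
    return verdict

def build_sample_pe() -> bytes:
    """Constructed minimal PE-like blob for testing (not a real executable)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after DOS header
    version = ("OriginalFilename".encode("utf-16-le") + b"\0\0" + b"\0\0"
               + "bot.exe".encode("utf-16-le") + b"\0\0")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + version
```

Run `assess_shared_file("Auto Facebook Marketer.exe", build_sample_pe())` to see the mismatch flagged; on real samples, treat the string scan as a triage hint and confirm with a full PE parser before acting on it.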