Friend-in-the-middle Attacks. Technical Report TR-SBA-Research-0710-01

In the ongoing arms race between spammers and the multimillion-dollar anti-spam industry, the volume of unsolicited e-mail (better known as “spam”) and of phishing has increased heavily over the last decade. In this paper we show that our novel friend-in-the-middle attack on social networking sites (SNSs) can be used to harvest social data in an automated fashion. This social data can then be exploited for large-scale attacks such as context-aware spam and social phishing. We demonstrate the feasibility of our attack using Facebook as an example and identify possible consequences based on a mathematical model and simulations. Alarmingly, all major SNSs are vulnerable to our attack, as they fail to secure the network layer appropriately.
