On-line scammers use various venues to social-engineer their victims into compliance. Email has been the most popular platform for such interactions. Scammers have also been known to chat with their victims using "traditional" instant messaging networks, such as Yahoo! Messenger and Google Talk. As people increasingly turn to social networking sites for their interactions, so do the scammers.
How might scammers use automated chat bots to social engineer users on social networking sites? How might we prepare to deal with smart chat bots?
Non-Automated Scam Chats on Social Networks
With low-cost labor available throughout the world, scammers can employ humans to chat with victims while keeping their costs relatively low. One example of this was documented by Rakesh Agrawal, who described the classic "I'm stuck in London" scam being conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim’s friend. Here’s an excerpt from the chat transcript:
Matt: hi. whats up?
Rakesh: Hi Matt. Everything OK?
Matt: well,im really stuck here in london. i had to visit a resort here in london and i got robbed at the hotel im staying
The scammer was using Matt's Facebook account and, as far as I can tell, was a human being. However, such interactions could have easily been automated using a chat bot.
Automating Scam Interactions Using Chat Bots
The idea of chat bots is an old one, dating back to early implementations of ELIZA. According to Wikipedia, its most famous implementation was DOCTOR, which simulated human-like interactions with a psychotherapist. A scammer could use similar software to automate the bot’s chat interactions with victims. Though I haven’t witnessed an elaborate level of engagement by bots on social networking sites, attackers are starting to automate some aspects of Facebook chats.
For instance, a SANS Internet Storm Center reader reported receiving a Facebook chat message from a friend that started with "Hey [Name] you got a second?". When the person responded, the bot replied with "I can't score higher than 600 on the quiz, do you think you can?" and provided a link to a suspicious site. (For a transcript of a similar chat and more thoughts on chat bots, take a look at Chat Bots, Rise of the Cyborgs by Rik Ferguson.)
Along these lines, Chester Wisniewski outlined a network worm that was spreading on Facebook by using chat to distribute malicious links.
Perhaps more interestingly, here's an example of an AOL Instant Messenger bot that is a bit more advanced in its chatting abilities. This was reported on a discussion forum:
friend: what ya up to
victim: not much
victim: i got minecraft!
friend: you have to see this best buy is giving away giftcards still for a couple of days
victim: i live in germany
friend: if you hurry you can still get one i just signed up for mine its awesome look at this hxxp://bestuygiveaway.co.tv
The bot seems to be using a compromised AOL Instant Messenger account of the victim’s friend to social-engineer the person into visiting bestuygiveaway.co.tv.
It’s relatively easy to create a chat bot that is much more intelligent than the examples I've shown here. One of many ways to accomplish this is to use Pandorabots, which is an experimental (non-malicious) free chat bot hosting service.
A bot can easily tap into the Facebook chat platform, because Facebook supports the commonly used Jabber/XMPP protocol. To see how quickly someone can create a simple Facebook chat bot, take a look at the instructions published by Abhinav Singh.
How to Prepare for Dealing with Smarter Chat Bots
Though I haven't seen particularly smart chat bots trolling social networks yet, it's only a matter of time before scammers invest in more intelligent bots that are hard to distinguish from humans. With this in mind, it might be worth educating end-users that attackers may be able to use compromised social network accounts for malicious chats. Also, perhaps some day we will have tools that:
- Identify anomalies in the timing, word usage, grammar and other message characteristics to flag suspicious chat interactions.
- Interrupt a chat conversation to warn the end-user when he might be the subject of a scam.
- Alert when phrases known to be used by malicious chat bots come up in a chat conversation.
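As an added illustration of the first and third bullets above (example code, not part of the original post), here is a small heuristic scorer that flags chat messages on three signals: scam phrasing, links to domains the contact has not shared before, and long replies that arrive faster than a human could type them. The phrase list is lifted from the chats quoted in this post; the 2-second latency cutoff and the timestamps in the sample transcript are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Phrases taken from the scam chats quoted in this post; a real tool would
# maintain this list from observed malicious bot traffic.
SCAM_PHRASES = ("stuck here in", "got robbed", "you got a second",
                "giving away", "if you hurry", "signed up for mine",
                "still for a couple of days")
URL_RE = re.compile(r"(?:hxxps?|https?)://([\w.-]+)", re.IGNORECASE)
# Assumed tuning knob: a long reply faster than this is suspicious.
MIN_HUMAN_REPLY = timedelta(seconds=2)

def score_message(msg, prev, known_domains=()):
    """Score one message given the previous one; returns (score, reasons).
    msg/prev are dicts {"who": str, "at": datetime, "text": str}."""
    reasons = []
    hits = [p for p in SCAM_PHRASES if p in msg["text"].lower()]
    if hits:
        reasons.append("scam phrasing: " + ", ".join(hits))
    for domain in URL_RE.findall(msg["text"]):
        if domain.lower() not in known_domains:
            reasons.append("link to unrecognised domain: " + domain)
    if prev and prev["who"] != msg["who"]:
        gap = msg["at"] - prev["at"]
        if gap < MIN_HUMAN_REPLY and len(msg["text"]) > 40:
            reasons.append("long reply in %.1fs" % gap.total_seconds())
    return len(reasons), reasons

def flag_conversation(messages, threshold=2, known_domains=()):
    """Return (who, text, reasons) for messages reaching the threshold."""
    flagged, prev = [], None
    for msg in messages:
        score, reasons = score_message(msg, prev, known_domains)
        if score >= threshold:
            flagged.append((msg["who"], msg["text"], reasons))
        prev = msg
    return flagged

# Constructed transcript modelled on the AIM exchange quoted above;
# the timestamps are made up for this example.
t0 = datetime(2011, 1, 1, 12, 0, 0)
SAMPLE = [
    {"who": "friend", "at": t0, "text": "what ya up to"},
    {"who": "victim", "at": t0 + timedelta(seconds=8), "text": "not much"},
    {"who": "victim", "at": t0 + timedelta(seconds=12), "text": "i got minecraft!"},
    {"who": "friend", "at": t0 + timedelta(seconds=13), "text": "you have to see this "
     "best buy is giving away giftcards still for a couple of days"},
    {"who": "victim", "at": t0 + timedelta(seconds=25), "text": "i live in germany"},
    {"who": "friend", "at": t0 + timedelta(seconds=26), "text": "if you hurry you can "
     "still get one i just signed up for mine its awesome look at this hxxp://bestuygiveaway.co.tv"},
]
```

Running `flag_conversation(SAMPLE)` flags only the two "friend" messages, each with the reasons that triggered it; the victim's short, slower replies score zero.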
Intelligent chat bots on social networks aren't an issue at the moment, as far as I know. However, I will be surprised if attackers don't move in this direction as we spend more time chatting with friends on social networking sites.
This note is part of a 4-post series that reflects on malware-related activities on on-line social networks and considers their implications. Other posts are:
- When Malware Distributes Links Through Social Networks
- When Bots Control Content on Social Networking Sites
- When Bots Use Social Media for Command and Control