When Malware Distributes Links Though Social Networks

On-line social networking sites are an attractive venue for spreading malicious links, because of the increasing amount of time people spend there. Moreover, these sites are becoming more effective for distributing links than email because of the relative sophistication of spam-fighting tools.

How will the attackers’ use of social networks for spreading links affect the way we conduct ourselves on line? What tools will we need to safeguard our activities?

Example: Koobface Propagates via Social Networks

Koobface is probably the best-known piece of malware that uses social networks, such as Facebook and Twitter, to propagate. When a person’s system is infected with Koobface, the worm accesses the user social networking account and send a message to the victim’s friends or followers with a link. When someone clicks the link, the person is directed to a website that attempts to infect the visitor with Koobface.

Koobface authors employ creative techniques to social-engineer people into clicking the link and to bypass security measures. For instance, Websense documented how Koobface might share a purposefully broken link to avoid Facebook’s URL filters. In this scenario the attacker expects that the victim’s desire to visit the destination will lead him to manually fix the link and paste the URL directly in the browser.

People Won’t Stop Clicking on Links

Malware spreads with ease on social networks, because people frequently use them for sharing links to websites, articles, videos and stories that they like. Since the links are seen as being distributed by a friend, many people click on them.

We used to advise caution when opening email attachments. That wasn’t very helpful advice, because people exchange email with strangers quite often. Moreover, attackers began sending malicious attachments from email accounts familiar to the recipient.

Similarly, people will continue clicking on links shared on social networking sites, even as people become increasingly aware of the risks. It’s in our nature to be curious. Perhaps if Descartes were alive today, he might proclaim: Clicco ergo sum!

Securing Clicks on Social Networking Sites

Much like we’ve developed sophisticated tools for dealing with unwanted email messages, we will need better tools for sifting through links exchanged on social networks. These tools might:

  • Flag anomalies in the frequency, time and characteristics of the links shared by our friends.
  • Assess the social network reputation of the person sharing the link.
  • Examine the destination of the link for malicious code.
  • Look up the link in the list of known good or bad links.
  • Identify web pages that attempt to mimic the look of a legitimate social networking site

Social networking sites are performing a level review of the links shared by the users, and probably incorporate some of these elements. In addition, users can install local link-validation tools, such as SiteAdvisor. Anti-virus companies are also starting to experiment with social networking apps for safeguarding their users activities, such as BitDefender safego.

However, these security efforts are still relatively early in their development cycles. The issues associated with links distributed through social networks will probably get worse before getting better. Those looking for an idea for a security start-up might find an opportunity in this space.

This note is part of a 3-post series that reflects upon malware-related activities on on-line social networks and considers their implications. 2 other posts are:

  • When Bots Control Content on Social Networking Sites (to be published on January 18)
  • When Bots Chat With Social Network Participants (to be published on January 19)

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more