Hackers Using Automation, Geolocation in Social Networking Attacks

MOSCOW — Attackers have been focusing a lot of attention on social networking destinations such as Facebook, Twitter and even LinkedIn for some time now, but they recently have begun shifting their tactics to make their attacks much more effective and precise through the use of geolocation and profiling.

Like attacks on other platforms such as email and IM, the first couple of generations of attacks on social networking sites used a shotgun approach: target a huge number of users and hope that a small percentage of them fall for it. The Koobface worm, Twitter spam and porn bots all relied on this tactic, with pretty good results. Koobface’s various iterations have infected millions of Facebook users, and there have been a couple of fairly effective phishing campaigns on Twitter.

But users have been quick to catch on to those techniques, and attackers have begun to fine-tune their tactics to make their attacks more focused and effective, experts say. The most effective refinement right now is geolocation combined with profiling of users.

“We have really started to see a lot of attackers using geolocation for targeted attacks on social networking sites to better craft the social engineering story,” Stefan Tanase, senior regional researcher on Kaspersky Lab’s Global Research & Analysis Team, said in a talk at the company’s international press briefings here. “They’re using language targeting and looking at profiles and interests to make it work.”

There has been a major increase in the volume of malware targeting social networking sites in the last year. As more and more users have flocked to Twitter and similar sites, the number of malware samples targeting those users has grown from fewer than 30,000 in 2008 to more than 60,000 in 2009, Tanase said.

The nature of sites such as Twitter and Facebook, where users post intimate details of their lives, including hobbies, job information and birthdays, makes these attacks easy to implement. Attackers can sift through users’ profiles for specific interests, where they live and what they do in their spare time, and then aim tailored phishing and drive-by attacks at a small group of users in a specific city.

Tanase showed an example of a phishing campaign that used a fake Reuters site carrying a news article purporting to be about a bomb blast in Bangalore. When a visitor arrived from somewhere else, the headline was swapped to Moscow, Berlin, Chicago or whatever city matched the visitor’s IP address, so every target saw a local story behind the same URL.
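The following is an added example, not code from the article or from Kaspersky Lab. It models the mechanism Tanase described (one URL, a headline that changes with the visitor’s IP address) and the check a defender can run against it: fetch the suspect page from several vantage points and flag content that varies by source location. The GeoIP table, IP prefixes, template text and function names are all constructed for illustration; a real kit would query a GeoIP database and a real check would issue HTTP requests through proxies or cloud regions instead of calling the renderer directly.

```python
"""Geo-targeted lure and a defender-side check for it.

Added example, not code from the article or from Kaspersky Lab. Everything
below is constructed: the GeoIP table is a toy stand-in for a real GeoIP
database, and the headline template is a hypothetical lure.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Set

# Constructed toy GeoIP table: RFC 5737 documentation prefixes mapped to
# made-up cities. A real kit would query a GeoIP database instead.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Bangalore"),
    (ipaddress.ip_network("198.51.100.0/24"), "Moscow"),
    (ipaddress.ip_network("192.0.2.0/24"), "Chicago"),
]
# The article's original city, shown when the lookup fails.
DEFAULT_CITY = "Bangalore"

# Hypothetical lure template; the {city} slot is the only thing that changes.
HEADLINE_TEMPLATE = "BREAKING: Bomb blast rocks {city}"


def lookup_city(client_ip: str) -> str:
    """Map a visitor IP to a city; fall back to the default when unknown."""
    addr = ipaddress.ip_address(client_ip)
    for network, city in GEOIP_TABLE:
        if addr in network:
            return city
    return DEFAULT_CITY


def render_lure(client_ip: str) -> str:
    """Attacker side: the same URL yields a city-specific headline."""
    return HEADLINE_TEMPLATE.format(city=lookup_city(client_ip))


def fetch_from_vantages(fetch: Callable[[str], str],
                        vantage_ips: Iterable[str]) -> Dict[str, str]:
    """Defender side: fetch the suspect page as seen from several source IPs.

    `fetch` stands in for an HTTP GET issued from each vantage point (proxy,
    cloud region, VPN exit). Here it is the lure renderer itself so the
    example runs offline.
    """
    return {ip: fetch(ip) for ip in vantage_ips}


def differing_words(bodies: Dict[str, str]) -> Set[str]:
    """Words present in some variants but not all: the substituted slot."""
    word_sets = [set(body.split()) for body in bodies.values()]
    if not word_sets:
        return set()
    return set.union(*word_sets) - set.intersection(*word_sets)


def is_geo_targeted(bodies: Dict[str, str]) -> bool:
    """Flag a page whose body changes with the requesting location."""
    return len(set(bodies.values())) > 1


if __name__ == "__main__":
    vantages = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "10.1.2.3"]
    seen = fetch_from_vantages(render_lure, vantages)
    for ip, body in seen.items():
        print(f"{ip:>15}  {body}")
    print("geo-targeted:", is_geo_targeted(seen))
    print("substituted slot:", sorted(differing_words(seen)))
```

Treat a positive result as a triage signal rather than proof: the article itself notes that legitimate advertisers and news sites localize content, so combine the check with indicators such as a domain that does not belong to the brand being imitated. Since Tanase also mentions language targeting, vary the Accept-Language header across fetches as well as the source IP.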

Advertisers have been using similar techniques to target their messages to local users on news sites, Facebook and elsewhere, and it’s turned out to be a very effective tactic. And if it works for legitimate advertisers, there’s no reason to think the attackers won’t see the same results, Tanase said.

“If the advertisers are doing it, and it’s working, there’s no reason the bad guys won’t,” he said. “They’re now automating the targeted attacks. That’s a dangerous thing. The complexity of these attacks will get bigger and bigger and the social engineering attacks are getting more complicated.”

  • Anonymous on

    I have used Kaspersky Internet Security with very good results for over 3 years.  I have been told that it is Russian-developed software.  I just started to receive your Threatpost and here is an item detailing Russian threats.   YIPE!!  Am I paying to have the fox watch my henhouse????

  • Anonymous on

    I used to wonder about using an antivirus program that is foreign. 

    I think that we are not giving the AV company enough credit when we wonder about their safety.  Any AV company that has been around more than a couple of years is a serious business.  A serious business wants to do as good a job for its customers as possible.  Some AVs have even said that if the authorities ask them to put in a back door, they will refuse and, furthermore, they will get signatures for any such backdoors they find out there--even if it is from the authorities. 

    On the other hand, if a real war breaks out, I suppose it could be different.  In that case, you would probably want an AV program that is local for you, or one of the free, world-wide antivirus programs (ClamWin with the Clam Sentinel front end comes to mind).


  • Anonymous on

    Long story about the hackings.   I have been targeted since Aug of 2008.  I have stories to tell.  I am the command and control center for the botnet, I learned.  Every flaw I found, they fixed automatically.  All the exploits you are figuring out I experienced over a year ago.  There is more to it.  Example: the worm hacked my phone service, even shut down Airtel in Montana 2 months after I joined.  My phone was sending dual-band packets hacking anyone I talk to.    The actual hackings you are experiencing are the secondary exploits.  The main worm is still undetectable and uses hardware on the motherboard to get it.  They get in by sending radio frequency packets into hardware that has been ignored.  Every antivirus or firewall I use doesn't detect anything.  When Kaspersky 2010 came out, it detected over 60 generic keyloggers, resulting in drivers being able to be updated.  Shortly after, the hacker fixed it where even Kaspersky didn't work.   The worm and exploits keep coming back because the global worm hasn't even been addressed. 


    Facebook and Twitter and a lot of others have been hacked freely way before April first.  I know this due to hash codes left from the hacker.     The worm is a backdoor that was injected into all machines April first using the Confickers as decoys, which were made detectable on purpose. 

    I'm still fighting it today and just now getting help.   I was being intercepted, and when I do get through, the hacker goes into any server and changes any info, wiping my attempts.

    When I got a hold of the FBI, they got hacked.  I had 6 sites that followed me.  I have been receiving over 2000 incoming IPs 24/7, which started in February of 2009.     I talked to Microsoft's chief engineer, who told me to get a hold of Ed Gibson, who can help, but I can't find his info. 


  • Ed Gibson on

    Hi - please feel free to contact me at EdGibson0105@hotmail.com - I have now returned to the United States (Washington DC metro area).  Happy to help if I can.

    Edward P Gibson  www.linkedin.com/in/edthefed 

  • antihacker101 on

    Thanks for the info on Ed; he may be the only one that can help me in my situation.  I believe I have been targeted due to fighting hackers over 10 years ago on AOL in a programming room.   The info of my DNS matched whois info I viewed by a hacker that made a similar worm that stole money and sent it to an overseas account.   The IPs were validated by both sides (ISP and company of hacker) to be wrong. 


    Again, thanks.

  • Emily Sandstrom on

    'Takes one to know one.'  Kaspersky has NO customer service for retail: they cater only to commercial accounts.  I bought a 5-year multi-computer version and ditched it in two months!  3 thumbs down!
