Social Media Brings a New Wave of Threats, Part 2

May 9, 2011 - 1 Comment

The next wave of spam is now making its way into social networks. One example of this type of threat is the Koobface malware, distributed through social networks such as Facebook. Koobface tricked users into downloading the malware, which then spread via the network of trusted friends. (For more details please read Unsociable: Social Media Brings a New Wave of Threats)

Facebook recognized this malware was a major problem. The trick to solving it, though, was determining how to distinguish the behavior of a bot acting like a human from the behavior of a real human. The initial answer seemed clear: selectively use a “captcha.” A captcha is the image of squiggly letters or numbers with interspersed lines that websites use to verify the user is a real person, not a bot. It’s very difficult for a machine to read the captcha and enter the right characters. (IMHO it is difficult for a person to enter the right characters, too—so no wonder a bot can’t do it.)

The captcha was a very effective defense and stopped the spread of Koobface in its tracks. For about 48 hours. The attackers on the other end of the wire are very clever and massively motivated by money. So the bad guys found a way around the captchas. If a machine can’t break a captcha, they would use people. They set up a system where the malware would grab the captcha from the social site and send it out to a vast network of “captcha crackers.” This term refers to a group of people who read captchas and type in the numbers/letters in exchange for “compensation,” such as money, points on online games, or access to adult websites. What a world.

With an army of captcha crackers, the Koobface attacks began to spread again. As the social malware picked up steam, the captcha crackers were wildly busy earning their points. Ultimately, cracking captchas represented a cost to the attackers. So they came up with an even better idea. Instead of farming the captchas out to people who cracked them for money, they would trick the owner of the machine into helping. When Koobface was running a background session on Facebook and encountered a captcha, it would pop up a window with the Microsoft logo that said, “Your machine will shut down in 30 seconds. Enter this code to continue working.” It was brilliant social engineering; the ruse didn’t give users time to think—they had to enter that dang captcha, or else the machine would reboot.

The good news is that these types of attacks always have a weakness. In the case of Koobface, the command and control servers that orchestrated these attacks ultimately gave them away. Once security companies were able to identify the control servers for the attack, they could identify and block the attack, and the zombies (the infected machines) went quiet.

But Koobface illustrates several key points. First, social media is a rich feeding ground for malware attacks. Second, attackers are finding ways to personalize and target attacks. And third and perhaps most important, the people launching these attacks play by a different set of rules that ignores patents, copyrights, and ethics, but they are business-minded themselves. They know what we know: when large sums of money are involved, people have a strong motivation to innovate.

This blog was originally published on:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. I was wondering about a point that you bring up in this very interesting and a little disturbing article: these hackers, or whatever they are called, get paid big money to spread these worms, etc. Why would people want to pay another person to create hideous malware and worms? Who is motivated to pay money to do this, for example? I am quite naive, so please enlighten me.