Researchers at the Technical University in Vienna have published details of an important evolution in Automated Social Engineering and proved the concept using IRC and Facebook chat.
Many of you will be familiar with the idea of spam bots when it comes to real-time chat; if not, I detailed a Facebook-related scam a while back that took advantage of this technique.
Classical chat spam bots operate in four distinct modes, which the research paper describes as “Periodic bots”, which simply post spam messages at regular intervals; “Random bots”, which post messages at random intervals; “Responder bots”, which automate replies to other users’ messages; and “Replay bots”, which, as the name implies, simply replay previously recorded conversations.
The problem that scammers and criminals have to overcome with these technologies is the effectiveness of our natural suspicion and intuition. It turns out that, in the main, humans are particularly good at spotting when they are being spoken to by a computer. The researchers from Vienna have devised a way to overcome these natural defenses.
The paper details an application they call Honeybot, which acts as a man-in-the-middle between two human correspondents, intercepting, diverting and, crucially, modifying messages sent between them in order to direct the conversation and engineer the victims into clicking links that have been inserted by the attackers. According to the paper:
“The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:
- bot -> Alice: Hi!
- Alice -> bot: hello
- bot -> Carl: hello
- Carl -> bot: hi there, how are you?
- bot -> Alice: hi there, how are you?
- Alice -> bot: . . .
The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle.”
Not only are all communications proxied, but the bot can also guess at the respective genders of the victims, use questions to take control of the direction of the conversation (usually to engineer a scenario where a link would normally be posted), or simply replace links posted by one victim with pre-configured malicious links.
In their testing, the researchers inserted three different kinds of link (a simple IP address, a TinyURL shortened link and a MySpace link) into conversations on three different IRC channels, and they recorded up to an impressive 76% click-through. In a similar but more limited experiment using Facebook chat, the click-through rate was still impressive at 40%.
With those kinds of results, surely we can expect to see this kind of technology incorporated into cybercriminal campaigns in the very near future. Just like your mother always told you, don’t talk to strangers! In those situations where you really have to, then this is just one more reason to ensure that your security solution of choice is scanning for malicious URLs in real-time…
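As an added illustration of that last point (this is not code from the paper or from any security product), the sketch below shows a chat client-side filter that pulls links out of private messages and holds the opaque kinds used in the experiment, raw IP addresses and shortened URLs, when they arrive from someone outside the user's contact list. The function names, the shortener list and the sample messages are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: illustrative shortener list, not taken from the paper.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

def classify_host(host):
    """Return 'unparsed', 'raw-ip', 'shortener' or 'named' for a URL host."""
    host = host.lower().rstrip(".")
    if not host:
        return "unparsed"
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return "raw-ip"
    except ValueError:
        pass
    if host.startswith("www."):
        host = host[4:]
    return "shortener" if host in SHORTENERS else "named"

def scan_message(sender, text, contacts):
    """Return one finding per link found in a private chat message."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # e.g. malformed IPv6 brackets
            host = ""
        kind = classify_host(host)
        # Every link still goes to URL reputation scanning; links that hide
        # their destination are held when the sender is not a known contact.
        hold = sender not in contacts and kind != "named"
        findings.append({"url": url, "host": host, "kind": kind, "hold": hold})
    return findings

# Constructed sample messages (documentation IP range, made-up paths).
SAMPLE = [
    ("stranger42", "look at http://192.0.2.10/pic.jpg and http://tinyurl.com/example!"),
    ("stranger42", "my profile: www.myspace.com/example-profile"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE:
        for finding in scan_message(sender, text, contacts={"alice"}):
            print(sender, finding)
```

A named link such as the MySpace one is not held by this filter, which is why it only complements real-time URL reputation scanning rather than replacing it.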