Hitchbot - Delivering Malicious URLs via Social Hitch-Hiking

In order to spread malware more effectively, hackers have started to target popular social networking services (SNS) due to the inherent trust-relationship between the SNS users and the interactive nature of the services. A common attacking approach is for a malware to automatically login using stolen SNS user credentials and then deliver malicious weblinks (Uniform Resource Locators (URLs)) to the people on the contact/friend-list of the stolen user account by embedding them in some short messages. The victim then gets infected by clicking on the links thought to be delivered by their friends. However, for this approach to be effective, the malware has to mimic human-like behavior which can be quite challenging for anything beyond one or two-liner conversations. In this paper, we introduce Hitchbot, which uses a stealthier way to deliver malicious URLs by hitch-hiking on legitimate conversations among SNS users. In particular, when a SNS user sends a web-link/URL to his/her friends, Hitchbot will quietly replace it with a similar-looking, but malicious one by intercepting the link at one of the several possible points along the interactive input/output chain of the system. Since the malicious link is delivered within some proper conversation context between the legitimate users, this makes it much more difficult for the victim (as well as the innocent spreader) to realize the attack and thus can increase the conversion rate while reducing the rate of being detected substantially. The social hitch-hiking approach also enables Hitchbot to bypass most existing defense schemes which mainly rely on anomaly detection for user- behavior or application/network traffic pattern. As a proof of concept, we have implemented Hitchbot as a client-based module to hitch-hike on common social networking services including the Yahoo and Microsoft Messaging clients and other web-browser-based social networking services such as Facebook and Myspace. To quantify the effectiveness of Hi- chbot, we have conducted experiments to measure the behavior of users in exchanging, handling and operating on URLs. Possible defense schemes for detecting social hitch-hiking attacks are also discussed.