Topic: Social Bookmarking and Malicious Websites

[Amker]

On Friday the top story on the social bookmarking site reddit.com linked to a website that downloaded malware onto visitors’ computers. Social bookmarking sites like Reddit and Digg link to stories ranked by the popularity of these stories with their users. The malware on the site appeared to be a variant of Trojan.ByteVerify that downloaded more malicious programs onto the users’ machines.

It is interesting to consider how effective in spreading malware a link on a social bookmarking site is. How many infections can be achieved by a story linked to a popular social bookmarking site that installs malware on the viewer’s computer? The number of infections a malicious website can cause is the number of people who view the website multiplied by the fraction of these viewers who are susceptible to this malware.

E-Consultancy claims that if a page gets to the popular listing on Digg, over twelve thousand users can be expected to view the page. In a way similar to how spam is used to socially engineer people into running malware, it would be naïve to think that malware authors will not attempt to socially engineer these websites in an attempt to drive users to malicious websites.

How could a malware author attempt to make their page popular? The first strategy is to create many accounts and to use each to upvote the story to make it popular. This problem of cliques upvoting stories has been seen on social bookmarking sites in the past, and can be at least partly remedied.

The second strategy is to create an attention-grabbing story and headline. The users of each site have characteristics that could be exploited in order to increase the popularity of a story. For example, the headline “Hey, cool, someone wrote an article about Digg!” was suggested as a prototypically-popular Digg story. If malware authors start using social engineering principles to deliberately drive users to malicious website pages, they could increase infection rates.

The second question is how likely each view is to lead to infection. The users of social bookmarking sites tend to be technologically aware. This means they are likely to have up-to-date patches and antivirus definitions on their systems, and also likely to use different operating systems and browsers. The heterogeneous nature of the computing platforms used by the readers of social bookmarking sites means that any threat that solely targets one browser and one operating system will not infect the majority of the site’s users.

How can those who run social bookmarking sites reduce the risk that they will be used to lead visitors to malicious websites? One possible answer is to use an automated system to check if any site links are used to download software onto a user’s machine. A number of operating systems and browsers would need to be used to test that a site is not downloading malware. This makes such automation difficult.

Any of the many technically-aware users that use these sites could quickly discover that a website is malicious. This crowd wisdom could result in malicious web pages being buried or reported before they become popular. In the recent Reddit case this crowd wisdom did not discover the malicious website until it had become the most popular on the site. Once the users of Reddit recognised the malicious site it was rapidly removed from the Reddit listings.