Waves of Twitter attacks erode trustworthiness of Tweets

September 26th, 2009

How much should you trust Tweets?

Much less so, after a swarm of tainted micro-postings inundated Twitter this past week. Popular social networks have become a major focal point for cyber scammers.

“We’re definitely seeing old email scams migrating over to Twitter and generally being adapted to all of the popular social networks,” Matt Marshall, VP of Security at Redspin, told LastWatchdog.

Facebook, MySpace, LinkedIn and other social nets have also been hit hard by corrupted messages and postings. But Twitter has increasingly borne the brunt — and is likely to remain a top target of hackers and cyber thieves, especially as the 2009 holiday shopping season rolls around.

“New media will likely continue to be used as a conduit to deliver misleading messages to unsuspecting users,” says Gerry Egan, Director, Symantec Security Response.

Tweets spread fake AV promos

It appears there were at least three Twitter attack waves launched by two separate criminal groups since Wednesday, 23-Sept-2009.

One wave keyed off of the top ten Twitter “trending topics” — subjects generating the most micro-posts globally.

This is the technique PandaLabs researcher Sean-Paul Correll first discovered in the wild last June, now much refined. The attackers have gone to some lengths to make their Twitter accounts and tainted micro-posts more believable.

“When I first discovered this in June, the malicious Twitter accounts used the stock background and avatars provided by Twitter,” says Correll. “The latest attack harnessed the ability to upload custom backgrounds and avatars before spamming out the malicious links. I’m sure it was the same crew.”

Another wave made copies of Tweets sent by real people — and resent them with links triggering fake antivirus pitches. The attackers “mass-created new Twitter accounts, probably with the help of CAPTCHA farms,” says Mikko Hypponen, senior analyst at F-Secure. “These accounts then took real Tweets sent by real people, changed the link to a malicious one and Tweeted them again.”

These two waves carried links that, if clicked on, triggered promotions for worthless antivirus protection. You can read more about the teeming scareware industry in LastWatchdog’s 10-June-2009 USA TODAY investigative cover story.

These two waves of Tweets spreading links to fake AV, as of this writing, were still ongoing.

So Twitter users need to be alert for accounts with names like biedermann1963, leibold989, schwalbe556, reiner938, Ulrick Olschewski or Bannan Lohrmann, originating from a U.S. city — with no followers. “It’s a fake account,” says Hypponen. “All links tweeted by these redirect to rogue sites.”

The fake AV software being pitched: Windows PC Defender. “We believe the same people behind this attack are also behind the major Blackhat SEO campaigns and the Koobface worm,” says PandaLabs’ Correll.
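As an added illustration of the replayed-Tweet wave described above (example code written for this page, not from the article or from any vendor quoted in it): a small Python check that groups Tweets whose text is identical once URLs are stripped, then flags zero-follower accounts that posted that text with a different link. The sample Tweets are constructed; the account names reuse those the article cites.

```python
import re
from collections import defaultdict

# Constructed sample data, not real Tweets: (account, follower count, text)
SAMPLE_TWEETS = [
    ("alice_real", 1200, "Loving the new coffee place downtown http://bit.ly/abc123"),
    ("biedermann1963", 0, "Loving the new coffee place downtown http://bit.ly/zzz999"),
    ("bob_real", 340, "Big game tonight, who is watching? http://bit.ly/game01"),
    ("leibold989", 0, "Big game tonight, who is watching? http://bit.ly/zzz998"),
    ("carol", 50, "Big game tonight, who is watching? http://bit.ly/game01"),  # ordinary retweet, same link
    ("dave", 12, "Just finished a 10k run"),  # no link at all
]

URL_RE = re.compile(r"https?://\S+")


def normalize(text):
    """Strip URLs and collapse whitespace so a copy with a swapped link compares equal."""
    return " ".join(URL_RE.sub("", text).split()).lower()


def find_replayed_tweets(tweets, max_followers=0):
    """Return sorted (account, url) pairs that look like replayed Tweets with a swapped link.

    A Tweet is flagged when the same text (ignoring URLs) was posted by another account
    with a different URL, and the poster has at most max_followers followers.
    """
    groups = defaultdict(list)
    for account, followers, text in tweets:
        urls = URL_RE.findall(text)
        if urls:
            groups[normalize(text)].append((account, followers, urls[0]))

    flagged = []
    for entries in groups.values():
        if len({u for _, _, u in entries}) < 2:
            continue  # every copy carries the same link: plain retweets, nothing to flag
        for account, followers, url in entries:
            others = {u for a, _, u in entries if a != account}
            if followers <= max_followers and url not in others:
                flagged.append((account, url))
    return sorted(flagged)


if __name__ == "__main__":
    for account, url in find_replayed_tweets(SAMPLE_TWEETS):
        print("suspect replay: %s -> %s" % (account, url))
```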

‘rolf’ DM Tweets steal passwords

In a separate attack, private micro-posts, called Direct Messages, were blasted out to individual Twitter members. In a refined variation of spear phishing, these DMs used a familiar social engineering ruse and distributed links designed to phish the recipient’s Twitter account password. The dangerous DM micro-blog looked like this:

Clicking on the shortened link takes the victim to a faked Twitter login page that looks like this:

The goal: to get the victim to type his or her account password. The account is then used to replicate the DM to all of the victim’s followers. This, of course, is the latest variant of the address replication technique pioneered by David Smith, author of the hallmark Melissa email worm, back in 1999.

“I wouldn’t be surprised if we see an increase of these types of attacks, given the seeming success of this one,” says Sophos researcher Beth Jones. “On the surface, the DM attack seemed to be relatively successful, as I saw a lot of people tweeting that they fell for it.”

PandaLabs’ technical director Luis Corrons created a Twitter account to test the fake sign-in page. Corrons entered his login username and password. Later, the account began sending money mule recruitment messages to others via DMs.

“That does not mean this was the only use of those accounts, but that is what we saw,” says Corrons. “Unfortunately, the page was closed before PandaLabs could take a screenshot of the Web site. The message read: ‘Would you like to work from home? Get $800 a week!’ plus the link.”

A money mule gets paid to set up online bank accounts into which crooks can extract funds wired from hijacked financial accounts. (Two examples: a German gang working with the ZeuS banking trojan creator, known as A-Z, pulled off an Ocean’s 11-like heist of $11 million, which LastWatchdog chronicled here; and another gang has been deploying the Clampi banking trojan to wire funds out of small business accounts into multiple mule accounts.)

Enigma Software researcher Natalia Alcantara archived Tweets (clarification: mashable.com actually gathered the Tweet samples, not Enigma. LW 30-Sept-2009) referencing the DM attacks:

  • “I got this, but I just deleted it and unfollowed who sent it to me.”
  • “I just saw one of those in my message box.”
  • “Already hit the link. Now what to do?”
  • “I fell for this about an hour ago.”
  • “Ugh — anything you can do if you did, stupidly, click on said link?”
  • “I fell for it too about 90 minutes ago.”
  • “I think this worm made a mess on my # of followers, I noticed it declined dramatically over the past hours.”
  • “Did a quick who is lookup — it’s from China and was registered today.”
  • “I fell for it 3 times.”

Alcantara has compiled this list of best practices for Twittering safely. It’s well thought out. And, necessarily, extensive.

Twitter’s culpability

Twitter’s media contact, Jenna Sampson, and co-founder, Biz Stone, declined to respond to requests to be interviewed by LastWatchdog. Perhaps Stone has decided that his 20-minute TV interview with PBS talk show host, Tavis Smiley, fulfills his duties for public disclosure about Twitter’s posture on security.

But we’ve arrived at a point where email spam filters, email black lists and general public wariness are generally keeping email scams in check. Meanwhile, Twitter could not have delivered a more tailor-made, fresh attack vector for cyber criminals.

Tweets slip across the Internet in real time with an intrinsic aura of trustworthiness. Web links are shortened so that the originating domain is obscured. And Twitter’s Application Programming Interfaces, or APIs, by design make it super easy for anyone to attach coding to its basic service.

Twitter declines to disclose how many active Twitter accounts exist. But it has become a media darling, and estimates of its user base range from 30 million to 45 million.

“Besides Facebook and its millions of members, you have Twitter with even more sparse requirements for a profile and easily incorporated APIs,” says Jamz Yaneza, Trend Micro researcher. “There are obvious good things that come out of ease of use, the bad guys however just as easily twist this for their own purposes.”

Forget about ‘warm and fluffy’

Sophos’ Jones says she has seen social media sites described as “warm, fluffy places on the internet where nothing bad happens; It’d be wonderful if that were the reality. I’d want to go there!”

The reality: Twitter, Facebook, MySpace, YouTube, Bebo, LinkedIn and other popular social sites are “really kind of the new frontier for cybercriminals,” says Jones. “It’s like the old days of email when you trusted your friends, your family, etc. You never dreamed anything malicious would come from them. People simply are trusting everything they see on these sites right now.”

Symantec executive Egan opines that Twitter is not at fault. “Twitter hasn’t done anything wrong and I’m sure is taking active steps to research what more they can do to protect its users,” he says. “This is simply another case where malicious attackers are using a neutral technology as a means to their deceptive ends.”

What side of this debate do you fall on? Please comment below.

Twitter graphics by Landon Acohido

–Byron Acohido

Chester Wisniewski - Sophos
Guest
Great article Byron, thought I would add some practical advice for users to help avoid being gamed by these social media hucksters:
1. Only provide your Twitter credentials to services using OAuth to obtain your ID. OAuth ensures your password is only sent to Twitter and still allows the service to perform the duties you assign it.
2. Don’t blindly click shortened URLs.
2a. Tinyurl.com offers the ability to get a preview using only Cookies in your browser at http://tinyurl.com/preview.php.
2b. Bit.ly offers a Firefox plugin to preview URLs as well at http://bit.ly/bitlyFirefox
2c. Clicking http://ow.ly links can be dangerous…
Dirk Knop
Guest
As Twitter and Facebook now seem to complement the well-known email attack vector to convince users to install malware or to phish for login data, some safety measures should be taken by the user. For example, usually the URL shortcut services used by twitter allow for configuring a preview before sending the browser to the actual site that is linked. With that real link it might be possible to detect a fraudulent URL. Also, never type in your password into alien sites – when you come from Twitter, why should you need to login again? Such behaviour should raise suspicion.…
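The preview-before-clicking advice in the comments above, together with the article’s point that shortened links obscure the originating domain, as an added example that is not part of the original post or of any comment: a Python resolver that follows a redirect chain hop by hop without loading the page, then checks whether the landing host really belongs to twitter.com rather than a look-alike. No network is used; the redirect table, its hostnames and the `fetch` parameter are constructed placeholders standing in for HEAD responses.

```python
from urllib.parse import urlparse, urljoin

# Constructed stand-in for HEAD responses: url -> (status, Location header or None).
# All hostnames here are invented placeholders, not real indicators.
FAKE_RESPONSES = {
    "http://short.example/rolf": (301, "http://redir.example/go?id=7"),
    "http://redir.example/go?id=7": (302, "/login"),          # relative Location
    "http://redir.example/login": (200, None),                # fake sign-in page
    "http://short.example/real": (301, "https://twitter.com/login"),
    "https://twitter.com/login": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop"),
    "http://short.example/lookalike": (301, "http://twitter.com.login.example/signin"),
    "http://twitter.com.login.example/signin": (200, None),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def resolve(url, fetch=lambda u: FAKE_RESPONSES.get(u, (404, None)), max_hops=5):
    """Follow redirects and return (final_url, hop_count) without rendering any page.

    Raises ValueError on a redirect loop or when max_hops is exceeded.
    """
    seen = []
    while len(seen) <= max_hops:
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.append(url)
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # handles relative Location headers
        else:
            return url, len(seen) - 1
    raise ValueError("more than %d redirects" % max_hops)


def is_expected_host(url, expected="twitter.com"):
    """True only for the expected domain or a real subdomain of it (not twitter.com.evil)."""
    host = (urlparse(url).hostname or "").lower()
    return host == expected or host.endswith("." + expected)


def check_short_link(url):
    """Expand a shortened link and report whether the landing host is trustworthy."""
    final, hops = resolve(url)
    return {"final": final, "hops": hops, "trusted": is_expected_host(final)}
```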
Lyle
Guest

Thanks for the article Byron. Always good to be aware of the latest tactics being used. The more people that use some caution the better it is for all of us. I run into people all the time who feel they are safe because they use this or that AV program.

Andrew Storms
Guest
The reality is that people are putting way too much trust in companies like Twitter because the service is new and fun and seemingly harmless. Twitter really has become the perfect Petri dish for all trust-based attacks. Every type of attack based on social relationships has immigrated to Twitter. For example, most people have at least heard about phishing and email attacks. Now these kinds of attacks also come in as Tweets, nothing else has changed. There’s nothing fancy here, just basic attacks that rely on exploitation of trusted relationships and they will keep coming in more sophisticated forms as…
Alexandru Catalin COSOI
Guest
Great article Byron! Even though the most evident emerging threat right now in social networks is the increasing number of URL shortening services, this appears to be a problem mostly on Twitter due to the 140 character limit on posts. This use of shortened URLs on other social networking sites such as Facebook or MySpace hasn’t been adopted by the masses yet. The most important aspect of social networks is trust. Even though email spam is annoying and can take up a lot of time, people usually have some idea if the email is spam or legitimate. In most spam…