Waves of Twitter attacks erode trustworthiness of Tweets

September 26th, 2009

How much should you trust Tweets?

Much less so, after a swarm of tainted micro-postings inundated Twitter this past week. Popular social networks have become a major focal point for cyber scammers.

“We’re definitely seeing old email scams migrating over to Twitter and generally being adapted to all of the popular social networks,” Matt Marshall, VP of Security at Redspin, told LastWatchdog.

Facebook, MySpace, LinkedIn and other social nets have also been hit hard by corrupted messages and postings. But Twitter has increasingly borne the brunt – and is likely to remain a top target of hackers and cyber thieves, especially as the 2009 holiday shopping season rolls around.

“New media will likely continue to be used as a conduit to deliver misleading messages to unsuspecting users,” says Gerry Egan, Director, Symantec Security Response.

Tweets spread fake AV promos

It appears there were at least three Twitter attack waves launched by two separate criminal groups since Wednesday, 23-Sept-2009.

One wave keyed off of the top ten Twitter “trending topics” — subjects generating the most micro-posts globally.

This is the technique PandaLabs researcher Sean-Paul Correll first discovered in the wild last June, now much refined. The attackers have gone through some lengths to make their Twitter accounts and tainted micro-posts more believable.

“When I first discovered this in June, the malicious Twitter accounts used the stock background and avatars provided by Twitter,” says Correll. “The latest attack harnessed the ability to upload custom backgrounds and avatars before spamming out the malicious links. I’m sure it was the same crew.”

Another wave made copies of Tweets sent by real people — and resent them with links triggering fake antivirus pitches. The attackers “mass-created new Twitter accounts, probably with the help of CAPTCHA farms,” says Mikko Hypponen, senior analyst at F-Secure. “These accounts then took real Tweets sent by real people, changed the link to a malicious one and Tweeted them again.”

These two waves carried links that, if clicked on, triggered promotions for worthless antivirus protection. You can read more about the teeming scareware industry in LastWatchdog’s 10-June-2009 USA TODAY investigative cover story.

These two waves of Tweets spreading links to fake AV, as of this writing, were still ongoing.

So Twitter users need to be alert for accounts with names like biedermann1963, leibold989, schwalbe556, reiner938, Ulrick Olschewski or Bannan Lohrmann, originating from a U.S. city — with no followers. “It’s a fake account,” says Hypponen. “All links tweeted by these redirect to rogue sites.”

The fake AV software being pitched: Windows PC Defender. “We believe the same people behind this attack are also behind the major Blackhat SEO campaigns and the Koobface worm,” says PandaLabs’ Correll.
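The indicators Hypponen and Correll describe (surname-plus-digits handles, zero followers, brand-new accounts, and real people’s Tweets re-sent with the link swapped for a shortened one) can be turned into a simple triage script. The following is an added example written for this article, not code from LastWatchdog, F-Secure or PandaLabs; the feed records and the `short.test` shortener host are constructed stand-ins for what a monitoring script would pull from the Twitter API.

```python
import re

# Constructed sample feed (not real Twitter data). Each record mimics the
# fields a monitoring script would pull via the API: handle, follower count,
# account age in days, profile location, and the tweet text with its link.
SAMPLE_FEED = [
    {"handle": "alice_dev", "followers": 412, "age_days": 900, "location": "Portland, OR",
     "text": "Great writeup on the new phone release http://example-news.test/phone"},
    {"handle": "schwalbe556", "followers": 0, "age_days": 0, "location": "Denver, CO",
     "text": "Great writeup on the new phone release http://short.test/x9q2"},
    {"handle": "reiner938", "followers": 0, "age_days": 1, "location": "Austin, TX",
     "text": "Trending now: #superhero trailer leaked http://short.test/k7f1"},
    {"handle": "bob_runs", "followers": 58, "age_days": 300, "location": "Boston, MA",
     "text": "Ran 10k this morning, legs are jelly"},
]

URL_RE = re.compile(r"https?://\S+")
# Handle shape named in the article: a surname followed by a short numeric suffix.
NAME_RE = re.compile(r"^[a-z]+\d{3,4}$")
SHORTENER_HOSTS = {"short.test"}  # constructed placeholder for URL shortener hosts


def account_score(rec):
    """Return (score, reasons) for one feed record using the indicators
    quoted in the article: throwaway-looking handle, zero followers,
    brand-new account, and a shortened link that hides the real domain."""
    reasons = []
    if NAME_RE.match(rec["handle"]):
        reasons.append("surname+digits handle")
    if rec["followers"] == 0:
        reasons.append("no followers")
    if rec["age_days"] <= 1:
        reasons.append("account created within a day")
    for url in URL_RE.findall(rec["text"]):
        host = url.split("/")[2]
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link")
            break
    return len(reasons), reasons


def normalize(text):
    """Strip URLs and collapse whitespace so copied tweets compare equal."""
    return " ".join(URL_RE.sub("", text).split()).lower()


def find_cloned_tweets(feed):
    """Find tweets whose text matches an earlier tweet from a different
    account but whose link differs: the copy-and-swap pattern."""
    seen = {}
    clones = []
    for rec in feed:
        links = URL_RE.findall(rec["text"])
        if not links:
            continue
        key = normalize(rec["text"])
        if key in seen:
            orig = seen[key]
            if orig["handle"] != rec["handle"] and URL_RE.findall(orig["text"]) != links:
                clones.append((orig["handle"], rec["handle"]))
        else:
            seen[key] = rec
    return clones


def triage(feed, threshold=2):
    """Accounts with at least `threshold` indicators plus any clone pairs."""
    flagged = [rec["handle"] for rec in feed if account_score(rec)[0] >= threshold]
    return {"flagged_accounts": flagged, "cloned_tweets": find_cloned_tweets(feed)}


if __name__ == "__main__":
    print(triage(SAMPLE_FEED))
```

The threshold is deliberately a score rather than a single rule: a legitimate new user also has no followers, so one indicator alone would flood a reviewer with false positives, while the combination of a fresh account, a templated handle and a shortened link is what the article’s researchers actually observed.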

‘rolf’ DM Tweets steal passwords

In a separate attack, private micro-posts, called Direct Messages, were blasted out to individual Twitter members. In a refined variation of spear phishing, these DMs used a familiar social engineering ruse and distributed links designed to phish the recipient’s Twitter account password. The dangerous DM micro-blog looked like this:

[Image: the malicious DM]

Clicking on the shortened link takes the victim to a faked Twitter login page that looks like this:

[Image: the fake Twitter sign-in page]

The goal: to get the victim to type his or her account password. The account is then used to replicate the DM to all of the victim’s followers. This, of course, is the latest variant of the address replication technique pioneered by David Smith, author of the hallmark Melissa email worm, back in 1999.

“I wouldn’t be surprised if we see an increase of these types of attacks, given the seeming success of this one,” says Sophos researcher Beth Jones. “On the surface, the DM attack seemed to be relatively successful, as I saw a lot of people tweeting that they fell for it.”

PandaLabs’ technical director Luis Corrons created a Twitter account to test the fake sign-in page. Corrons entered his login username and password. Later, his account began sending money mule recruitment messages to others via DMs.

“That does not mean this was the only use of those accounts, but that is what we saw,” says Corrons. “Unfortunately, the page was closed before PandaLabs could take a screenshot of the Web site. The message read: ‘Would you like to work from home? Get $800 a week!’ plus the link.”

A money mule gets paid to set up online bank accounts into which crooks can extract funds wired from stolen hijacked financial accounts. (Two examples: a German gang working with the ZeuS banking trojan creator, known as A-Z, pulled off an Ocean’s 11-like heist of $11 million, which LastWatchdog chronicled here; and another gang has been deploying the Clampi banking trojan to wire funds out of small business accounts into multiple mule accounts.)

Enigma Software researcher Natalia Alcantara archived Tweets (clarification: mashable.com actually gathered the Tweet samples, not Enigma. LW 30-Sept-2009) referencing the DM attacks:

  • “I got this, but I just deleted it and unfollowed who sent it to me.”
  • “I just saw one of those in my message box.”
  • “Already hit the link. Now what to do?”
  • “I fell for this about an hour ago.”
  • “Ugh — anything you can do if you did, stupidly, click on said link?”
  • “I fell for it too about 90 minutes ago.”
  • “I think this worm made a mess on my # of followers, I noticed it declined dramatically over the past hours.”
  • “Did a quick who is lookup — it’s from China and was registered today.”
  • “I fell for it 3 times.”

Alcantara has compiled this list of best practices for Twittering safely. It’s well thought out. And, necessarily, extensive.

Twitter’s culpability

Twitter’s media contact, Jenna Sampson, and co-founder, Biz Stone, declined to respond to requests to be interviewed by LastWatchdog. Perhaps Stone has decided that his 20-minute TV interview with PBS talk show host, Tavis Smiley, fulfills his duties for public disclosure about Twitter’s posture on security.

But we’ve arrived at a point where email spam filters, email black lists and general public wariness are generally keeping email scams in check. Meanwhile, Twitter could not have delivered a more tailor-made, fresh attack vector for cyber criminals.

Tweets slip across the Internet in real time with an intrinsic aura of trustworthiness. Web links are shortened so that the originating domain is obscured. And Twitter’s Application Programming Interfaces, or APIs, by design make it super easy for anyone to attach coding to its basic service.
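Two points on this page come down to the same check: the ‘rolf’ DM led through a shortened link to a login page that merely looked like Twitter, and shortened links in general hide the originating domain. The following added example (written for this article, not code from Twitter or any of the vendors quoted) follows a redirect chain and then verifies that the page a user is about to type a password into is really on the expected site. The redirect table and the `short.test`, `login-rolf.test` and `tvvitter.com` hosts are constructed stand-ins; a real implementation would obtain each hop from the HTTP Location header without following it automatically.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the 301/302 hops a URL
# shortener returns. Hostnames under .test are reserved placeholders.
REDIRECTS = {
    "http://short.test/abc": "http://twitter.com.login-rolf.test/signin",
    "http://short.test/def": "http://short.test/ghi",
    "http://short.test/ghi": "https://twitter.com/login",
    "http://short.test/loop": "http://short.test/loop",
}


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the chain without ever loading the final page.
    Returns (chain, status) where status is 'ok', 'loop' or 'too_many_hops'."""
    chain = [url]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            return chain, "loop"
        if len(chain) >= max_hops:
            return chain, "too_many_hops"
        chain.append(nxt)
    return chain, "ok"


def same_site(host, expected):
    """True only for the expected domain or one of its subdomains.
    'twitter.com.login-rolf.test' starts with the brand but is another site;
    'api.twitter.com' is a genuine subdomain."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess_login_link(url, expected="twitter.com"):
    """Resolve a link and decide whether it is safe to enter credentials."""
    chain, status = resolve(url)
    if status != "ok":
        return {"verdict": "suspicious", "reason": status, "chain": chain}
    final = urlparse(chain[-1])
    host = final.hostname or ""
    if not same_site(host, expected):
        return {"verdict": "phish",
                "reason": f"final host {host!r} is not {expected}", "chain": chain}
    if final.scheme != "https":
        return {"verdict": "suspicious",
                "reason": "login page not served over https", "chain": chain}
    return {"verdict": "ok", "reason": "final host matches expected site", "chain": chain}


if __name__ == "__main__":
    for link in ("http://short.test/abc", "http://short.test/def",
                 "http://short.test/loop", "http://tvvitter.com/login"):
        print(link, "->", assess_login_link(link))
```

The `same_site` comparison is the part most often done wrong: checking that a hostname *contains* or *starts with* the brand name accepts exactly the kind of lookalike the DM attack used, so the test anchors on the registered domain and its subdomains only.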

Twitter declines to disclose how many active Twitter accounts exist. But it has become a media darling, and estimates of its user base range from 30 million to 45 million.

“Besides Facebook and its millions of members, you have Twitter with even more sparse requirements for a profile and easily incorporated APIs,” says Jamz Yaneza, Trend Micro researcher. “There are obvious good things that come out of ease of use, the bad guys however just as easily twist this for their own purposes.”

Forget about ‘warm and fluffy’

Sophos’ Jones says she has seen social media sites described as “warm fluffy places on the internet where nothing bad happens; It’d be wonderful if that were the reality. I’d want to go there!”

The reality: Twitter, Facebook, MySpace, YouTube, Bebo, LinkedIn and other popular social sites are “really kind of the new frontier for cybercriminals,” says Jones. “It’s like the old days of email when you trusted your friends, your family, etc. You never dreamed anything malicious would come from them. People simply are trusting everything they see on these sites right now.”

Symantec executive Egan opines that Twitter is not at fault. “Twitter hasn’t done anything wrong and I’m sure is taking active steps to research what more they can do to protect its users,” he says. “This is simply another case where malicious attackers are using a neutral technology as a means to their deceptive ends.”

What side of this debate do you fall on? Please comment below.

Twitter graphics by Landon Acohido

–Byron Acohido