Investigating Twitter Abuse, Part 1

Twitter is an important means of communication for many people, so it shouldn’t be a surprise that it has become a medium that is exploited by cybercriminals as well. Together with researchers from Deakin University, we have released an in-depth paper titled An In-Depth Analysis of Abuse on Twitter that looks at the scale of this threat.

To gather this information, we analyzed publicly accessible Tweets from a two-week period in 2013. Many of these we discarded, as they did not have any links. The majority of malicious Tweets contain some kind of malicious links, so we opted to focus on these alone.

We ended up gathering more than 570 million Tweets in total. Of these, we identified that more than 33 million – 5.8% of the total – had links to malicious content of some kind of another. Malicious content does not necessarily mean only malware: it can also mean links to spammed advertisements and phishing pages, among other threats. The data collection period was during a period when there was significant spam outbreak.

In practice, we identified several types of abuse on twitter, including:

Spam
Phishing
Links to malware
Accounts being stolen and suspended.

There are two distinct flavors of spam – traditional spam that uses hash tags, is very obvious, repetitive, and quickly gets shut down.

The second type is what we call “searchable spam”. Searchable spammed tweets are completely different. This is what they look like:

Figure 1. Searchable tweets

‘
These tweets are, in some ways, more akin to classified ads. They are typically used to promote pirated or fake copies of various items like:

cracked software
free movies
gadget knockoffs
homework solutions

Unlike the more “traditional” tweets, they did not make heavy use of hashtags. There is a strong Eastern European connection with these tweets as well: many are written in Russian, or hosted on servers in Russia or Ukraine.

This threat is much more low-profile than other attacks, and it shows: the probability of Twitter suspending accounts involved in this activity is lower than accounts involved in other malicious activities. All this is designed to avoid users reporting these tweets (and accounts).

In addition, half of the traffic to the sites advertised in these tweets don’t actually come from Russia. The users finding these tweets really are interested in what they “need”, even if they need automated translation tools to understand them.

Twitter accounts themselves are valuable targets for cybercriminals. As a result, various scams that try to get the user credentials of users are common as well. For example, compromised accounts will mention their friends in tweets (or send direct messages), that ask the user to click on a (shortened) URL. This link will eventually lead users to phishing pages that ask for the user’s Twitter account credentials.

Another way to gain access to Twitter accounts is the well-known follower scam. These scams lure users under the promise of more followers. Instead, they give attackers access to the user’s Twitter account.

In future posts, we will look at the regional differences in Twitter abuse, as well as possible solutions to the threat.

This research was supported by ARC Linkage Project LP120200266.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Investigating Twitter Abuse, Part 1