Investigating Twitter Abuse, Part 2

In the previous blog post of this series, I introduced our paper that looked at the threats in the Twitter landscape, and explained the various kinds of malicious tweets we’ve seen. In this post, we look at the scope and scale of these threats.

Malware Tweets

Users in the United States generally click the most links that go to malicious URLs from Twitter, whether they are phishing Tweets, Tweets with shortened URLs, or traditional spam. In one category, however, this was not the case. We identified a malware outbreak that targeted users in Middle Eastern countries. Users in Saudi Arabia, Egypt, and Sudan clicked the most links from tweets that led to malware; the United States was only fourth in this tally:

Figure 1. Countries clicking on Tweets leading to malware

Twitter Phishing

Twitter phishing is a threat that is well-known to many users. After all, many users frequently complain that their accounts have been “hacked”; in many cases these could be the result of phishing attacks.

Twitter phishing uses features of Twitter to make the scheme more effective. Imagine that Alice was phished on day one. The next day, Alice's account may send a phishing message to her friend Bob, which would look like:

@Bob lol this entry by you is cool short_{malicious domain}/123465

If Bob clicks on this link, he is shown a page claiming that his Twitter session has been logged out and that he needs to log in again. If he enters his username and password, he has been phished. His account will then send the same messages to his friends, and so on.

This phishing scheme was particularly effective at avoiding detection by security researchers. Characteristics of this scheme include:

  • Use of URL shorteners
  • Use of complex infection chains, similar to those used by exploit kits
  • Links sent to users via Tweets from compromised accounts

Some of the primary tools used by security researchers are honeypots, sandboxes and web reputation. Against this scheme, these techniques are ineffective for several reasons, including:

  • the messages are unlikely to arrive in honeypots, since the phishing messages are sent from one legitimate user to another legitimate user;
  • this method tricks users into giving up their credentials rather than dropping malware, so sandboxes are ineffective; and
  • the use of shortened URLs and complex infection chains makes web reputation technologies less effective.

Figure 2. Sample infection chain

We looked into the main phishing scheme attacking Twitter for a three-month period in 2014, from March 1 to June 1. On peak days, more than 20,000 accounts were used to send tweets with links to more than 13,000 distinct URLs.
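The volume figures above point at a campaign-level signal that does not depend on resolving the shortened link or seeing the landing page: many distinct accounts pushing the same short URL as replies on the same day, and recipients of those replies later sending the link themselves (the Alice-to-Bob propagation described earlier). The following is an added illustration of those two heuristics, not code from the paper or the post; the tweet records, the shortener host `short.example` and the URL paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample tweet records (sender, ISO timestamp, text); not real data.
# The shortener host and paths are placeholders, not real malicious domains.
TWEETS = [
    ("alice", "2014-03-10T09:01:00", "@bob lol this entry by you is cool http://short.example/123465"),
    ("carol", "2014-03-10T09:03:00", "@dave lol this entry by you is cool http://short.example/123465"),
    ("erin",  "2014-03-10T09:05:00", "@frank lol this entry by you is cool http://short.example/123465"),
    ("grace", "2014-03-10T10:00:00", "@heidi lol this entry by you is cool http://short.example/98765"),
    ("ivan",  "2014-03-10T11:00:00", "@judy great talk yesterday, slides at http://blog.example/slides"),
    ("bob",   "2014-03-11T08:00:00", "@oscar lol this entry by you is cool http://short.example/123465"),
]

# Assumed set of shortener hosts; a real deployment would use a maintained list.
SHORTENER_HOSTS = {"short.example"}
URL_RE = re.compile(r"https?://([^\s/]+)(/\S*)?", re.IGNORECASE)
REPLY_RE = re.compile(r"^@(\w+)\b")

def reply_with_short_url(text):
    """Return (mentioned_user, short_url) if the tweet is a reply carrying a shortener link, else None."""
    reply, url = REPLY_RE.match(text), URL_RE.search(text)
    if not reply or not url:
        return None
    host, path = url.group(1).lower(), url.group(2) or "/"
    if host not in SHORTENER_HOSTS:
        return None
    return reply.group(1).lower(), host + path

def flag_campaign_urls(tweets, min_accounts=3):
    """Short URLs sent as replies by at least min_accounts distinct accounts on one day.
    Many unrelated accounts pushing one short link is the signal; the landing page is never fetched."""
    senders = defaultdict(set)
    for account, ts, text in tweets:
        hit = reply_with_short_url(text)
        if hit:
            senders[(ts[:10], hit[1])].add(account)
    return {key: sorted(accts) for key, accts in senders.items() if len(accts) >= min_accounts}

def victims_turned_senders(tweets):
    """Accounts that first received a reply carrying a short URL and later sent that same URL
    themselves, in order of their first sending; these are likely compromised accounts."""
    first_seen = {}  # (recipient, short_url) -> timestamp of the earliest reply received
    result = []
    for account, ts, text in sorted(tweets, key=lambda t: t[1]):
        hit = reply_with_short_url(text)
        if not hit:
            continue
        recipient, url = hit
        if (account, url) in first_seen and account not in result:
            result.append(account)
        first_seen.setdefault((recipient, url), ts)
    return result
```

Both functions work on the tweet stream alone, which is why they remain useful when shortened URLs and redirect chains blunt web reputation lookups.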

Since June, however, Twitter has largely got on top of this, and the volume of Twitter-specific phishing has been significantly reduced. Almost half of the victims of this scheme were located in the United States:

Figure 3. Phishing victims

Searchable Spam

On Twitter, there are a large number of tweets offering services of a dubious nature, many of which infringe copyright. We have termed these tweets “searchable spam”. Typically, these tweets are in Russian and advertise free movies, hacked games and software, and so on. Social media attacks are frequently tailored towards specific target audiences. It is something of a surprise, then, how much searchable Russian spam is accessed from outside Russia.

Since these spam Tweets are understood to advertise illegal goods, it may well be that the reputation of the Russian underground actually gives these ads some credibility in the eyes of readers from outside Russia.

Figure 4. Traffic to Russian-language Tweets

Some of these attacks are more easily detected by Twitter and more likely to result in suspended accounts. We identified 17 distinct groups that took part in spam campaigns during the study period. Twitter was able to suspend almost 34,000 accounts from these groups, with some of them losing more than 90% of the accounts under their control.

We have other findings listed in the paper, but these alone should be sufficient to show that malicious Tweets do exist on Twitter. However, any social network can be abused by cybercriminals and has to deal with malicious content on its site. In the third part of this blog series, we will look at what can be done to reduce these threats.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 1 October 2014.