The hijacking of high-profile Twitter accounts belonging to the Associated Press and Guardian UK newspaper brings to light numerous security shortcomings, namely the susceptibility users still have when it comes to phishing attacks, their propensity to use weak passwords, and the inability to detect anomalous behavior on social networks until it’s too late.
Cracking a big-name Twitter account, as it turns out, isn’t just a cute stunt anymore; last week’s hoax tweet declaring President Obama had been injured in an explosion near the White House triggered a temporary plunge on the American stock markets. While the markets recovered almost as quickly once the hoax was revealed, the attack and a similar one this week against the Guardian, allegedly by pro-Syrian hacktivists, exposed how a number of glaring weaknesses can lead to unexpected consequences.
The knee-jerk reaction, in the meantime, has been to ask why Twitter hasn’t implemented two-factor authentication—something they’re reportedly working on—if for no other reason than to put up another roadblock in front of hackers. Yet while some experts back this notion, many believe it won’t work because the number and scale of Twitter users prohibits rolling out tokens or smart card readers, for example, and SMS-based one-time passwords would be cumbersome inside large and small corporations that share accounts for marketing or customer service purposes.
In the case of the attack on the Associated Press, like many targeted attacks, a phishing email was the root cause. PhishMe CTO and cofounder Aaron Higbee said his company has seen the email which he said was fashioned to look like it came from someone internally at the AP. The message contained a link purporting to be to a Washington Post article. Instead, the victim was taken to a phishing site and asked to authenticate with a Twitter handle to proceed.
Higbee said that two-factor authentication could become unwieldy for users, and in the case of the AP attack, likely wouldn’t have helped matters. For example if an authentication token is sent to the victim via SMS, they’re likely going to use it on the phishing site. The attacker, then having access to it, could automate and replicate its use while the token is valid, likely for 24 hours.
“Twitter was not meant for group use,” said Higbee, pointing out that many other online services allow users to authenticate to them via social network passwords. “A lot of companies that need to interact with Twitter share passwords. That’s what most SMBs are doing, or are paying for a management suite, and a lot of companies don’t need those features so they fall back to sharing.”
The Syrian Electronic Army has claimed responsibility for the latest spate of attacks, primarily on media companies such as the AP, Guardian, National Public Radio, the BBC and al-Jazeera among others. The pro-Syrian group isn’t the first hacktivist organization to take aim at high-profile entities. Since last fall, a group calling itself al-Qassam Cyber Fighters, has been running denial of service attacks against major U.S. banks in protest of the movie “Innocence of Muslims,” though some analysts believe the group is too well funded to be socially motivated and is just a cover for Iranian state-sponsored hackers. Meanwhile, the Chinese have also targeted media, namely the New York Times and Washington Post, with espionage malware allegedly in an effort to learn more about sources the newspapers used in exposes of high-ranking Chinese government officials.
Researchers Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna of the University of California-Santa Barbara and Manuel Egele of Carnegie Mellon University may have an answer. The team presented a paper at a conference in February explaining a tool called COMPA that they developed which detects compromised social network accounts.
Stringhini told Threatpost that he ran COMPA against the tweet sent out by the hacked AP account.
“The tweet was considered as very anomalous by our system,” he said. “First of all, the message was written using the Twitter website, while the AP operators usually use SocialFlow, which is a commercial social network client. Second, the tweet did not include a URL, which is very anomalous for news-related Twitter accounts: typically, the tweets posted by such accounts include the title of a news article, and a URL to the full article.”
COMPA models messages against a number of features to build a baseline profile, including the time of day tweets are normally sent; the source of the message (whether it’s sent from an app or the Web); language; topic, whether there are links in the tweet; whether direct messages are sent; and proximity. The model scores messages sent over social networks and after building a consistent behavioral profile, can flag any anomalies.
“The application that the messages are sent from is a very strong indicator. If a user always posts from Twitter for iPhone, it is very anomalous if suddenly a message comes from a different client,” Stringhini said. “The people that a user mentions in her tweets are also very important, as well as the domain of the URLs that are included in the messages; a link pointing to an obscure domain is very anomalous, and might be a sign of an attempted attack.”
Perhaps the biggest challenge with COMPA, as with any anomaly detection tool, is to account for temporary changes in behavior.
“We found out that many users show an anomalous behavior all the time, but for legitimate reasons. For example, a user subscribing to a third-party application, such as Foursquare, might raise an anomaly, because the application would start sending tweets on behalf of the user,” Stringhini said. “For these reasons, COMPA works well in detecting anomalies for high-profile accounts (such the AP one), because they have a consistent behavior, but generates many false alarms if ran on regular users. To mitigate this problem, we aggregate similar messages sent by Twitter users, and we flag the accounts as compromised only if a large fraction of the tweets in the group are anomalous, given the behavioral profile of the users that generated them.”
