The Tainting of Twitter

By Byron Acohido, The Last Watchdog
No one in the tech security world is surprised that criminal exploitation of Twitter has commenced in earnest, as I’ve written in this story on page 1B of Monday’s edition of USA TODAY. Coding and social engineering techniques that spammers and malware purveyors have been refining and perfecting in the email realm over the past several years couldn’t mesh more smoothly into the world of social network messaging. And Twitter — the über popular Web 2.0 service that media companies can’t seem to hype enough — has presented cyber fraudsters with the attack vector of their dreams.

No one in the tech security world is surprised that criminal exploitation of Twitter has commenced in earnest, as I’ve written in this story on page 1B of Monday’s edition of USA TODAY. Coding and social engineering techniques that spammers and malware purveyors have been refining and perfecting in the email realm over the past several years couldn’t mesh more smoothly into the world of social network messaging. And Twitter — the über popular Web 2.0 service that media companies can’t seem to hype enough — has presented cyber fraudsters with the attack vector of their dreams.

Anyone can sign up anonymously for a Twitter account and begin pushing unfiltered messages carrying tainted Web links — bad URLs — across the Internet. What’s more, Twitter has popularized the use of shortened URLs to enable users to point to Web pages in messages limited to 144 characters. It did not take cyber crooks long to discover that shortened URLs are most effective for disguising bad URLs.

And then there’s the sheen of trust social networks proactively engender. When it comes to repulsing  email spam and email viruses, we have robust filters and we have learned to mistrust unsolicited email that slips through the filters. But social networks are build around the notion that messages arrive mostly from your circle of close friends or from people you admire.

Message filtering in the social network realm has been limited essentially to requiring users to solve CAPTCHA puzzles to open a new account or to send messages with links. But the thriving cottage industry of CAPTCHA resolvers for hire, which I wrote about in this page 1A story, makes CAPTCHA solving a low hurdle for the bad guys.

There’s more. Twitter, in particular, has extended this veil of assumed trustworthiness to third party software developers, encouraging them to create cool add-on applications. Twitter makes it simple for any programmer to tie creative new widgets, plug-ins, or Google mashups into your Twitter user logons. Attackers love this because third-party developers tend to pay little attention to security.

Case in point: hacks of third-party Twitter apps were central to recent attacks of the Twitter accounts of pop-diva Britney Spears and tech guru Guy Kawasaki. Using Spears’ stolen Twitter logon, an attacker Tweeted Spears’ 2.2 million followers that she had died; it was a hoax. Another attacker used Kawasaki’s stolen logon to Tweet links to a porn site to the tech guru’s 144,000 followers; this one was for profit.

Security experts expect a repeat of the pattern we’ve seen with corrupted email spam and tainted websites: Twitter attacks will increasingly spin off hacks of vulnerable third-party Twitter apps. And cyber criminals inevitably will begin to spread much more malicious software, including programs that turn your PC into a bot, embeds a keystroke logger to steal your data, triggers endless scareware promotions or executes a banking Trojan to steal from your online accounts.

Corporate awareness, inaction

And yet, as this recent Websense survey shows, corporations worldwide are racing to fold Twitter and popular social networking services into their business models. Of the 1,300 IT managers surveyed by Websense, some 86 percent said they were being pressured to allow access to Web 2.0 sites from senior execs in marketing, sales, finance, HR and even their own colleagues in IT departments. They are either naïve — or big gamblers.

Results of a Sophos survey of 710 IT pros indicates awareness of the threat among IT staff is high: 62.8 percent of firms surveyed said they were worried that their users are sharing too much info on social networks; while 66 percent believe that workers are putting their companies at risk by using social networks.

Twitter has taken the circle-the-wagons approach to public statements about what it is doing. It took several emails and phone calls to get co-founder Biz Stone to issue a statement. And, thus far, Stone has declined to be interviewed.

“Spam, malware, phishing, and other plagues of our industry are something we take seriously at Twitter,” Stone said in his statement. “Our dedicated, full-time Abuse and Safety team works 24 hours a day, 7 days a week conducting continuous automated and manual reviews of suspicious activities-appropriate measures are taken accordingly.

“As Twitter continues to grow into a significant communication and information network around the world, there will always be a need to battle abuse and maintain security,” he continued. “We understand that this job is never done so we are actively recruiting staff and developing tools to combat spam and enhance security.”

LastWatchdog asked several top security experts to comment on security risks posed by social nets in general and Twitter specifically. Below are excerpts from those interviews.

Aviv Raff, Tel Aviv-based independent researcher who is disclosing vulnerabilities in Twitter third-party apps. Twitter has become a great tool for communication. Many 3rd party services are now using Twitter and their developers are not aware that by developing insecure code, they not only expose their own users to threats like worms and malware, they also expose the entire Twitter community.

Twitter’s most problematic issue is their API. Even if they will fix all the vulnerabilities on their website, they still have many other third-party websites and applications which are using their API. So, if an attacker can find a vulnerability in one of those third-party services, they can use it against all other Twitter users.

Amit Klein, CTO, Trusteer. I doubt the vast majority of decision makers in corporate America are fully aware of the security implications associated with social networking/web 2.0 technologies like Twitter. The problem with Twitter and other social networking tools is that content is being pushed to users from a “trusted” source. Very few decision makers understand that the source cannot really be trusted since the account may be hijacked.

Millions of PCs are at risk due to the fuzzy trust relationships implied by social network sites and the third party service industry that surrounds them. I expect more high profile attacks to occur – perhaps ones in which corporate networks would be targeted. The problem scope is larger than malware infection.

It can be spam arriving from a Twitter feed which you follow, it can be fake messages that can drive company share value up or down, or it can affect the company brand name, reputation and market share. Once we have few of these, I believe we’ll start seeing more focus on securing corporations against social network-related threats.

Sean-Paul Correll, Threat Researcher, PandaLabs. Twitter attacks are the next iteration of Blackhat  SEO attacks (in which attackers cause bad URLs to turn up among the search results for popular search queries.) SEO attacks rely on the search engine to find the bad guys’ web pages and eventually direct users to the bad URLs.

But Twitter gives you real time, open dialogues with everyone in the world. So it’s a lot easier and quicker to spread a bad URL keyed to something that just happened in the news. It’s a lot easier to carry out and it’s a lot more in your face. People trust the links they see on Twitter. They view it as real time communication, and they assume goodness. They don’t ask if this person might be bad.

Stefan Tanase, Security Researcher, Kaspersky Lab Romania
. The problem is that most of the attacks rely on social engineering techniques, rather than drive-by downloads or other exploits, as it is much cheaper for the bad guys to set-up such malicious websites: they don’t need to buy a zero-day exploit for thousands of dollars.

All they need to do is to set-up a page that tricks the user into installing the malware by himself. And with the contextualized and personalized environment that Web 2.0 and Twitter brings, the effectiveness of these attacks is probably higher than it was ever.

I think Twitter should be encouraging their users to increase their level of security awareness. Users can help Twitter fight these malicious accounts. The simple block button not only blocks a malicious profile, but also alerts the Twitter admins that such an account has been blocked.

If more people block it, they will surely investigate and see what’s happening. Twitter should use their most valuable asset to fight the problem: its users. But they need to be educated, and what is happening now seems the exact opposite: the users are encouraged to blindly click on links that they don’t know where they’re going.

Panos Anastassiadis, CEO, Cyveillance. We have certainly seen a fair number of scareware applications pushed through (social networks.) We have also tracked a large number of Trojan downloaders, which install rootkits and keylogging malware. We are seeing anti-virus killers, porn dialers, rootkits and a variety of other malware categories. However, the most prevalent installed malware is the downloader.

These attacks are more effective then spam, as no email filters are involved; there are no advertising costs such as keyword placement; there is little to no effort needed in the SEO space and there are highly targeted and responsive recipients within in social media, such as Twitter.

At a minimum, consumers must remain cautious and only view tweets that are from trusted sources.Twitter should be inspecting hyperlinks submitted for a behavioral analysis to determine if malware is present, coupled with using domain whitelisting/blacklisting methods prior to allowing the URL to be posted.

Graham Cluley, Senior Technology Consultant, Sophos. Most companies we speak to are definitely aware of the problem – but are having to balance their desire to secure their network with demands from inside their organization that they use social networks to benefit the business.

One danger is that by completely denying staff access to their favorite social networking site, organizations will drive their employees to find a way round the ban (such as anonymising proxies) – and this could potentially open up even greater holes in corporate defenses.

The fact is that social networks are here to stay. If email and the web were invented today many IT managers might be tempted to ban them from their organization because of the security risks they bring with them, but we all recognize that that would be detrimental to business health. As social networks can bring benefits to companies, it becomes more sensible to ensure that users are protected while using them rather than banning them outright.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.