Following the thread Networking hacks: Top 10 Facebook and Twitter security stories of 2009. Twitter, with more than 44 million unique users, is a juicy channel where individuals and organizations dedicated to online fraud coexist in a varied ecosystem.
We think it is worth highlighting some of the fraudulent uses of Twitter:
1) Phishing in Twitter: Phishing does not only target banking and payment services such as PayPal. Any popular service can be exposed to this threat, not only to steal the Twitter account itself, but also to get a chance to access other services through the public profile.
Advice: give the credentials of every service the same importance as your online banking credentials. Do not reuse the same password for more than one service, and pay attention to the URL of the login page.
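The last piece of advice, checking the login page URL, is easy to get wrong by eye because phishing pages put the brand name somewhere in the address. The following check is an added example, not code from the original post: it parses a URL and reports the reasons it does not look like the genuine login page. The allowlist of trusted hosts and the list of brand lookalike words are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hostnames where the genuine login page lives. This allowlist is an assumption
# for the example; maintain your own for the services you care about.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}
# Brand fragments that lookalike domains tend to contain (assumed list).
BRAND_WORDS = ("twitter", "twiter", "tw1tter")


def login_url_risk(url: str) -> list:
    """Return the reasons a login URL looks suspicious; an empty list means no finding."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        reasons.append("page is not served over https")
    if parts.username is not None:
        # "https://twitter.com@other.example/" is really a request to other.example;
        # everything before '@' is user info, not the host.
        reasons.append("credentials/brand text before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label, possible homograph domain")
    if host not in TRUSTED_LOGIN_HOSTS:
        if any(w in host for w in BRAND_WORDS):
            # Brand name present but on a different registrable domain,
            # e.g. twitter.com.login-check.example
            reasons.append(f"lookalike host '{host}' is not the genuine login host")
        else:
            reasons.append(f"host '{host}' is not a known login host")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs, none of them real phishing addresses.
    for sample in ("https://twitter.com/login",
                   "http://twitter.com/login",
                   "https://twitter.com.login-check.example/session",
                   "https://twitter.com@other.example/login"):
        print(sample, "->", login_url_risk(sample) or "looks genuine")
```

The check deliberately compares the whole hostname against the allowlist rather than searching for the brand inside it, because the brand name appearing in a subdomain is exactly the trick this kind of phishing relies on.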
URLs used for Phishing in Twitter (already taken down):
The accounts created for this purpose are characterized by a big difference between the number of followers and the number of accounts followed: they follow many more accounts than follow them back.
This message was posted last week:
A quick glance at the mentioned profile shows the gap between followers and followed, and a continuous wave of similar messages:
The user asking about this profile was a follower of the spammer. We don't know whether this was due to ignorance, or because the user had been a victim of something similar to what is described in point 5.
Advice: follow @spam and report any suspicious activity like this. Review once in a while whom you are following, and make sure you subscribed to them manually.
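The two traits described above, far more followed than followers and a stream of near-identical messages, can be turned into a simple screening heuristic. The script below is an added example and not part of the original post; the profiles it scores are constructed sample data, and the thresholds (ratio, minimum following, message similarity) are assumptions to be tuned on real data.

```python
import re
from itertools import combinations

URL_RE = re.compile(r"https?://\S+")


def tokens(text):
    """Lower-cased word set of a message with URLs removed, for similarity comparison."""
    return set(re.findall(r"[a-z0-9]+", URL_RE.sub(" ", text.lower())))


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def message_similarity(tweets):
    """Mean pairwise Jaccard similarity of the messages; 1.0 means all identical."""
    sets = [tokens(t) for t in tweets]
    pairs = list(combinations(sets, 2))
    if not pairs:
        return 0.0
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs)


def spam_indicators(profile, ratio_threshold=5.0, min_following=100,
                    similarity_threshold=0.6, link_share_threshold=0.8):
    """Return the list of spam indicators found on a profile (empty list = nothing found).

    Thresholds are assumptions for this example, not figures from the post.
    """
    flags = []
    followers, following = profile["followers"], profile["following"]
    tweets = profile["tweets"]

    # Trait 1: follows far more accounts than follow it back.
    ratio = following / max(followers, 1)
    if following >= min_following and ratio >= ratio_threshold:
        flags.append(f"follows {following} accounts but has {followers} followers (ratio {ratio:.1f})")

    # Trait 2: the timeline is a wave of the same message over and over.
    sim = message_similarity(tweets)
    if len(tweets) >= 3 and sim >= similarity_threshold:
        flags.append(f"repetitive messages (mean similarity {sim:.2f})")

    # Trait 3: almost every message carries a link.
    if tweets:
        with_links = sum(1 for t in tweets if URL_RE.search(t))
        if with_links / len(tweets) >= link_share_threshold:
            flags.append("almost every message carries a link")
    return flags


# Constructed sample profiles (not real accounts).
SPAMMER = {
    "followers": 12, "following": 1500,
    "tweets": ["Get 1000 followers fast!! http://example.invalid/a",
               "Get 1000 followers fast!! http://example.invalid/b",
               "Get 1000 followers now! http://example.invalid/c",
               "Get 1000 followers fast!! http://example.invalid/d"],
}
LEGIT = {
    "followers": 340, "following": 210,
    "tweets": ["Heading to the conference this morning",
               "Great talk on DNS security just now",
               "Lunch with the team, back to the lab later http://example.invalid/photo"],
}

if __name__ == "__main__":
    for name, profile in (("spammer", SPAMMER), ("legit", LEGIT)):
        print(name, "->", spam_indicators(profile) or "no indicators")
```

Jaccard similarity on word sets is enough to catch templated messages that only differ in the link or a word or two; a real screening pipeline would also look at account age and posting rate.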
4) Inappropriate use of apps in Twitter: Applications (apps) are to Twitter what petrol is to a car; without them it wouldn't make sense. But we must be careful with them. Only those using the OAuth protocol should be trusted. Twitter made it public in March 2009 so that app developers could make users' lives easier. This way, the services using Twitter do not need to ask for a username and password. If we confirm that we trust the application, we are authenticated automatically.
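What makes an OAuth application safer than one that asks for your password is that the application only ever holds a token for your account and signs each request with it; the password never reaches the application and the token can be revoked without changing the password. The following code is an added example, not Twitter's code nor code from the original post. It implements request signing as specified in OAuth 1.0a (RFC 5849, HMAC-SHA1), which is the part of the protocol an application runs on every call; the endpoint URL, keys and secrets are constructed placeholders, and the three-legged authorization dance that issues the token is not shown.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the string both sides sign: METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((parts.scheme == "http" and port == 80) or
                     (parts.scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    # Parameters (query, body and oauth_* headers together) are encoded,
    # sorted by key and joined with '&' before being encoded once more.
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_params(method, url, body_params, consumer_key, consumer_secret,
                        token, token_secret, nonce=None, timestamp=None):
    """What the application sends: oauth_* parameters plus a signature. No password anywhere."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**body_params, **oauth},
                                    consumer_secret, token_secret)
    return oauth


def verify(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Server side: recompute the signature from the received parameters and compare."""
    received = oauth_params.get("oauth_signature", "")
    if not received:
        return False
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = sign(method, url, {**body_params, **unsigned}, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


# Constructed placeholders; a real application receives these from the service.
URL = "https://api.example.invalid/statuses/update.json"
CONSUMER_KEY, CONSUMER_SECRET = "ck", "cs"      # identifies the application
TOKEN, TOKEN_SECRET = "tk", "ts"                # identifies the user's grant to it

if __name__ == "__main__":
    body = {"status": "hello world"}
    oauth = build_signed_params("POST", URL, body, CONSUMER_KEY, CONSUMER_SECRET,
                                TOKEN, TOKEN_SECRET)
    print("signed request accepted:", verify("POST", URL, body, oauth, CONSUMER_SECRET, TOKEN_SECRET))
    print("tampered body accepted:", verify("POST", URL, {"status": "hello world!"}, oauth,
                                            CONSUMER_SECRET, TOKEN_SECRET))
```

Because the token secret belongs to one user-application pair, revoking the application in the account settings makes every signature it produces fail verification, which is exactly what cannot be done after handing a password to a "get more followers" service.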
5) Get more followers: These services are abundant in Twitter, and they don't reveal their evil dark methods; they just show the results. We were curious about these accounts, so we created a user to test them. The result was:
- 2 weeks
- 138 followers
- 491 followed
- 5 tweets
So, we created the account and subscribed to a "Get more followers" service that asked for the Twitter username and password (see the previous point), which we kindly gave. Next came a wave of DMs (direct messages) containing hundreds of URLs. These messages come from users who have fallen victim to this scam, and their only aim is to promote dubious services. We were also offered an exclusive paid service, which we declined.
Additionally, we analyzed the URLs sent through DMs, as well as the first five hundred results of a search for "consigue más followers" (get more followers). Our objective was to look for drive-by download attacks, by means of which users browsing with outdated software can fall victim to multiple attacks just by visiting a website.
Only three URLs gave positive results in the test, but they were discarded because we realized they were actually false positives (see also point 1).
6) A new channel for botnets: This technique doesn't affect Twitter users directly, but it should nevertheless be noted that Twitter is now a new command channel for botnets.
7) New source for malware: Like the previous one, this technique doesn't affect users directly, but it puts on the table Twitter's significant virality and how juicy social engineering attacks can be, such as the creation of an iframe domain using Twitter Trends for the Sinowal Trojan.
8) Brand / identity theft: Without mentioning any specific company, it's clear that there have been cases of brand theft and misuse of corporate logos on Twitter, a war similar to the one over domain names. To counter identity theft, Twitter launched in mid-2009 a new feature called verified accounts.
9) Worms in Twitter: XSS has become rather popular recently, although only sporadically. This technique was used in Twitter so that any logged-in user would post messages chosen by the attacker just by clicking on a link. Rather than XSS, this action corresponds to a CSRF attack, less well known but equally or more dangerous (see also point 2).
10) Spreading and virality of rumors: We have spoken in this blog about the pump & dump technique in relation to financial operations. Twitter has already been used to spread financial panic.
Twitter’s guidelines to keep your account secure.
Mikel Gastesi (@mgastesi)
Emilio Casbas (@ecasbas)