10 fraudulent uses for Twitter

Following the thread "Networking hacks: Top 10 Facebook and Twitter security stories of 2009": Twitter, with more than 44 million unique users, is a juicy channel where individuals and organizations dedicated to on-line fraud co-exist in a varied ecosystem.

We think it would be interesting to highlight some of the fraudulent uses for Twitter:

1) Phishing in Twitter: Phishing does not only target banking and payment services such as PayPal. Any popular service can be exposed to this threat, not only to take over the Twitter account itself, but also to gain a chance of accessing other services using the information in the public profile.

Advice: treat the credentials of every service with the same importance as on-line banking credentials. Do not reuse the same password for more than one service, and check the URL of the log-in page before typing anything.

URLs used for phishing in Twitter (already taken down):


2) Social engineering: Social engineering is one of the most dangerous weapons of cyber-criminals, and also one of the most efficient. Koobface jumped to Twitter in July 2009. Tweets with random strings started to appear, such as "WOW", "LOL" or ":)", with links to download an update for Flash Player. Of course, this "update" was malware. The situation gets worse with URL shortening, which can also be used to hide the real destination of a link. The clickjacking vulnerability used this weapon too.

3) SPAM: The accounts created for this purpose are characterized by a big difference between the number of followers and the number of accounts they follow: they follow many more accounts than follow them back.
This message was posted last week:

A quick glance at the profile in question shows the gap between followers and followed accounts, and a continuous wave of similar messages:

The user who asked about this profile was a follower of the spammer. We don't know whether this was due to ignorance, or because the user had been the victim of something similar to what is described in point 5.

Advice: follow @spam and report any suspicious activity like this. Review from time to time whom you are following, and make sure you subscribed to them yourself.
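The two traits point 3 describes (far more followed than followers, and a continuous wave of near-identical messages) can be turned into a simple triage score. This is an added example, not code from the original post or from S21sec; the profile data is constructed, and the thresholds are assumptions to be tuned on real data.

```python
import re
from itertools import combinations

# Constructed sample profile (not data from the post): follows far more
# accounts than follow it back, and repeats the same pitch behind rotating short links.
SUSPECT = {
    "followers": 12,
    "following": 1480,
    "tweets": [
        "Get 1000 followers FAST, check http://sh.example/a1 now!!",
        "Get 1000 followers fast!! check http://sh.example/b2 now",
        "get 1000 FOLLOWERS fast - check http://sh.example/c3 NOW",
        "Great weekend, finally some sun :)",
    ],
}
URL_RE = re.compile(r"https?://\S+")

def normalize(text):
    """Lowercase, drop URLs and punctuation, so changing short links does not hide repeats."""
    text = URL_RE.sub("", text.lower())
    return re.sub(r"[^a-z0-9 ]+", " ", text).split()

def jaccard(a, b):
    """Token-set overlap between two normalized tweets (0.0 .. 1.0)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def follow_ratio(profile):
    """Accounts followed per follower; spam accounts show a very large ratio."""
    return profile["following"] / max(profile["followers"], 1)

def repeat_share(tweets, threshold=0.6):
    """Fraction of tweets that are a near-duplicate of at least one other tweet."""
    toks = [normalize(t) for t in tweets]
    dup = set()
    for i, j in combinations(range(len(toks)), 2):
        if jaccard(toks[i], toks[j]) >= threshold:
            dup.update((i, j))
    return len(dup) / len(tweets) if tweets else 0.0

def spam_score(profile, ratio_limit=10.0, repeat_limit=0.5):
    """Flag only when both traits from the post are present (assumed thresholds)."""
    ratio = follow_ratio(profile)
    repeats = repeat_share(profile["tweets"])
    return {"ratio": ratio, "repeat_share": repeats,
            "flagged": ratio >= ratio_limit and repeats >= repeat_limit}
```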

4) Inappropriate use of apps in Twitter: Applications (apps) are to Twitter what petrol is to a car; without them, it would not make sense. But we must be careful with them. Only those using the OAuth protocol should be trusted. Twitter made it public in March 2009 so that app developers could make users' lives easier. This way, the services using Twitter do not need to ask for a user name and password: if we confirm that we trust the application, we are authenticated automatically.
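The reason an OAuth app never needs the password is that it signs each request with its own consumer secret plus a per-user token secret obtained during the authorization step, and the service recomputes that signature. The block below is an added example (not code from the original post or from Twitter) of the OAuth 1.0a HMAC-SHA1 signing and verification scheme; the keys, secrets, nonce, timestamp and `api.example.com` URL are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode as OAuth 1.0a requires: only RFC 3986 unreserved chars untouched."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted "k=v" pairs, each already encoded)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with app secret & user token secret (no password involved)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(method, url, params, consumer_secret, token_secret):
    """Service side: recompute and compare in constant time; any edited parameter fails."""
    presented = params.get("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())

# Constructed values; a real app receives them from app registration and the token exchange.
CONSUMER_SECRET = "app-secret-example"
TOKEN_SECRET = "user-token-secret-example"
URL = "https://api.example.com/statuses/update.json"

def signed_request(status):
    """Build the parameter set an app would send to post a status on the user's behalf."""
    params = {
        "oauth_consumer_key": "app-key-example",
        "oauth_token": "user-token-example",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1259000000",
        "oauth_nonce": "nonce-example",
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = sign("POST", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```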

5) Get more followers: These services are abundant on Twitter, and they do not reveal their dark methods; they just show the results. We were curious about these accounts, so we created a user to test them. The result was:
  • 2 weeks
  • 491 followed
  • 5 tweets
So, we created the account and subscribed to a "Get more followers" service that asked for the Twitter user name and password (see previous point), which we kindly gave. Next came a wave of DMs (direct messages) with hundreds of URLs. These messages come from users who have been victims of this scam, and their only aim is promoting dubious services. We were also offered an exclusive paid service, which we did not accept.

Additionally, we analyzed the URLs sent through DMs, as well as the first five hundred results of searching for "consigue más followers" (get more followers). Our objective was to look for drive-by download attacks, by means of which users browsing with outdated software can fall victim to multiple attacks just by visiting a website.

Only three URLs gave positive results in the test, but they were discarded because we realized they were actually false positives (see also point 1).

6) A new channel for botnets: This technique does not affect Twitter users directly, but it should nevertheless be noted that Twitter is now a new channel for botnets.

7) New source for malware: Like the previous one, this technique does not affect users directly, but it puts on the table Twitter's significant virality and how attractive social engineering attacks can be, like the creation of an iframe domain using Twitter Trends for the Sinowal Trojan.

8) Brand / identity theft: Without naming any specific company, it is clear that there have been cases of brand theft and misuse of corporate logos on Twitter, a war similar to the one over domain names. To counter identity theft, Twitter launched in mid-2009 a new feature called verified accounts.

9) Worms in Twitter: XSS has become rather popular recently, although only sporadically. This technique was used on Twitter so that any logged-in user would post messages chosen by the attacker just by clicking on a link. Rather than XSS, this action actually corresponds to a CSRF attack, which is less known but equally or more dangerous (see also point 2).
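What makes the link-click posting in point 9 a CSRF rather than an XSS is that the server accepts a state change from any request that carries the session cookie, which the browser attaches automatically. Below is an added example, not code from the original post or from Twitter, with a constructed request object and session store: the vulnerable handler beside a hardened one that requires POST and a per-session token the attacker's page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins for a web framework's request object and server-side session store.
@dataclass
class Request:
    method: str
    cookies: dict
    params: dict

SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
TIMELINE = []  # (user, status) pairs that were accepted

def vulnerable_update(req):
    """Vulnerable pattern: the session cookie alone authorizes the post, even on a GET from a link."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if not session:
        return 401
    TIMELINE.append((session["user"], req.params["status"]))
    return 200

def hardened_update(req):
    """Hardened: state changes only via POST, and only with the secret per-session token."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if not session:
        return 401
    if req.method != "POST":
        return 405
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403
    TIMELINE.append((session["user"], req.params["status"]))
    return 200

def link_click_request():
    """What a logged-in user's browser sends after clicking a crafted link: GET, cookie attached, no token."""
    return Request("GET", {"sid": "sess-abc"}, {"status": "text chosen by someone else"})

def legitimate_post(status):
    """A post from the site's own form, which embeds the session's token."""
    return Request("POST", {"sid": "sess-abc"},
                   {"status": status, "csrf_token": SESSIONS["sess-abc"]["csrf"]})
```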

10) Spreading and virality of rumors: We have written on this blog about the pump & dump technique in relation to financial operations. Twitter has already been used to spread financial panic.

See also Twitter's guidelines to keep your account secure.

Mikel Gastesi (@mgastesi)
Emilio Casbas (@ecasbas)
S21sec e-crime
