How account stealers pervert trust in Twitter’s single sign-on capability

The cybercriminals behind the intensifying phishing scam that has been plaguing Twitter since late last week are proving how easy it is to pervert the trust social networks like Twitter and Facebook along with search giant Google have made a cornerstone of their respective business models.

These tech giants are making it easy for the best-and-brightest third-party developers to create clever apps that tie directly into their respective platforms.

The idea is to get Web users accustomed to using their Twitter, or Gmail or Facebook credentials as  a “single sign-on” to access the Web’s coolest apps.

But a clever cybergang has found a gaping security weakness in the single sign-on approach, as recently discovered by network security firm eSoft. Since late last Thursday, this gang has been sending out microblog postings — Tweets — from legitimate Twitter accounts. These Tweets have been luring thousands of people into clicking through to a hot, new web service that purportedly will instantly get them 50 to 100 more followers.

Click on one of these links, and you’ll be guided to a landing page that will ask you to type in your all-purpose, single sign-on Twitter username and password in order to access the service for free, says Lee Graves, eSoft threat communications specialist.

This is the power of single sign-on. But it’s also a security weakness. As the screenshot below shows, it’s all too easy to direct trusting users to a slick, counterfeit payoff phishing page like this one:

From this payoff page, your credentials get routed directly to the bad guys. The crooks then use an automated script that instantly uses your username and password to log into your account. From your account, they proceed to blast out a Tweet with a variation of the same ruse to all of your followers.

The script repeats this task every 3 hours or so, automatically changing the associated web link each time to escape filtering, says Graves. The technique is proving to be very effective, which means it will be emulated.
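A defender-side heuristic for the pattern described above (one lure text blasted from many compromised accounts, with the link swapped out each round to dodge filtering), written here as an added example that is not from the article or from eSoft; the tweets, account names and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample tweets (account, text); not real data from the article.
SAMPLE_TWEETS = [
    ("alice", "OMG I got 100 more followers in a day with http://foll0wers-a.example/go"),
    ("bob",   "OMG I got 100 more followers in a day with http://foll0wers-b.example/go"),
    ("carol", "OMG I got 100 more followers in a day with http://foll0wers-c.example/go"),
    ("dave",  "OMG I got 100 more followers in a day with http://foll0wers-a.example/go"),
    ("erin",  "Lunch at the new place downtown, review at http://food.example/r/1"),
    ("frank", "Lunch at the new place downtown, review at http://food.example/r/1"),
]

URL_RE = re.compile(r"https?://\S+")


def normalize(text):
    """Lowercase and replace every URL with a fixed token, so that rotating
    the link does not split one lure campaign into many small clusters."""
    return URL_RE.sub("<URL>", text.lower()).strip()


def hosts_in(text):
    """Set of hostnames linked from a tweet."""
    return {urlparse(u).netloc.lower() for u in URL_RE.findall(text)}


def find_lure_clusters(tweets, min_accounts=3, min_hosts=2):
    """Return lure texts posted by at least min_accounts distinct accounts that
    point at at least min_hosts distinct link hosts. Many accounts sending the
    same text is the 'blast to followers' signal; many hosts behind the same
    text is the link-rotation signal. Ordinary shared links (one host) are
    left alone."""
    clusters = defaultdict(lambda: {"accounts": set(), "hosts": set()})
    for account, text in tweets:
        key = normalize(text)
        clusters[key]["accounts"].add(account)
        clusters[key]["hosts"].update(hosts_in(text))
    return {
        key: {"accounts": sorted(c["accounts"]), "hosts": sorted(c["hosts"])}
        for key, c in clusters.items()
        if len(c["accounts"]) >= min_accounts and len(c["hosts"]) >= min_hosts
    }
```

The accounts listed in a flagged cluster are candidates for a forced password reset, which is the remedy the article recommends.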

“This is by far the biggest type of attack like this that we’ve seen, in terms of how many people are getting affected and getting their accounts hacked,” says Graves.

The attack continues to accelerate. For the moment, the gang appears to be intent primarily on amassing a trove of valid Twitter account user names and passwords. eSoft today briefly tallied Tweets controlled by the gang. In 30 minutes, eSoft confirmed over 4,000 compromised accounts, and the number was still climbing.

What’s more, the bad guys’ landing pages feature blocks of Google advertising, as shown in the screen shot below:

It appears that the bad guys are also getting paid for the Google advertisements published on their phishing pages, says Patrick Walsh, eSoft’s chief technology officer.

“Google offers advertisers both cost per click (CPC) and cost per 1000 impressions (CPM) ads,” says Walsh. “I can’t tell whether the ads on their pages are CPM or CPC, but either way, driving traffic to the website is likely making the perpetrators money.”

There is little stopping the attackers from subsequently using their cleverly harvested Twitter accounts to blast out spam for worthless drugs or antivirus subscriptions. They might also spam out links to tainted web pages carrying infections that turn over control of the PC to the bad guys.

These attackers appear to be at the vanguard of cybercriminals who are fast developing a specialized expertise. They are devising ways to profit from the push by Facebook, Google and Twitter to eliminate privacy as a cultural norm. The tech giants want to flush out everything there is to know about Internet users, the better to sell online advertising.

Two tactics used by these attackers expose the soft underbelly of this push to eliminate privacy. First, like other data-stealing ruses aimed at the messaging systems of popular social networks, this attack — like the infamous Koobface worm — relies on the message seemingly being sent by a familiar source.

Secondly, Twitter has trained its members to get into the habit of freely using their Twitter logons to access third-party applications for hundreds of clever online services. Twitter users are comfortable using their Twitter credentials as a trusted single sign-on to try out new online services.

Google and Facebook are both heavily promoting single sign-on, using their respective platforms as the launching point for all things cool on the Web. Trust is a linchpin. So far consumers by and large trust this single sign-on approach. But this attack shows how easily that trust can be perverted. No one should be surprised when variations on this theme turn up in the weeks and months to come.

“Given the success of this attack, Twitter users now need to be cautious and guarded about giving out their Twitter username and password to access these third party apps,” says Walsh. “This is an extremely viral campaign that’s spreading rapidly.”

If you suspect your account has been compromised, change your password as quickly as possible. This will stop the bad guys from using your account, since their script relies on the harvested password still being valid.

LastWatchdog reached out to Twitter spokesman Sean Garrett for comment. We’ll let you know when he gets back to us.

–By Byron Acohido
