Twitter attacks are latest refinement of Blackhat SEO trickery

No one in the tech security world should be surprised that criminal exploitation of Twitter has commenced in earnest, as I’ve written in this story on page 1B of the July 6th print editions of USA TODAY.

Coding and social engineering techniques that spammers and malware purveyors have been refining and perfecting in the email realm over the past several years couldn’t mesh more smoothly into the world of social network messaging. And Twitter — the über popular Web 2.0 service that media companies can’t seem to hype enough — has presented cyber fraudsters with the attack vector of their dreams.

Anyone can sign up anonymously for a Twitter account and begin pushing unfiltered messages carrying tainted Web links — bad URLs — across the Internet. What’s more, Twitter has popularized the use of shortened URLs to enable users to point to Web pages in messages limited to 144 characters. It did not take cyber crooks long to discover that shortened URLs are most effective for disguising bad URLs.

And then there’s the sheen of trust social networks proactively engender. When it comes to repulsing email spam and email viruses, we use robust filters and we’ve learned to mistrust unsolicited email that slips through the filters. But social networks are built around the notion that messages arrive mostly from your circle of close friends or from people you admire.

Message filtering in the social network realm has been limited essentially to requiring users to solve CAPTCHA puzzles to open a new account or to send messages with links. But the thriving cottage industry of CAPTCHA resolvers for hire, which I wrote about in this page 1A story, makes CAPTCHA solving a low hurdle for the bad guys.

Veil of trust

There’s more. Twitter, in particular, has extended this veil of assumed trustworthiness to third party software developers, encouraging them to create cool add-on applications. Twitter makes it simple for any programmer to integrate creative new widgets, plug-ins, or Google mashups into your Twitter user logon. Attackers love this because third-party developers tend to pay little attention to security.

Case in point: hacks of third-party Twitter apps were central to recent breaches of the Twitter accounts of pop-diva Britney Spears and tech guru Guy Kawasaki. Using Spears’ stolen Twitter logon, an attacker Tweeted Spears’ 2.2 million followers that she had died; it was a hoax. Another attacker used Kawasaki’s stolen logon to Tweet links to a porn site to the tech guru’s 144,000 followers; this one was for profit.

Security experts expect a repeat of the pattern we’ve seen with corrupted email spam and tainted websites: Twitter attacks will increasingly spin off hacks of vulnerable third-party Twitter apps. And cyber criminals inevitably will begin to spread much more malicious software, including programs that turn your PC into a bot, embed a keystroke logger to steal your data, trigger endless scareware promotions or execute a banking Trojan to steal from your online accounts.

Corporate awareness, inaction

And yet, as this recent Websense survey shows, corporations worldwide are racing to fold Twitter and popular social networking services into their business models. Of the 1,300 IT managers surveyed by Websense, some 86 percent said they were being pressured to allow access to Web 2.0 sites from senior execs in marketing, sales, finance, HR and even their own colleagues in IT departments. These Twitter-happy execs are either naïve — or big gamblers.

Sophos survey of 710 IT managers

Results of a Sophos survey of 710 IT pros indicate that awareness of the threat among IT staff is high: 62.8 percent of firms surveyed said they were worried that their users are sharing too much info on social networks, while 66 percent believe that workers are putting their companies at risk by using social networks.

Twitter has taken the circle-the-wagons approach to public statements about what it is doing, or not doing. It took several emails and phone calls to get co-founder Biz Stone to respond by issuing a statement. And, thus far, Stone has declined to be interviewed.

Twitter co-founder issues a statement

“Spam, malware, phishing, and other plagues of our industry are something we take seriously at Twitter,” Stone said in his statement. “Our dedicated, full-time Abuse and Safety team works 24 hours a day, 7 days a week conducting continuous automated and manual reviews of suspicious activities; appropriate measures are taken accordingly.

“As Twitter continues to grow into a significant communication and information network around the world, there will always be a need to battle abuse and maintain security,” he continued. “We understand that this job is never done so we are actively recruiting staff and developing tools to combat spam and enhance security.”

LastWatchdog asked several top security experts to comment on security risks posed by social nets in general and Twitter specifically. Below are excerpts from those interviews.

Experts’ commentary

Aviv Raff, Tel Aviv-based independent programmer who has begun disclosing vulnerabilities in Twitter third-party apps. Twitter has become a great tool for communication. Many third-party services are now using Twitter and their developers are not aware that by developing insecure code, they not only expose their own users to threats like worms and malware, they also expose the entire Twitter community.

Twitter’s most problematic issue is their API. Even if they will fix all the vulnerabilities on their website, they still have many other third-party websites and applications which are using their API. So, if an attacker can find a vulnerability in one of those third-party services, they can use it against all other Twitter users.

Amit Klein, CTO, Trusteer. I doubt the vast majority of decision makers in corporate America are fully aware of the security implications associated with social networking/web 2.0 technologies like Twitter. Millions of PCs are at risk due to the fuzzy trust relationships implied by social network sites and the third party service industry that surrounds them.

I expect more high profile attacks to occur – perhaps ones in which corporate networks would be targeted. The problem scope is larger than malware infection. It can be spam arriving from a Twitter feed which you follow, it can be fake messages that can drive company share value up or down, or it can affect the company brand name, reputation and market share. Once we have few of these, I believe we’ll start seeing more focus on securing corporations against social network-related threats.

Sean-Paul Correll, Threat Researcher, PandaLabs. Twitter attacks are the next iteration of Blackhat SEO attacks (in which attackers cause bad URLs to turn up among the search results for popular search queries). SEO attacks rely on the search engine to find the bad guys’ web pages and eventually direct users to the bad URLs.

But Twitter gives you real time, open dialogues with everyone in the world. So it’s a lot easier and quicker to spread a bad URL keyed to something that just happened in the news. It’s a lot easier to carry out and it’s a lot more in your face. People trust the links they see on Twitter. They view it as real time communication, and they assume goodness. They don’t ask if this person might be bad.

Stefan Tanase, Security Researcher, Kaspersky Lab Romania. The problem is that most of the attacks rely on social engineering techniques, rather than drive-by downloads or other exploits, as it is much cheaper for the bad guys to set up such malicious websites: they don’t need to buy a zero-day exploit for thousands of dollars.

All they need to do is to set up a page that tricks the user into installing the malware by himself. And with the contextualized and personalized environment that Web 2.0 and Twitter bring, the effectiveness of these attacks is probably higher than ever.

I think Twitter should be encouraging their users to increase their level of security awareness. Users can help Twitter fight these malicious accounts. The simple block button not only blocks a malicious profile, but also alerts the Twitter admins that such an account has been blocked.

If more people block it, they will surely investigate and see what’s happening. Twitter should use their most valuable asset to fight the problem: its users. But they need to be educated, and what is happening now seems the exact opposite: the users are encouraged to blindly click on links that they don’t know where they’re going.

Dave Marcus, Director of Security Research, McAfee Avert Labs. I don’t think companies have grasped the threat vector for Twitter at all; just like they don’t understand Web 2.0 threats in general. Right now there are few realized or actualized threats for Twitter in-the-wild, but much research is being directed at it. We have seen several worms, of the JavaScript variety, and multiple hacks.

It’s not just Twitter, but applications associated with Twitter, like TwitPic, TwitWall or HootSuite. Anything that Twitter uses or that makes Twitter easier to use will likely be targeted. We’ve already seen very malicious Twitter spam and the infamous Mikeyy worm.

Zulfikar Ramzan, Technical Director, Symantec Security Response. With regard to social networking sites, the types of threats entering the corporate boundary are only one aspect of the problem. It is also entirely possible that employees might unintentionally leak sensitive corporate information via social networking sites, especially in an age where many people are not shy about divulging the details of what they are doing at any given moment in time.

It is surprising how few enterprises have a good sense of where their critical information assets lie, as well as how that information moves across the network. That includes not only information that an attacker is trying to steal, but also information that an otherwise well-meaning insider might be leaking either through a social networking channel or through some other means.

Panos Anastassiadis, CEO, Cyveillance. We have certainly seen a fair number of scareware applications pushed through (social networks). We have also tracked a large number of Trojan downloaders, which install rootkits and keylogging malware. We are seeing anti-virus killers, porn dialers, rootkits and a variety of other malware categories. However, the most prevalent installed malware is the downloader.

At a minimum, consumers must remain cautious and only view tweets that are from trusted sources. Twitter should be inspecting hyperlinks submitted for a behavioral analysis to determine if malware is present, coupled with using domain whitelisting/blacklisting methods prior to allowing the URL to be posted.

Graham Cluley, Senior Technology Consultant, Sophos. Most companies we speak to are definitely aware of the problem – but are having to balance their desire to secure their network with demands from inside their organization that they use social networks to benefit the business.

One danger is that by completely denying staff access to their favorite social networking site, organizations will drive their employees to find a way round the ban (such as anonymising proxies) – and this could potentially open up even greater holes in corporate defenses.

The fact is that social networks are here to stay. If email and the web were invented today many IT managers might be tempted to ban them from their organization because of the security risks they bring with them, but we all recognize that that would be detrimental to business health. As social networks can bring benefits to companies, it becomes more sensible to ensure that users are protected while using them rather than banning them outright.

Jamz Yaneza, Advanced Threat Researcher, Trend Micro. I firmly believe that companies are aware of the threat. However, it really comes down to educating the corporate end-users. If you think about it, Draconian blocking of content, instead of managing the flow, could lead to use of anonymous proxies, client-side port tunneling — the list goes on.

Not only should desktops be part of that policy, but any device brought into the network and used, such as kiosks, tablets, smart phones, etc. Social networks are not the whole online threat. However, given the rich, collaborative set of information one could glean, it is not surprising that criminals have taken interest.

Bogdan Dumitru, CTO, BitDefender. As of yet, there are few e-threats which target and exploit platforms like Twitter for the sake of the data within. The preferred target is still the personal computer, not data stored in the cloud. As you have noted, such social networks are mainly used to spread “classical” malware via drive-by-downloads or other such techniques. A consequence of this is that plain-vanilla internet security software is still highly effective in preventing data loss.

However, the problem of social network mediated spam and phishing attacks is still unsolved from a technical point of view. The obvious point of deployment for such a solution would be at the service provider, but client-side web filtering software would also help. It also pays to remember that every point of a network is equally exposed – even with gateway filtering in place, workstation security is still a must.

Dirk Knop, Technical Editor, Avira. Social networks are a marketing instrument for most companies so they can’t simply close down the access to them. But they need to adapt their security policies to also cover the responsible usage of these networks if they haven’t already done so. They also need to prepare their infrastructure to cope with these web-threats. Such web filters at the internet gateways are in place in most companies already.

So most companies are already well prepared for the threats that stem from social networking. And for those who aren’t there are solutions available. Especially home users and small offices/home offices are more at risk – they should think about using a current antivirus solution with web threat protection if they don’t have such a solution yet.

Dameon Welch Abernathy, Security Expert, Check Point. Given the number of social networking services and the various methods for accessing them, it may be difficult or impossible to entirely block access to these services.

A unique twist that is occurring on social networking sites is links that are hidden by URL shortening services. These services take a long URL and convert it into a “shorter” URL. This is useful on services like Twitter where each “tweet” can only be 140 characters. However, it also makes it difficult to visually evaluate a link to ensure it does not lead to a suspicious or malicious site.

Much like users should be careful of opening unsolicited email attachments, they should likewise be careful of links provided through social networking services, even if they come from “friends.” If the message that comes with a link seems at all suspicious, don’t click on the link.
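Both Welch Abernathy’s point about shortened links hiding their destination and Anastassiadis’s suggestion that a service check submitted hyperlinks against domain whitelists and blacklists before posting come down to the same defensive step: expand the short link without fetching any page body, then judge the final hostname. The Python below is an added example written for this post, not code from any of the companies quoted. To run offline it replaces live HTTP HEAD requests with a constructed redirect table (`FAKE_REDIRECTS`, with hypothetical `short.example` and `example.com` names); a real deployment would swap `lookup_redirect` for a function that issues a HEAD request and returns the `Location` header. It also handles the two failure modes a naive expander misses: redirect loops and redirect chains that never terminate.

```python
"""Expand shortened links and classify the final destination by domain.

Added example, not from the article or from any vendor quoted in it.
The redirect table is constructed; in production `lookup_redirect` would
send an HTTP HEAD request and return the Location header (or None).
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for shortener responses: key = requested URL,
# value = Location header it would return.  All hosts are hypothetical.
FAKE_REDIRECTS = {
    "http://short.example/a1": "http://short.example/b2",
    "http://short.example/b2": "https://news.example.com/story",
    "http://short.example/rel": "/landing",            # relative Location
    "http://short.example/landing": "https://news.example.com/landing",
    "http://short.example/loop": "http://short.example/loop",  # self-loop
    "http://short.example/bad": "http://malware.example.net/install.exe",
}

DENYLIST = {"malware.example.net"}   # constructed; a real list comes from threat intel
ALLOWLIST = {"example.com"}          # suffix match also covers subdomains
MAX_HOPS = 5                         # bound the chain so a hostile shortener cannot stall us

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def lookup_redirect(url):
    """Stand-in for a HEAD request: the next hop, or None if this is the end."""
    return FAKE_REDIRECTS.get(url)


def expand_url(url, fetch=lookup_redirect, max_hops=MAX_HOPS):
    """Follow redirects without downloading bodies.

    Returns (final_url, hops_taken, status) where status is one of
    "ok", "loop" or "too_many_hops".  A loop or an over-long chain is
    reported rather than followed, so the caller can treat it as suspect.
    """
    seen = []
    current = url
    for _ in range(max_hops):
        if current in seen:
            return current, len(seen), "loop"
        seen.append(current)
        nxt = fetch(current)
        if nxt is None:
            return current, len(seen) - 1, "ok"
        current = urljoin(current, nxt)  # resolves relative Location values
    return current, max_hops, "too_many_hops"


def host_of(url):
    """Lower-cased hostname with any trailing dot removed, or '' if absent."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url):
    """Return (verdict, final_url, reason) for one link found in a message."""
    final, _hops, status = expand_url(url)
    if status != "ok":
        return "suspicious", final, status
    host = host_of(final)
    if domain_matches(host, DENYLIST):
        return "block", final, "denylisted"
    if domain_matches(host, ALLOWLIST):
        return "allow", final, "allowlisted"
    return "review", final, "unknown domain"


def scan_message(text):
    """Extract every http(s) link in a message and classify each one."""
    return [(u,) + classify_link(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample tweet containing one benign and one denylisted short link.
    sample = "breaking news! http://short.example/a1 and free download http://short.example/bad"
    for url, verdict, final, reason in scan_message(sample):
        print(f"{verdict:10s} {url} -> {final} ({reason})")
```

The hop bound and loop check matter more than they look: an expander that simply follows `Location` until it stops is itself a resource-exhaustion target, and a chain that bounces across several shorteners is a signal in its own right, which is why the code surfaces `loop` and `too_many_hops` as verdicts instead of silently giving up. Suffix matching on the allowlist means `news.example.com` is accepted under `example.com`, so anything placed on the allowlist should be a domain whose subdomains are all under the same control.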

Don DeBolt, Research Director, CA. The most prudent of companies have established policy around social network access and have defined who within the company needs access to such resources. This ‘as needed’ approach enables the business to tap into the new medium but limits exposure to threats within the company at large.

But the bad guys are always one step ahead because they have the luxury of having to only find one vulnerability that can be exploited versus the good guys who have to protect against all known vulnerabilities. This puts the bad guys at a significant advantage and when this advantage is combined with a complex new medium such as social networking it places the Internet community at significant risk.

The challenge for companies is in quantifying that risk and enabling change to reduce the risk. Unfortunately in many cases it takes a disaster to force the implementation of proper controls to limit the risks. We can only hope that this is not the case with social networks and our corporate Internet citizens.

–Byron Acohido
