    TrendLabs Security Intelligence Blog

    Author Archive - Jon Oliver (Senior Architect)

    In the two previous parts of this series of blog posts, we discussed the kinds of threats that we’re seeing on Twitter, as well as the scope and scale of these threats. In this part, we will discuss their motivations, and what end users can do.

    The first question is: why do cybercriminals bother doing this? Social media accounts are valuable in their own right. These accounts can typically be used to make money in many ways for cybercriminals; any form of personally identifiable information (PII) can be monetized by attackers.

    One way that stolen social media accounts are used is to send spam. One reason that social media spam can be considered superior to email spam is simple: more people click on links from social media than email. The click-through rate for email spam is estimated at anywhere from 0.003% to 0.02%. How does Twitter spam fare?

    It’s difficult to compare the effectiveness of Twitter spam with that of e-mail spam exactly. One measure we can use is the number of clicks we saw for every spammed Tweet. This varies depending on the type of abuse. Some Twitter spam campaigns could be spectacularly successful: one viral campaign aimed at Japanese users had 0.269 clicks per Tweet. However, more typical rates varied from 0.01 clicks per Tweet for Twitter-specific spam to 0.03 for malware-linked Tweets. These numbers suggest that Twitter spam is more effective than conventional email spam.

    So now we’ve established that Twitter spam is a legitimate threat. How is Twitter responding? We are happy to say that this is a problem Twitter is getting on top of. Earlier this year, they disclosed the existence of BotMaker, their anti-spam bot infrastructure, which has cut the spam problem by 40%. Other social networks can study Twitter as an example of how to deal with threats on their sites.

    For users, the lessons are clearer. First of all, do not believe any claims that you can buy followers/views/likes/friends/etcetera. The numbers you buy will almost certainly come from compromised accounts. This will bring no value, or even negative value, to your own social media efforts. Your own account may also be compromised in the process. Shortcuts to social media popularity don’t exist.

    Secondly, you should already be careful about clicking on links posted on social media in general, but be particularly careful about links that say you have to log in again because your original login timed out. Close your browser and start again; if you see the same message, it’s almost certainly a phishing page.

    Lastly, if the social media services you use support it, turn on two-factor authentication. Just about all large online services today offer some support for two-factor authentication. Turning it on makes compromising your account much harder, as an attacker has to somehow compromise your phone as well. It’s not impossible – other Trend Micro research has shown how this can be done with online banking. However, it is still a useful security precaution to take against most attacks targeting social media.

    Posted in Social, Spam | Comments Off

    In the previous blog post of this series, I introduced our paper titled An In-Depth Analysis of Abuse on Twitter, which looked at the threats in the Twitter landscape and explained the various kinds of malicious tweets we’ve seen. In this post, we look at the scope and scale of these threats.

    Malware Tweets

    Users in the United States generally click the most links that go to malicious URLs from Twitter, whether it be phishing Tweets, Tweets with shortened URLs, or traditional spam. In one category, however, this was not the case. We identified a malware outbreak which was targeting users in Middle Eastern countries. Users in Saudi Arabia, Egypt, and Sudan clicked the most links from tweets that led to malware. The United States was only fourth in this tally:

    Figure 1. Countries clicking on Tweets leading to malware

    Twitter Phishing

    Twitter phishing is a threat that is well-known to many users. After all, many users frequently complain that their accounts have been “hacked”; in many cases these could be the result of phishing attacks.

    Twitter phishing uses features of Twitter to make the scheme more effective. Imagine that Alice was phished on day one. The next day, Alice’s account may send a phishing message to her friend Bob, which would look like:

    @Bob lol this entry by you is cool short_{malicious domain}/123465

    If Bob clicks on this message, it will say his Twitter session has logged out – and that he needs to log in again. If he enters his username and password, then he has been phished. His account will then send messages to his friends, and so on.

    This phishing scheme was particularly effective at avoiding detection by security researchers. Some characteristics of this scheme include:

    • Use of URL shorteners
    • Use of complex infection chains, similar to those used by exploit kits
    • Links sent to users via Tweets from compromised accounts

    Some of the primary tools used by security researchers are honeypots, sandboxes and web reputation. These techniques are ineffective against this scheme for several reasons, including:

    • the messages are unlikely to arrive in honeypots, since the phishing messages are sent from one legitimate user to another legitimate user;
    • this method tricks users into giving up their credentials rather than running code, so sandboxes are ineffective; and
    • the use of shortened URLs and complex infection chains makes web reputation technologies less effective.

    Figure 2. Sample infection chain
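    The third point above is the one a defender can act on: reputation lookups on the shortened URL in the Tweet see a clean shortener host, so the chain has to be expanded first. The following is an added example, not code from the post or the paper; the redirect map and the bad-domain list are constructed stand-ins for live HTTP 30x responses and a reputation feed.

```python
"""Expand a shortener/redirect chain before applying URL reputation (added example)."""
from urllib.parse import urlparse

# Constructed redirect map standing in for live HTTP redirects: each
# shortened or intermediate URL maps to the Location it would send the
# browser to. The last two entries form a loop to exercise the hop cap.
REDIRECTS = {
    "http://short.example/123465": "http://hop1.example/go?id=7",
    "http://hop1.example/go?id=7": "http://hop2.example/r",
    "http://hop2.example/r": "http://phish-landing.example/session",
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}

# Constructed reputation data: only the final landing host is known bad.
# The shortener and the intermediate hops are clean, which is exactly why a
# lookup on the URL as it appears in the Tweet comes back clean.
BAD_DOMAINS = {"phish-landing.example"}

MAX_HOPS = 10


def expand_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return every URL visited, starting with `url`.

    Stops at the first URL that does not redirect, at the first repeated URL
    (a loop), or once `max_hops` redirects have been followed.
    """
    chain, seen = [url], {url}
    while len(chain) - 1 < max_hops:
        nxt = redirects.get(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def naive_is_malicious(url, bad=BAD_DOMAINS):
    """Reputation check on the Tweet's URL only: misses the whole chain."""
    return urlparse(url).hostname in bad


def expanded_is_malicious(url, bad=BAD_DOMAINS):
    """Reputation check on every hop, so the final landing host is caught."""
    return any(urlparse(u).hostname in bad for u in expand_chain(url))
```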

    We looked into the main phishing scheme attacking Twitter for a three-month period in 2014, from March 1 to June 1. On peak days, more than 20,000 accounts would be used to send tweets with links to more than 13,000 distinct URLs.

    Since June, however, Twitter has largely got on top of this, and the volume of Twitter-specific phishing has been significantly reduced. Almost half of the victims of this scheme were located in the United States:

    Figure 3. Phishing victims

    Searchable Spam

    On Twitter, there is a large number of tweets offering services of a dubious nature, many of which infringe copyright. We have termed these tweets “searchable spam”. Typically, these tweets are in Russian and advertise free movies, hacked games and software, etcetera. Social media attacks are frequently tailored towards specific target audiences. It’s something of a surprise, then, how much searchable Russian spam is accessed from outside Russia.

    Since these spam Tweets are thought to advertise illegal goods, it may well be that the reputation of the Russian underground actually gives these ads some credibility in the eyes of readers from outside Russia.

    Figure 4. Traffic to Russian-language Tweets

    Some of these attacks are more easily detected by Twitter and more likely to result in suspended accounts. We identified 17 distinct groups that took part in spam campaigns during the study period. Twitter was able to suspend almost 34,000 accounts from these groups, with some of them losing more than 90% of the accounts under their control.

    We have other findings listed in the paper, but these alone should be sufficient to show that malicious Tweets do exist on Twitter. However, any social network can be abused by cybercriminals and has to deal with malicious content on its site. In the third part of this blog series, we will look at what can be done to reduce these threats.

    Posted in Bad Sites, Social | Comments Off

    Twitter is an important means of communication for many people, so it shouldn’t be a surprise that it has become a medium that is exploited by cybercriminals as well. Together with researchers from Deakin University, we have released an in-depth paper titled An In-Depth Analysis of Abuse on Twitter that looks at the scale of this threat.

    To gather this information, we analyzed publicly accessible Tweets from a two-week period in 2013. Many of these we discarded, as they did not have any links. The majority of malicious Tweets contain some kind of malicious links, so we opted to focus on these alone.

    We ended up gathering more than 570 million Tweets in total. Of these, we identified that more than 33 million – 5.8% of the total – had links to malicious content of some kind or another. Malicious content does not necessarily mean only malware: it can also mean links to spammed advertisements and phishing pages, among other threats. The data collection period coincided with a significant spam outbreak.

    In practice, we identified several types of abuse on Twitter, including:

    • Spam
    • Phishing
    • Links to malware
    • Accounts being stolen and suspended.

    There are two distinct flavors of spam. The first is traditional spam, which uses hashtags, is very obvious and repetitive, and quickly gets shut down.

    The second type is what we call “searchable spam”. Searchable spammed tweets are completely different. This is what they look like:

    Figure 1. Searchable tweets

    These tweets are, in some ways, more akin to classified ads. They are typically used to promote pirated or fake copies of various items like:

    • cracked software
    • free movies
    • gadget knockoffs
    • homework solutions

    Unlike the more “traditional” tweets, they did not make heavy use of hashtags. There is a strong Eastern European connection with these tweets as well: many are written in Russian, or hosted on servers in Russia or Ukraine.

    This threat is much more low-profile than other attacks, and it shows: the probability of Twitter suspending accounts involved in this activity is lower than accounts involved in other malicious activities. All this is designed to avoid users reporting these tweets (and accounts).

    In addition, half of the traffic to the sites advertised in these tweets doesn’t actually come from Russia. The users finding these tweets really are interested in what they “need”, even if they need automated translation tools to understand them.

    Twitter accounts themselves are valuable targets for cybercriminals. As a result, various scams that try to obtain users’ credentials are common as well. For example, compromised accounts will mention their friends in tweets (or send direct messages) that ask the user to click on a (shortened) URL. This link will eventually lead users to phishing pages that ask for the user’s Twitter account credentials.

    Another way to gain access to Twitter accounts is the well-known follower scam. These scams lure users under the promise of more followers. Instead, they give attackers access to the user’s Twitter account.

    In future posts, we will look at the regional differences in Twitter abuse, as well as possible solutions to the threat.

    This research was supported by ARC Linkage Project LP120200266.

    Posted in Social | Comments Off

    Recently, I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate.

    There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me.

    These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems.

    However, this is something of a teachable moment when it comes to these attacks. We tend to think of different security problems as unrelated, but more often than not they can be related. For example, whoever was behind this scam knew enough to match my name to my address and my phone number. While I did not have an NAB credit card at the time of the call, I did have one several years ago.

    How did they get all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud.

    Since last year, we’ve been pointing out the huge gains in banking malware. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, these sorts of phishing calls can be thought of as the equivalent of banking malware threats.

    These threats should serve as a wake-up call that good security is the responsibility of everyone – consumers should try to learn how not to be fooled by these scams, and enterprises should take their own security seriously – particularly when it comes to user data.

    Posted in Social | Comments Off

    Recently Google announced that it had changed its policy dealing with images in email. In a blog post on the official Gmail blog, Google said:

    [You’ll] soon see all images displayed in your messages automatically across desktop, iOS and Android. Instead of serving images directly from their original external host servers, Gmail will now serve all images through Google’s own secure proxy servers.

    Simply put, this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google.

    Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps.

    In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users.

    However, actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits.

    The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are.

    Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware) appears to solve a small security problem (malicious image files), while leaving users’ security and privacy at risk. Attackers still have the capability to track that users have read email, and to learn aspects of their browser environment.
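    The leak described here comes from remote images being fetched at all: a proxy fetching a per-recipient image URL still tells the sender the message was opened, while inline (cid: or data:) images reveal nothing. As an added example that is not part of the post, the following classifies the images in an HTML message body the way an “ask before displaying external images” client would; the sample message is constructed and the tracking-pixel heuristic (tiny dimensions or a long per-recipient token in the URL) is this example’s own.

```python
"""Classify remote images in an HTML email body (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: one inline logo (safe to render), one 1x1
# beacon carrying a per-recipient token, and one ordinary remote photo.
SAMPLE_HTML = """<html><body>
<img src="cid:logo@example" width="120" height="40">
<p>Your statement is ready.</p>
<img src="https://track.example/open.gif?u=0123456789abcdef0123" width="1" height="1">
<img src="https://img.example/photo.jpg" width="400" height="300">
</body></html>"""


class RemoteImageFinder(HTMLParser):
    """Collects the attributes of every <img> whose src is fetched over HTTP(S).

    cid: and data: images ship inside the message, so rendering them leaks
    nothing to the sender; only http/https sources trigger a fetch.
    """

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.remote.append(a)


def is_tracking_pixel(attrs):
    """Heuristic: 0/1-pixel dimensions, or a query value long enough to be a
    per-recipient identifier (16+ characters). Either marks a read receipt."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    tiny = w in ("0", "1") and h in ("0", "1")
    query = parse_qs(urlparse(attrs.get("src", "")).query)
    has_token = any(len(v[0]) >= 16 for v in query.values() if v)
    return tiny or has_token


def analyse(html):
    """Return one record per remote image: its URL and whether it looks like a beacon."""
    finder = RemoteImageFinder()
    finder.feed(html)
    return [{"src": a["src"], "tracking": is_tracking_pixel(a)} for a in finder.remote]


def leaks_read_status(html):
    """True if rendering the message would make any fetch the sender can observe."""
    return bool(analyse(html))
```

Blocking on `leaks_read_status` (or prompting the user) is the per-message behaviour the post recommends; a proxy that fetches on the user’s behalf changes the client address the sender sees, but not the fact of the fetch.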

    Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:

    Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.

    We strongly recommend that users change this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images.

    Posted in Bad Sites | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice