Twitter Abuse Growing Rampant

By Matthew Hines  |  Posted 2009-09-30 Print this article Print

Social networks are rapidly becoming a primary channel to market for malware distributors and other cyber-criminals as the use of popular sites such as Twitter continues to take off, and the communications vehicles subsequently create new opportunities for attackers to hide their threats using features such as so-called link shorteners.

Attackers have been working to infiltrate and abuse social networks for years, but the issue is becoming truly pervasive nowadays as they shift even more of their efforts away from more traditional electronic messaging systems and distribute a greater share of their nefarious content over so-called Web 2.0 sites, in particular Twitter, according to Symantec security researcher Ben Nahorney.

The distribution of malware infection links over Twitter has become particularly problematic of late, Nahorney noted in a recent blog post. Since the 140 character limit for posts to made over micro-blogging platform has lead to widespread use of URL-shorteners obscure address details, and even savvy users of Twitter are likely taking bigger risks, the implication appears to be.

Cyber-criminals are also currently flocking to social networking sites based on the sheer availability of victims, based on Symantec's current observations. In the last week alone, new attack models have materialized on Twitter, including a campaign promising links to videos of the involved targets sent from the hacked accounts of contacts with whom they are connected.

Rather than passing along the clips they promise, the attacks present users with a legitimate-looking Twitter log-in page that instead phishes end users' account details, and in some cases attempts to download a variant of the Koobface botnet program, which has been distributed heavily over social networks.

URL-shorteners present a near perfect opportunity for attackers to suck in new victims, particularly when used in such a targeted manner, based on the fact that their job is essentially to hide and manipulate Web address data, something attackers have already trying to get away with for years.

Combined with other classic social engineering techniques, many users are likely falling for the campaigns based on their trust of fellow users and a lack of any system with which to quickly validate the security of the obfuscated URLs, according to the Symantec expert.

"Clicking any link like this is entirely a security leap of faith," said Nahorney. "Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used Twitter search terms, their goal is to get other users to click on their links, leading to malicious code."

"While the misleading applications currently being served up in this manner all seem look very similar today, we're likely to see more variety in the future," he said.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel