Hackers tweet, infect Twitter users with scareware
'Security nightmare' arrives; hackers use exploit kit to spread fake security software
Computerworld - The latest attack to hit Twitter is a "security nightmare" and marks the first time hackers have taken to using the micro-blogging site for profit, a researcher said today.
Unlike earlier cross-site scripting attacks on Twitter, the latest wasn't a worm, said Roel Schouwenberg, a senior antivirus researcher with Moscow-based Kaspersky Labs. Instead, it's something even scarier: The first instance of hackers serving up "scareware," fake security software that, once installed, nags users with so many alerts that some fork over $50 or more just to "register" the program and get rid of the warnings.
"This is just another scareware installer," Schouwenberg said, referring to the malware that's downloaded onto victimized PCs. "There's no worm component. But it's quite significant as it's the first time that Twitter's been used for a traditional type of attack."
Over the weekend, Twitter users began receiving tweets with the phrase "Best Video" and a link to a Russian domain. Although those who clicked on the link were directed to a site with a video, they were also served a malicious PDF document via an IFRAME on that site. The PDF, said Schouwenberg, contains a number of exploits, and tries each in turn. If it's able to compromise the computer using one of those exploits, the malware then installs phony security software.
Twitter's not able to remove any malware installed by the attacks, of course, leaving that chore up to users.
Schouwenberg's sure that Twitter's talk of cleaning accounts was a smokescreen, as unlike attacks in April, this one wasn't a worm. "There was no self-replicating code in the binary," he said. Instead, Schouwenberg believes that the malicious tweets were sent from Twitter accounts whose log-on credentials had been hijacked previously by basic phishing-style scams.
"When I first saw this Saturday night, I thought of the Twitter phishing attack, which was quite high profile," said Schouwenberg. "Phishing always has a greater purpose ... so when all of a sudden you see a new 'worm' but there's no worm component [in the attack code], it's clear that this was based on compromised accounts, rather than self-replicating."
Schouwenberg also found the links in the malicious tweets on multiple Web forums, giving credence to his theory that hijacked accounts were used to launch the scareware attack.
Twitter users should expect to see more such attacks, Schouwenberg said. "The whole idea of Twitter is to click on links," he said. "It's a security nightmare."
- Twitter brings the data back in-house with Gnip buy
- Twitter crashed -- again -- on Tuesday
- Twitter's slipping user growth spooks investors
- Get ready to tweet your questions for Twitter's first earnings call
- Super Bowl sets Twitter record, as Volkswagen launches social war room
- Perspective: Twitter's success opens up IPO pipeline
- Update: Twitter goes public at $45 a share
- With IPO cash influx, Twitter could be bigger threat to Facebook
- Ahead of IPO, Twitter shines up multimedia image
- Twitter kicks off pre-IPO investor roadshow
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts