Scammers auto-generate Twitter accounts to spread scareware
They use bogus accounts, real tweets, to dupe people into installing fake antivirus software
Computerworld - Scammers are increasingly using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said Monday.
The latest Twitter attacks originated with malicious accounts cranked out by software, said experts at both F-Secure and Sophos. The accounts, which use variable account and user names, supposedly represent U.S. Twitter users. In some cases, the background wallpaper is customized for each account, yet another tactic to make the unwary think that a real person is responsible for the content.
Tweets from those accounts are also automatically generated, said Sean Sullivan, a security advisor with the North American labs of Helsinki-based F-Secure. Some of the tweets exploit Twitter's current "Trending Topics," the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets.
All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called "scareware" because they fool users with sham infection warnings, then provide endless pop-ups until people pay $40 to $50 to buy the useless program.
"As fast as Twitter can shut down the accounts, [the scammers] create new accounts," said Sullivan. "Somehow they're getting around the CAPTCHA, but how they're doing it, whether with a bot or by CAPTCHA farms, we don't know."
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is the technology that uses distorted, scrambled characters to block automated registration of accounts. The defense, however, has regularly been subverted by hacker-built software, or by humans who contract to decipher the characters manually.
"There's nothing cookie-cutter about these accounts," noted Sullivan, who added that scareware scammers aren't afraid to spend money to make money.
There's a lot of the latter to be had. Last year, botnet researcher Joe Stewart of SecureWorks said there was evidence some hackers were making as much as $5 million a year shilling scareware.
"A lot of these scareware campaigns don't last 24 hours," said Beth Jones, a threat researcher at U.K.-based Sophos. "By the time a [distribution] site is blocked, they've already moved on to something else."
The servers hosting the phony security software behind the Twitter attacks are located in Toronto, said Jones, who said Sophos had been monitoring those systems since June.
Because the scareware tweets use a URL shortening service -- as do most tweets to crowd as much as possible into Twitter's 140-character limit -- it's impossible for users to tell exactly where the link will take them. Jones suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination. Unfortunately, the scammers are using the Metamark shortening service; TweetDeck doesn't support previews for Metamark.
"Scammers are using Twitter because it's a new conduit for spreading their scareware," said Jones. "They go where the money is, which means where people are, and people are on Twitter."
By late Monday, Twitter had deleted the machine-generated accounts spreading scareware that Sophos and F-Secure had revealed, but some tweets with the same malicious URL were still available on the service.
Read more about Security in Computerworld's Security Topic Center.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!