9/25/2012 11:20 AM

Twitter Direct Messages Disguise Trojan App Attack

Compromised Twitter accounts send fake Facebook videos and Flash updates that trigger drive-by malware exploits.

Beware Twitter direct messages containing links.

That warning comes as Twitter users in recent days have reported seeing a flurry of direct messages--including warnings such as "you even see him taping u" and "your in this [Facebook.com page link] LoL"--that include a link, ostensibly to a video. The links, however, don't lead to a Facebook video featuring the recipient, but rather to a website that attempts to launch a drive-by exploit via the user's browser.

In some versions of the attack, for example, "users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed,'" said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer." The update in question, however, is really a Windows-compatible Trojan application known as Mdrop-EML. If the Trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as to copy itself to any local drives and network shares to which the PC has access.

In other words, when it comes to links supposedly shared by friends on social networks, stay wary. "The attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," said Cluley.


Of course, the bogus video attack is hardly the first malicious campaign to be launched via direct messages. Earlier this year, for example, an attack campaign used direct Twitter messages to ask, "Did you see this tweet about you?"--and included a link to a malicious website.

Meanwhile, attackers have been practicing similar techniques on Facebook for years, including one apparently non-stop spam campaign that's aimed at selling shoes. Adding insult to potential injury, after compromising an account, the spammers post a provocative picture--involving shoes--and "tag" friends of the accountholder as being the subject of the photo, all of which no doubt increases the page views for their advertising.

Still, has the volume of attacks launched via Twitter direct messages been increasing lately? And just how are attackers compromising users' accounts? Twitter spokeswoman Rachel Bremer declined to address those specific questions. But via email, she said that "we are constantly working to keep users safe and provide tips for them on how to protect their accounts." She also pointed Twitter users to Twitter's own guidance on keeping accounts secure, as well as general tips on configuring an account in advance so that its owner can react quickly should someone hack into it.

What types of attacks should Twitter users be on the lookout for? Based on past attacks, some tried-and-true exploit techniques include tricking users into using malicious Facebook apps or toolbars of questionable nature. Attackers can also employ bots that take stolen email address/password combinations--often gleaned via public dumps of breached data--and automatically try them on other sites to see if they work. Last year, for example, Sony locked 93,000 accounts that had been accessed by attackers who'd reused email and password combinations stolen from an unknown, third-party website. In other words, users should beware reusing the same password on multiple websites.
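A defender-side illustration of the credential-reuse bots described above, added here and not taken from the article, Sophos or Twitter: it scans constructed login-log lines for a single source address trying many distinct accounts inside a short window (the signature of stolen email/password pairs being replayed against another site), and lists the accounts that source actually got into so they can be reset and have their app permissions reviewed. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one address cycling through
# many distinct accounts in a few seconds, beside normal single-user activity.
SAMPLE_LOG = """\
2012-09-25T11:00:01 src=203.0.113.7 user=alice result=FAIL
2012-09-25T11:00:02 src=203.0.113.7 user=bob result=FAIL
2012-09-25T11:00:03 src=203.0.113.7 user=carol result=FAIL
2012-09-25T11:00:04 src=203.0.113.7 user=dave result=SUCCESS
2012-09-25T11:00:05 src=203.0.113.7 user=erin result=FAIL
2012-09-25T11:00:06 src=203.0.113.7 user=frank result=FAIL
2012-09-25T11:05:00 src=198.51.100.2 user=grace result=FAIL
2012-09-25T11:05:30 src=198.51.100.2 user=grace result=SUCCESS
2012-09-25T12:30:00 src=203.0.113.7 user=heidi result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_events(text):
    """Parse lines into (timestamp, src, user, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that tried >= min_accounts distinct accounts inside one sliding
    window. Successes count too: a hit on a reused password looks just the same."""
    by_src = defaultdict(list)
    for ts, src, user, _ in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(src, set()).update(users)
    return {s: sorted(u) for s, u in flagged.items()}

def compromised_accounts(events, flagged):
    """Accounts a flagged source logged into: reset password, review app permissions."""
    return sorted({u for _, s, u, r in events if s in flagged and r == "SUCCESS"})
```

The single-user address that fails once and then succeeds is left alone, which is the ordinary forgotten-password case this check must not flag.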

Finally, any Twitter users whose accounts have been used to launch malicious direct messages should immediately change their account password and perform some account-related housekeeping. "If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password--make sure it is something unique, hard-to-guess and hard-to-crack--and revoke permissions of any suspicious applications that have access to your account," said Cluley.

Likewise, as noted in a recent story published in Slate, anyone who's clicked on one of the attack links in question should also change their Twitter password immediately--just in case.
