Attacks/Breaches
9/25/2012
11:20 AM
50%
50%

Twitter Direct Messages Disguise Trojan App Attack

Compromised Twitter accounts send fake Facebook videos and Flash updates that trigger drive-by malware exploits.

Beware Twitter direct messages containing links.

That warning comes as Twitter users in recent days have reported seeing a flurry of direct messages--including warnings such as "you even see him taping u" and "your in this [Facebook.com page link] LoL"--that include a link, ostensibly to a video. The links, however, don't lead to a Facebook video featuring the recipient, but rather to a website that attempts to launch a drive-by exploit via the user's browser.

In some versions of the attack, for example, "users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed,'" said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer." The update in question, however, is really a Windows-compatible Trojan application known as Mdrop-EML. If the Trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as to copy itself to any local drives and network shares to which the PC has access.

In other words, when it comes to links supposedly shared by friends on social networks, stay wary. "The attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," said Cluley.

[ Are you at risk? Learn How Cybercriminals Choose Their Targets. ]

Of course, the bogus video attack is hardly the first malicious campaign to be launched via direct messages. Earlier this year, for example, an attack campaign used direct Twitter messages to ask, "Did you see this tweet about you?"--and included a link to a malicious website.

Meanwhile, attackers have been practicing similar techniques on Facebook for years, including one apparently non-stop spam campaign that's aimed at selling shoes. Adding insult to potential injury, after compromising an account, the spammers post a provocative picture--involving shoes--and "tag" friends of the accountholder as being the subject of the photo, all of which no doubt increases the page views for their advertising.

Still, has the volume of attacks launched via Twitter direct messages lately been increasing? In addition, just how are attackers compromising users' accounts? Twitter spokeswoman Rachel Bremer declined to address those specific questions. But via email, she said that "we are constantly working to keep users safe and provide tips for them on how to protect their accounts." For related information, she also pointed Twitter users to more information from Twitter about how to keep Twitter accounts secure, as well as general tips about how Twitter users can configure their accounts in advance to help them react quickly, should someone hack into their account.

What types of attacks should Twitter users be on the lookout for? Based on past attacks, some tried-and-true exploit techniques include tricking users into using malicious Facebook apps or toolbars of questionable nature. Attackers can also employ bots that take stolen email address/password combinations--often gleaned via public dumps of breached data--and automatically try them on other sites to see if they work. Last year, for example, Sony locked 93,000 accounts that had been accessed by attackers who'd reused email and password combinations stolen from an unknown, third-party website. In other words, users should beware reusing the same password on multiple websites.

Finally, any Twitter users whose accounts have been used to launch malicious direct messages should immediately change their account password and perform some account-related housekeeping. "If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password--make sure it is something unique, hard-to-guess and hard-to-crack--and revoke permissions of any suspicious applications that have access to your account," said Cluley.

Likewise, as noted in a recent story published in Slate, anyone who's clicked on one of the attack links in question should also immediately change their Twitter password immediately--just in case.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.