Dark Reading is part of the Informa Tech Division of Informa PLC

Twitter Direct Messages Disguise Trojan App Attack

Compromised Twitter accounts send fake Facebook videos and Flash updates that trigger drive-by malware exploits.

Beware Twitter direct messages containing links.

That warning comes as Twitter users in recent days have reported seeing a flurry of direct messages--including warnings such as "you even see him taping u" and "your in this [Facebook.com page link] LoL"--that include a link, ostensibly to a video. The links, however, don't lead to a Facebook video featuring the recipient, but rather to a website that attempts to launch a drive-by exploit via the user's browser.

In some versions of the attack, for example, "users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed,'" said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer." The update in question, however, is really a Windows-compatible Trojan application known as Mdrop-EML. If the Trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as to copy itself to any local drives and network shares to which the PC has access.

In other words, when it comes to links supposedly shared by friends on social networks, stay wary. "The attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," said Cluley.

Of course, the bogus video attack is hardly the first malicious campaign to be launched via direct messages. Earlier this year, for example, an attack campaign used direct Twitter messages to ask, "Did you see this tweet about you?"--and included a link to a malicious website.

Meanwhile, attackers have been practicing similar techniques on Facebook for years, including one apparently non-stop spam campaign that's aimed at selling shoes. Adding insult to potential injury, after compromising an account, the spammers post a provocative picture--involving shoes--and "tag" friends of the accountholder as being the subject of the photo, all of which no doubt increases the page views for their advertising.

Still, has the volume of attacks launched via Twitter direct messages lately been increasing? And just how are attackers compromising users' accounts? Twitter spokeswoman Rachel Bremer declined to address those specific questions. But via email, she said that "we are constantly working to keep users safe and provide tips for them on how to protect their accounts." She also pointed Twitter users to Twitter's own guidance on keeping accounts secure, as well as to general tips on configuring an account in advance so that users can react quickly should someone hack into it.

What types of attacks should Twitter users be on the lookout for? Based on past attacks, some tried-and-true techniques include tricking users into installing malicious Facebook apps or toolbars of questionable provenance. Attackers can also employ bots that take stolen email address/password combinations--often gleaned via public dumps of breached data--and automatically try them on other sites to see if they work. Last year, for example, Sony locked 93,000 accounts that had been accessed by attackers who'd reused email and password combinations stolen from an unknown, third-party website. In other words, users should beware reusing the same password on multiple websites.

Finally, any Twitter users whose accounts have been used to launch malicious direct messages should immediately change their account password and perform some account-related housekeeping. "If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password--make sure it is something unique, hard-to-guess and hard-to-crack--and revoke permissions of any suspicious applications that have access to your account," said Cluley.

Likewise, as noted in a recent story published in Slate, anyone who's clicked on one of the attack links in question should also immediately change their Twitter password--just in case.
