Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Twitter Direct Messages Disguise Trojan App Attack

Compromised Twitter accounts send fake Facebook videos and Flash updates that trigger drive-by malware exploits.



Beware Twitter direct messages containing links.

That warning comes as Twitter users in recent days have reported seeing a flurry of direct messages--including warnings such as "you even see him taping u" and "your in this [Facebook.com page link] LoL"--that include a link, ostensibly to a video. The links, however, don't lead to a Facebook video featuring the recipient, but rather to a website that attempts to launch a drive-by exploit via the user's browser.

In some versions of the attack, for example, "users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed,'" said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer." The update in question, however, is really a Windows-compatible Trojan application known as Mdrop-EML. If the Trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as to copy itself to any local drives and network shares to which the PC has access.

In other words, when it comes to links supposedly shared by friends on social networks, stay wary. "The attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," said Cluley.

[ Are you at risk? Learn How Cybercriminals Choose Their Targets. ]

Of course, the bogus video attack is hardly the first malicious campaign to be launched via direct messages. Earlier this year, for example, an attack campaign used direct Twitter messages to ask, "Did you see this tweet about you?"--and included a link to a malicious website.

Meanwhile, attackers have been practicing similar techniques on Facebook for years, including one apparently non-stop spam campaign that's aimed at selling shoes. Adding insult to potential injury, after compromising an account, the spammers post a provocative picture--involving shoes--and "tag" friends of the accountholder as being the subject of the photo, all of which no doubt increases the page views for their advertising.

Still, has the volume of attacks launched via Twitter direct messages lately been increasing? In addition, just how are attackers compromising users' accounts? Twitter spokeswoman Rachel Bremer declined to address those specific questions. But via email, she said that "we are constantly working to keep users safe and provide tips for them on how to protect their accounts." For related information, she also pointed Twitter users to more information from Twitter about how to keep Twitter accounts secure, as well as general tips about how Twitter users can configure their accounts in advance to help them react quickly, should someone hack into their account.

What types of attacks should Twitter users be on the lookout for? Based on past attacks, some tried-and-true exploit techniques include tricking users into using malicious Facebook apps or toolbars of questionable nature. Attackers can also employ bots that take stolen email address/password combinations--often gleaned via public dumps of breached data--and automatically try them on other sites to see if they work. Last year, for example, Sony locked 93,000 accounts that had been accessed by attackers who'd reused email and password combinations stolen from an unknown, third-party website. In other words, users should beware reusing the same password on multiple websites.

Finally, any Twitter users whose accounts have been used to launch malicious direct messages should immediately change their account password and perform some account-related housekeeping. "If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password--make sure it is something unique, hard-to-guess and hard-to-crack--and revoke permissions of any suspicious applications that have access to your account," said Cluley.

Likewise, as noted in a recent story published in Slate, anyone who's clicked on one of the attack links in question should also immediately change their Twitter password immediately--just in case.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.