Twitter Direct Messages Disguise Trojan App Attack
Compromised Twitter accounts send fake Facebook videos and Flash updates that trigger drive-by malware exploits.
Beware Twitter direct messages containing links.
That warning comes as Twitter users in recent days have reported seeing a flurry of direct messages--including warnings such as "you even see him taping u" and "your in this [Facebook.com page link] LoL"--that include a link, ostensibly to a video. The links, however, don't lead to a Facebook video featuring the recipient, but rather to a website that attempts to launch a drive-by exploit via the user's browser.
In some versions of the attack, for example, "users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed,'" said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer." The update in question, however, is really a Windows-compatible Trojan application known as Mdrop-EML. If the Trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as to copy itself to any local drives and network shares to which the PC has access.
In other words, when it comes to links supposedly shared by friends on social networks, stay wary. "The attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," said Cluley.
Of course, the bogus video attack is hardly the first malicious campaign to be launched via direct messages. Earlier this year, for example, an attack campaign used direct Twitter messages to ask, "Did you see this tweet about you?"--and included a link to a malicious website.
Meanwhile, attackers have been practicing similar techniques on Facebook for years, including one apparently non-stop spam campaign that's aimed at selling shoes. Adding insult to potential injury, after compromising an account, the spammers post a provocative picture--involving shoes--and "tag" friends of the accountholder as being the subject of the photo, all of which no doubt increases the page views for their advertising.
Still, has the volume of attacks launched via Twitter direct messages lately been increasing? In addition, just how are attackers compromising users' accounts? Twitter spokeswoman Rachel Bremer declined to address those specific questions. But via email, she said that "we are constantly working to keep users safe and provide tips for them on how to protect their accounts." She also pointed Twitter users to Twitter's own guidance on how to keep accounts secure, as well as general tips on how users can configure their accounts in advance so they can react quickly, should someone hack into their account.
What types of attacks should Twitter users be on the lookout for? Based on past attacks, some tried-and-true exploit techniques include tricking users into using malicious Facebook apps or toolbars of questionable nature. Attackers can also employ bots that take stolen email address/password combinations--often gleaned via public dumps of breached data--and automatically try them on other sites to see if they work. Last year, for example, Sony locked 93,000 accounts that had been accessed by attackers who'd reused email and password combinations stolen from an unknown, third-party website. In other words, users should beware reusing the same password on multiple websites.
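The credential-reuse technique described above leaves a recognizable trace in a site's own login logs: one source address failing logins against many distinct accounts in a short window. The following script is an added illustration, not code from the article or from Twitter or Sophos; the log format, the 5-minute window and the threshold of five accounts are assumptions chosen for the example, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

A bot replaying leaked email/password pairs typically produces a burst of
failures across many different accounts from one source address. This
detector finds such sources and lists any accounts where the same source
then logged in successfully, which are candidates for a forced password
reset. Log format, window and threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2012-09-24T10:00:01 198.51.100.7 alice@example.com FAIL
2012-09-24T10:00:02 198.51.100.7 bob@example.com FAIL
2012-09-24T10:00:02 198.51.100.7 carol@example.com FAIL
2012-09-24T10:00:03 198.51.100.7 dave@example.com OK
2012-09-24T10:00:04 198.51.100.7 erin@example.com FAIL
2012-09-24T10:00:05 198.51.100.7 frank@example.com FAIL
2012-09-24T10:00:06 198.51.100.7 grace@example.com FAIL
2012-09-24T10:05:00 203.0.113.9 alice@example.com FAIL
2012-09-24T10:05:30 203.0.113.9 alice@example.com OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def find_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: {"accounts": [...], "compromised": [...]}} for every source
    that attempted at least `min_accounts` distinct accounts within `window`.
    "compromised" lists accounts that source logged into successfully at any
    time in the log; a normal user retrying their own password is not flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        events[ip].append((ts, account, result))

    suspects = {}
    for ip, attempts in events.items():
        attempts.sort()  # chronological order per source
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct, _ in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                successes = sorted({a for _, a, r in attempts if r == "OK"})
                suspects[ip] = {
                    "accounts": sorted({a for _, a, _ in attempts}),
                    "compromised": successes,
                }
                break  # one hit is enough to flag this source
    return suspects


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['accounts'])} accounts tried, "
              f"successful logins: {info['compromised'] or 'none'}")
```

In practice the thresholds would be tuned against the site's normal traffic, and the "compromised" list is what drives the response the article goes on to describe: a password reset and a review of connected applications for the affected accounts.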
Finally, any Twitter users whose accounts have been used to launch malicious direct messages should immediately change their account password and perform some account-related housekeeping. "If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password--make sure it is something unique, hard-to-guess and hard-to-crack--and revoke permissions of any suspicious applications that have access to your account," said Cluley.
Likewise, as noted in a recent story published in Slate, anyone who's clicked on one of the attack links in question should also immediately change their Twitter password--just in case.