Trolling for easy victims using Twitter

[Last updated on 3/7 at 8:00a CST - see bottom of post]

It's no secret that people have to be mindful of their social networking activities. The information security community has been sounding the alarm for several years, and now the message is finally reaching the mainstream media.

However, what the average user doesn't realize is that their actions speak louder than their status updates. Let me explain. Let's assume we have two social network users, Jane and John. While both are mindful of the information they post about themselves, Jane is more cautious than John, the latter being more "click-happy."

Reports of attacks on social networking sites are an almost monthly occurrence. Sometimes the attacks take advantage of vulnerabilities in the design or implementation of the various sites or third-party add-ons. Yet, most often, the attacks simply use the flexibility and openness of the social networks and their unsuspecting users as a vector of attack. The latest example, reported today by Sophos' Graham Cluley, consists of Twitter messages touting interesting webcam conversations on a site called "chatwebcamfree.com".

While cautious Jane ignored the tweet, John's curiosity got the best of him: he clicked on the link. The result is that John's Twitter account now sends a tweet touting the same site, which reaches all of John's followers. As of 19:20 (CST), it is still unknown how the attack works, i.e. how it manages to send a tweet using John's account. However, there are several known attacks which could be used to produce that behavior. The web site displays a web form asking for account credentials; it may be infecting the user's machine and may also be gathering passwords.

Now, any Twitter user who fell for this attack has in effect painted a large target on his back. Locating these users now becomes as simple as searching for the right term. A quick search reveals well over 500 posts containing the name of the target web site. While the oldest post dates from 26 days ago, 99% of the activity seems to have occurred today. Each of these users may now become the target of additional attacks.

Remediation strategies should of course help users exercise caution in their surfing habits. However, it may also fall on Twitter to remove these tweets in order to control the infection and help protect those who were lured against additional attacks.

[update1]
As of 8:14p CST, Twitter has confirmed that 750 accounts fell prey to the adult webcam spam attack. However, while Twitter claims to have removed the "spammy" status updates, the searches conducted at 6:30p and at 8:30p show otherwise, as the screenshot below indicates.

[update2]
As of 8:00a CST on 3/7/2009, a Twitter search still reveals 48 pages (up from yesterday's 47 pages) of matches to the search term, clearly exposing people's susceptibility to clicking dangerous links.
