Both the Arab Spring and the aftermath of the Boston Marathon bombings particularly proved that, as users took to tweeting eyewitness information that large news organizations couldn't uncover on the ground. However, new evidence has surfaced showing that Twitter isn't just being used to spread information; it’s also being used for spreading malware.
Trusteer researcher Tanya Shafir has uncovered financial malware that launches a Man-in-the-Browser (MitB) attack through the web browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets that propagate malware. Once installed on a machine, it gains access to user credentials and targets their financial transactions.
“At this time the attack is targeting the Dutch market,” she noted. “However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry.”
The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim.
The bad tweets are an assortment of tried-and-true social engineering ploys, all including shortened malicious links. Shafir listed some examples:
Original text (in Dutch): "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris" (English translation: "Our new King William will earn even more than Beatrix. Check his salary").
Original text (in Dutch): "Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!" (English translation: "Beyonce falls during the Super Bowl concert, very funny!!!!").
Original text (in Dutch): "topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken... zie" (English translation: "CEO of [Dutch Bank] is off with our millions!! The minister is inspecting again... see").
“This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing,” Shafir noted. “Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguise the underlying URL address, so that followers have no way of knowing if the link is suspicious.”
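The point above is that a shortened URL hides its destination. A defender can recover the destination without ever loading the page by following only the HTTP redirect chain with HEAD requests, capping the number of hops and stopping on loops. The script below is an added example written for this article, not code from Trusteer or from the malware analysis; the hostnames in `SAMPLE_REDIRECTS` and `KNOWN_SHORTENERS` are constructed stand-ins (except that `t.co`, `bit.ly` and `tinyurl.com` are real public shortener domains), and `lookup_redirect` replaces the live network fetcher so the demo runs offline.

```python
"""Expand shortened URLs by redirect chain only (HEAD requests, no page body)."""
import http.client
from urllib.parse import urljoin, urlparse

# Constructed sample redirect map standing in for live HEAD responses.
# Every host here is hypothetical and chosen for the demo.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/go?id=1",
    "http://tracker.example/go?id=1": "http://landing.example/news.html",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}

# Hosts treated as link shorteners; "short.example" is the constructed one.
KNOWN_SHORTENERS = {"short.example", "t.co", "bit.ly", "tinyurl.com"}


def lookup_redirect(url, table=SAMPLE_REDIRECTS):
    """Offline stand-in for a HEAD request: return the Location target or None."""
    return table.get(url)


def head_location(url, timeout=5):
    """Live fetcher (unused in the offline demo): one HEAD request, no redirect
    following, no body download. Returns the absolute Location header on a 3xx
    response, otherwise None."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        path = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None
        return None
    finally:
        conn.close()


def expand_url(url, fetch=lookup_redirect, max_hops=5):
    """Follow redirects one hop at a time. Returns (chain, status) where status is
    'resolved' (a non-redirect response was reached), 'loop' (a URL repeated) or
    'too_many_hops' (the cap was hit before the chain ended)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in seen:
            return chain + [nxt], "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"


def assess_link(url, fetch=lookup_redirect):
    """Summarise a link for an analyst: where it really lands, how many hops it
    took, whether a shortener sat in the chain, and how often the host changed."""
    chain, status = expand_url(url, fetch)
    hosts = [urlparse(u).hostname or "" for u in chain]
    return {
        "chain": chain,
        "status": status,
        "final_host": hosts[-1],
        "hops": len(chain) - 1,
        "via_shortener": any(h in KNOWN_SHORTENERS for h in hosts[:-1]),
        "host_changes": sum(1 for a, b in zip(hosts, hosts[1:]) if a != b),
    }


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/loop1"):
        print(assess_link(link))
```

Swapping `fetch=head_location` into `assess_link` turns this into a live check. The design keeps the analyst's machine from rendering the final page, which is exactly the step Shafir describes as the drive-by download trigger, and the loop and hop caps prevent a hostile redirect chain from tying up the scanner.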
Shafir speculated that the URLs lead to malicious webpages, so, when the browser renders the webpage’s content, an exploit can silently download the malware to the user’s endpoint device in a drive-by download.
As always, external sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted. “Such content should only be opened while monitoring the application state to ensure it is operating legitimately,” she said. “Stateful Application Control should be used for analyzing what the application is doing (operation) and why it is doing it (state), to determine if an application action is legitimate or malicious.”