06 Nov A Quick Look at the Twitter Phish Rotating through Domains Kurt Baumgartner
16 Oct Twitter Phishing Campaign Spreading Via Direct Messages David Jacoby
25 Dec “Profile me” bot on Twitter Dmitry Bestuzhev
05 Oct Kaspersky Lab at Virus Bulletin 2011 Ryan Naraine
19 May Facebook stalker application now localized David Jacoby
18 May Facebook profile: No, it doesn’t work! Nicolas Brulez
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
A Twitter phishing scheme is spreading its wings, as the previous couple of phishing domains used by this scheme late last week have been taken down. So its operators have decided to put up multiple effective domains. Here are a couple of things to look for.
When you are using a browser like Google Chrome and you are visit twitter.com, the browser displays a green url indicator that the domain has been verified by an extended SSL CA. Now, with the CA breaches that we've seen in the past year (the Diginotar breach report was finalized this past week), that may not mean everything. But, in this case, here is how you might verify that you are using the legitimate twitter site:
This Direct Message attracts phish with a dramatic notice: "Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here". There are a handful of messages in use, as the GFI guys mentioned here last week.If you were to click on that bit.ly shortened link, your browser will be redirected through a click tracking service:
Do not enter your username and password at this site. Also, there are at least a half dozen other domains that look fairly close to "twitter.com", like this one. These guys are using all of them with the same page and graphics to tempt you into entering your credentials. This theft can be a risk if you re-use your passwords across accounts. Also, there is often other personal information within these twitter accounts, like the user's email address used to create the Twitter account. So please keep an eye out for this sort of play on word recognition-domains.
I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.
Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.
The bot started working on Friday, Dec 23 at 9 pm (GMT -05:00) with the highest peak on Saturday, 3 am the same GMT zone with 0.19% of all Twitter traffic.
BARCELONA -- The annual Virus Bulletin conference kicks off here tomorrow with anti-malware researchers discussing a wide range of important issues facing the industry.
Researchers from Kaspersky Lab will have a major presence at the conference this year -- nine speaker slots! -- with talks on the cyber-crime underground, mobile (Android) malware, web application security and social network threats.
I'd like to call attention to a few of the important Kaspersky Lab presentations:
It seems I’m not doing anything other than write about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.
Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.
We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users’ profiles, you see the following:
Translation: Wow, it really works! Find out who is viewing your profile!
The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here’s what it looks like:
Basically, there are 2 steps.
Continuing our investigation on the Osama's death campaign, we were especially concerned about the potential distribution of malware on social networks, because of their speed of propagation. So we have been monitoring Twitter, getting some million tweets and a huge number of URLs too. No surprise here as during the last 24 hours the average was 4.000 tweets per second related to this topic. Here you can see how even Internet traffic was affected.
Analyzing these URLs, we found some interesting stuff.
The first one is a Facebook scam campaign posing as Osama's death video: