We love social networking sites, and phishers are no exception. They’ve been sending out fake Twitter notifications for a while now. The one we’ve just received doesn’t have much in common with previous phishing attacks.
The message looks like this:

Lots of suspicious things about this message: the word “twitter” comes at the end of the link, rather than the beginning, and the English is a bit dodgy as well. None of the addresses in the “From” fields have any strong associations with Twitter:
Not surprisingly, the death of Michael Jackson whipped up a frenzy of activity, with every new “fact” and comment from fans and the media adding to the storm of rumour. And of course the bad guys quickly got in on the act – one example being the hackers who broke into Britney Spears’ Twitter account to tweet about her untimely death.
The spammers have also jumped on the Michael Jackson bandwagon – the screenshot below is a piece of Italian spam we picked up today.

[Translation: “The whole world was in shock when it found out about Michael Jackson’s death. His death is surrounded by secrets. This video shows the last moments of Michael Jackson’s life and the harsh truth about his death.
Children under 16 are not permitted to watch this video!”]
As pointed out by Stefan, short URLs create big problems. How big those problems can get has been made very clear in an attack suffered by cli.gs, which claims to be the 4th most used shortening service on Twitter.
In a blog posting on their site the company says that they had been breached. This resulted in over two million shortened URLs pointing to the same page. The page is a blog posting from another site talking about hashtags on Twitter.
No malicious code has been found on that particular page. Put that together with the topic of the page and it appears that the attacker didn't have too much harm in mind. S/he wanted to show that the site was vulnerable to attack, but didn't want to install any malware onto the visitor's machine. A welcome change. ;-)
Having control over so many URLs makes these services a very attractive target. The fact that you can easily change the address to which a shortened URL leads with this particular service made it extra attractive.
Personally, I abandoned URL shortening services on all the social networks I'm on some time ago. If you strip out the "http://" portion, such sites will no longer convert links into shortened URLs automatically. It's certainly a bit less convenient, but at least the reader knows where I'm pointing to.
Over the course of last weekend I was busy setting up some new systems.
During that process I came across an old virtual machine that I decided to fire up.
Upon launching Firefox on that machine I was greeted by the following:

Now what's wrong with this picture? Quite a lot if you take a good look.
Short URL services are becoming increasingly popular among social networks, especially on Twitter. When you have to limit your message to just 140 characters, every character becomes important, and posting links to searches on Google or news websites can rapidly fill an entire Twitter message.
Of course, for every problem there is a solution, so what URL shortening services like TinyURL, Is.gd or Bit.ly do is offer free short URLs that redirect to the longer ones. Everything might seem great until the moment you start thinking about security, and several problems come to mind.
Social engineering is made easier. The user doesn’t really see the URL of the page he’s going to, but just the shortened version, which usually doesn’t offer any clue as to where the destination page is hosted. An attacker can say he’s linking to “nice pictures with bunnies”, but instead send the user to a website hosting malicious content.
The reliability is questionable. In order to get to the final destination, it’s not only necessary for the destination’s server to be reachable, but also for the short URL service to be up and running. Reliability problems with TinyURL were what made Twitter switch to Bit.ly recently.
Trust can be a problem. The user only wants to click on safe links, so now he has to trust not only the person who sends him a link but also an intermediate player: the URL shortening service.
Security concerns are being raised by these URL shortening services, and I am very glad to see the media also starting to notice them and raise the level of security awareness among their readers: AP recently posted an article about short URL services that also touches on the security problems.
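The three concerns above (hidden destination, dependence on the shortener being up, an extra party to trust) can all be surfaced by previewing a short link hop by hop instead of blindly following it. The following is an added example, not code from the original post: it resolves a redirect chain without loading any page body and reports every intermediary. `SAMPLE_REDIRECTS` is a constructed, offline stand-in for HEAD requests; a live version would issue one HEAD per hop with redirects disabled.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urljoin, urlparse
# Constructed redirect map standing in for live HTTP HEAD requests so the example
# runs offline: key = URL, value = its Location header (None = final 200 page).
SAMPLE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://example.org/news/twitter-hashtags",
    "http://example.org/news/twitter-hashtags": None,
    "http://is.gd/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://is.gd/loop1",
}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "cli.gs"}
@dataclass
class Preview:
    hops: list = field(default_factory=list)        # URLs visited, in order
    shorteners: list = field(default_factory=list)  # intermediaries the reader must trust
    final: Optional[str] = None                     # where the chain ends, if it does
    error: Optional[str] = None                     # why it did not end cleanly

def lookup_location(url: str) -> Optional[str]:
    """Offline stand-in for one HEAD request with redirects disabled."""
    if url not in SAMPLE_REDIRECTS:
        raise ConnectionError(f"{urlparse(url).hostname} unreachable")
    return SAMPLE_REDIRECTS[url]

def preview_short_url(url: str, fetch=lookup_location, max_hops: int = 5) -> Preview:
    """Walk the redirect chain one hop at a time without loading any page body,
    so the real destination is known before the reader commits to it."""
    p, seen = Preview(), set()
    for _ in range(max_hops):
        if url in seen:
            p.error = "redirect loop"
            return p
        seen.add(url)
        p.hops.append(url)
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            p.shorteners.append(host)
        try:
            nxt = fetch(url)
        except ConnectionError as exc:   # shortener down means the link is dead
            p.error = str(exc)
            return p
        if nxt is None:
            p.final = url
            return p
        url = urljoin(url, nxt)          # Location may be relative
    p.error = "too many redirects"
    return p
```

Chained shorteners (one short link pointing at another) show up in `shorteners`, which is exactly the list of parties the reader is trusting in addition to the sender.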
On Saturday an alert went out about a new Twitter worm.
Could this have been another XSS-Worm? Upon clicking the link users would see the following:
However, that's not all that happens. Covertly, a connection is made to another server that results in a malicious PDF being downloaded. This PDF contains a flurry of exploits.
If exploitation is successful a file will be downloaded. Given the reports one would expect this to be the worm. However, it turned out to be yet another Fraudware installer. This time a fake program called "System Security" is being promoted.
During the research process I was not able to detect any worm-like component. There's another very plausible explanation for the worm-like activity we've seen.
About a week ago there was a pretty high-profile phishing attack targeted at Twitter. It was only going to be a matter of time before we would see the abuse of the stolen accounts one way or the other.
Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages. From my perspective this would also have been the more likely scenario rather than using a worm.
This attack is very significant. It would seem that at least one criminal group is now exploring for-profit malware distribution on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks.