Application security, Incident Response, Malware, Network Security, Phishing, TDR

Twitter hit with rogue anti-virus scams

It does not take long for the popularity of a new technology to attract offers for rogue anti-virus software. Users of popular blogging platform Twitter fell victim this past week to a scareware scam in which they were offered a "Best Video," but by clicking through, invited onto their computer offers for a rogue security application.

The infestation began after a blast of tweets, brief text messages containing a hyperlink, enticed users to juste.ru, reportedly a Russian domain, to watch a "Best Video." The site seemingly presented content from YouTube, but in the background delivered a malformed PDF via an IFRAME on that site. This image file contained a number of exploits intended to infect users using unpatched versions of Adobe Reader. Victims were then presented with an urgent caution that their systems were infected and needed to be cleaned up using security software.

So-called scareware, usually in the form of pop-up ads, have been cropping up for years attempting to scare computer users into purchasing unneeded licenses for software to rid their systems of viruses. A March report from the Anti-Phishing Working Group found that rogue anti‐malware programs increased 225 percent in the second half of 2008 – from 2,850 in July to 9,287 in December.

Once one of these ads gets on the desktop, it's difficult to shut it down, and any buttons pressed within an ad image could launch a download. While scareware is already ubiquitous on the desktop, and has even made its way to mobile platforms, this new round of attacks is believed to be the first iteration on Twitter. The rogue app advertised in this Twitter attack is called "System Security."

Exacerbating the attack, the immediacy and high volume of posts on Twitter lends itself to a culture in which users are quick to act and, unaware of the danger, susceptible to clicking through to free offers for videos, audio or an enticing message, despite not knowing who it might be from.

Advocates of Web 2.0 technologies say this development is only to be expected.

"Our experience has shown that with new technologies arise new security challenges," said David Lavenda, VP marketing and product strategy at WorkLight, a New York-based vendor of Web 2.0 technologies, in an email to SCMagazine.com on Tuesday.

Most likely, hackers are constantly looking for the weakest security link, David Goldschlag, CTO at Trust Digital, a McLean, Va.-based enterprise mobility management provider, told SCMagazineUS.com on Tuesday.

"These Twitter attacks are another illustration of the diverse set of technologies used by consumers that are vulnerable to attacks and other hacker mischief," said Goldschlag. "SMS and Twitter seem to have something in common in that the users are typically quick to respond to short messages without a lot of thought."

On the enterprise level, this creates a whole new set of challenges for security personnel as consumers bring these technologies to work, Goldschlag added.

Spammers woke up and saw that Twitter is an even better way of getting people to click on links than email because tweets contain only a brief message and a link, Mary Landesman, senior security researcher at San Francisco-based ScanSafe, a provider of SaaS security services, told SCMagazineUS.com on Tuesday.

"We're always cautioning people not to click on links," she said, "and Twitter adds to the problem." She explained that Twitter makes it so easy to click on a link that users fail to use common sense. That combined with the phenomenon of what she termed promiscuous friending makes users susceptible. This involves Twitter users building up their "follower" base by linking up with anybody in the hopes that they'll be followed back.

WorkLight's Lavenda, who is also founder of the Secure Enterprise 2.0 Forum, said via email it is important not to block new technologies, but instead figure out how to enable people to use the tools in a secure fashion. Identifying possible threats and being able to mitigate them is the first step, he said. Just as important is the need to educate people within the organization how to best use the tools while safeguarding enterprise data. Finally, he recommended that companies adopt enterprise-grade solutions that keep this information safe and secure.

"Twitter is an excellent tool to connect with people in an immediate and direct way, in effect creating an ecosystem surrounding each user," Lavenda said. "Faced with possible security risks, users must simply be smart in how they respond and act on information sent their way. Much like the early days of email, when malicious viruses and spam became a reality, users were not yet aware of what best practices are necessary to protect their assets. I think we will see similar transition in Twitter, social networks and other social media, as new best practices are implemented and security features are introduced."

Trust Digital's Goldschlag agreed. "Users should only follow people or organizations that they know," he said. "They should safeguard their credentials so that their Twitter accounts can't be hijacked (which defeats the first safeguard). Always be sure that you are logging into the Twitter website and expand the tinyurl that many twitters contain to make a determination if the destination website is legitimate. It would be great if the Twitter website could give users a heads-up on this type of activity and provide some best practices."

For the CSO, Twitter is another consumer technology to worry about, said Goldschlag. He wondered if Twitter should be allowed in the enterprise environment. And, if so, who should users be allowed to tweet with -- and should tweets be accepted if they have an embedded executable?

It's a trust issue, ScanSafe's Landesman said. "The best way to protect yourself from spammers is to know who you follow. It's a combination of understanding who you're following and having some sort of trust relationship. Following strangers is not a safe thing to do."

Landesman advised Twitter users within the enterprise to make sure to use a web security service. This can help protect the network if something malicious is detected. For home users, she advised making sure to disable JavaScript by default so it can only run with user permission.

Twitter has been ranked as the third most used social network behind Facebook and MySpace. The number of unique monthly visitors to the site has been estimated at six million and the number of monthly visits at 55 million.

Twitter staff have confirmed the "System Security" attacks and reportedly cleaned up the offending messages.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.