February 5, 2013

Battered Twitter, Phish but no Chips! [Updated]

Carl Leonard Principal Security Analyst

Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received from direct messages or Tweets particularly if the page you've been directed to is asking for your credentials or personal information.

Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex (and most definitely not your pet/team/town or dictionary word) password as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you'll have hopefully received a notification from Twitter that suggests these actions along with some general tips for account security:


Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work  with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

The recent compromise is reported to impact 250,000 users, a mere 0.0005% of total users or 0.00125% of active users, and therefore may seem a somewhat small drop in the Twitter ocean. It is not unsurprising, therefore, that attackers are continuing to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

This recent phishing campaign, given the samples analyzed by Websense Security Labs so far in this incident, is using lures likely to elicit a click when received from a friend or associate, such as Did you see this pic of you? lol followed by a shortened URL.

Interestingly for us, and hopefully you, the use of Bitly’s URL shortening service allows us to append the URL with a plus ‘+’ and then view statistics for the shortened URL:


Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications or  indicative that the campaign is not limited to Twitter itself.

Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ruwhich in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:


The phishing URL in the above example, Tivtter(.)com (ACEInsight Report) appears at a glance to be legitimate and therefore is likely to dupe some unsuspecting victims into believing that they need to 're-login' to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps in order to gather some statistics or to split the campaign in some way, as we've seen active examples from/a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled onto the next, any attempt to access the phishing page will be met with a standard  '404 - Page not found' error.

Should you fill in your account credentials, they'll be snaffled by those behind this nefarious scheme and you'll be presented with a fake '404' page not found error before being whisked back to the official Twitter Web site as if nothing happened:


As well as the URL above, we're also seeing other variations on the same Twitter typo theme including iftwtter(.)com(ACEInsight Report) and iwltter(.)com (ACEInsight Report).

Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!

Friday, July 19, 2013:

Websense Labs has been tracking a mutation of this campaign, once again spread via Direct Messaging (DM). The offending domain is a typo-squat - hxxp://twitller(.)com ( Ace Insight Report ), This URL, if browsed to directly, will redirect the visitor to the legitimate https://twitter.com page. However, the URL being DM'd is: hxxp://twitller(.)com/at1/index.php ( Ace Insight Report ) - this page uses xmlHTTP to communicate with a third party web application, in order to generate a random URL, similar to hxxp://twitller(.)com/9wk45b/verify/?&account_secure_login - this is where the Phish will happen, exactly as described above.

Websense customers are proactively protected from this campaign.

Thanks to @JanneFl for the initial identification of this campaign.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.