« Trusting Third-parties with your password | Main | Tackling malicious conduct through compliance »

Monday, 09 November 2009

Twitter scams: More of the same from attackers

 

Chester Wisniewski has an interesting article about direct messageTwitter attacks at the Sophos blog. He explains how a follower he trusts sent him a tweet inviting Chester to join him in making $500/day online. Knowing the sender, Wisniewski knew immediately this was a phishing tweet, and his article explains what he found as he continued his investigation.

What is surprising about Wisniewski's article is not that attackers are tweeting for phish, but how similar Twitter phish specifically and social network spam in general are to email phish. Phishing today varies little from the scam formula adopted more than a decade ago. For example,

  • Wisniewski's tweet phish originated from a newly registered domain. Thousands of malicous domains are registered every month. This figure has remained relatively constant over the past two years. 
  • Wisniewski's tweet phish came from a trusted follower, or more precisely, from the compromised account of a trusted follower. Wisniewski explains that this phishing attack was very likely preceded by a phish attack against Twitter or against a social network that allows you to share posts from Twitter. Wisniewski recommends, and I concur, that "using sites that request your username and password for social media is never a good idea."
  • The domain was registered using a private domain registration. Such registrations gives criminals who have populated Whois with false registration information in the past an additional level of obfuscation, so this behavior is not a change but a refinement.
  • Wisniewski's tweet referred him to a domain. Whether email or tweet, a recipient who bites on the lure and visits the phish site lands on a "known dirty domain", a domain registration that persists for any of several reasons: the domain is fast fluxed, resolved at an orphaned name server, or "sticky" because the takedown process employed by some registrars remains cumbersome, inefficient and overly vulnerable to abuse.
  • The scam web site accepts credit card information and uses a certified secure SSL certificate, which Internet users commonly and incorrectly assume protects their transaction from identity theft. To be clear, "certified secured" in this phishing scam means that no other criminals can see your credit card information while it's communicated from your PC to the phisher's scam web site.

What is less surprising is that the best practices to avoid phishing and malware on Twitter and social networks are almost exactly the same as best practices written for email years ago. Summarizing from a recent article by Sarah Perez, they are:

  1. Be wary of any URL (hyperlink) in a tweet or email. Phishers use HTML to embed malicious links in seemingly familiar, "safe" links. Don't click on a hyperlink; instead, type the link in manually.
  2. Be aware that criminals will "hijack" popular topics to prey on your enthusiasm. The strategy is simple: find someone who is so caught up in a topic he forgets rule #1 above.
  3. Be aware that criminals compromise email, Twitter, and social network accounts so they can deceive you more effectively. Wisniewski's tweet is an excellent example of this tactic. Don't let your guard down simply because the sender is someone you trust: remember, senders can be spoofed.
  4. Install antivirus and antimalware software, and keep these and other software up to date. The more current you remain with security patches for your operating system, browser, and Adobe applications (reader and flash), the safer you'll be from malware that's often lying in wait for you at phishing sites. To keep current, download and use Secunia Personal Software Inspector.

Sarah Perez concludes her article by saying that it's not just a matter of common sense anymore. This doesn't mean common sense plays no role; in fact, all the protective measures you may take will prove worthless if you don't use some common sense, so please think before you click. 

Posted at 10:05 AM in Anti-Malware and Anti-phishing, Stop Think Connect |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories