Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."
The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."
In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.
"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.
"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.
Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report is "also serving as a control vehicle for botnets."
Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.
The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France Press, Dow Jones and Reuters based in China."
Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."
Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.
"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.
There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hypertext markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."
McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.
"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.
Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."
The year also "saw the conviction of the infamous "Godfather of Spam," Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.
"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."
Listen to Larry's interview with David Marcus.
You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone numbers and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)
Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface (an anagram of Facebook), a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that led to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)
Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week the passwords of 32 million users, stored in plain text on the RockYou site, were exposed by a SQL injection attack, according to security firm Imperva. Because the same passwords are used on other sites affiliated with the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
What Twitter's homepage looked like before it went down on Thursday night.
(Credit: CC u07ch/Flickr)
Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.
Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."
At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?
For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.
Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.
That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.
A political message, or just plain obnoxious?
On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.
Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.
"It really looks like people were redirected to a 'hacktivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."
Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.
Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."
That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.
This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.
Updated at 11:15 p.m. PST to include comment from witness and reflect Twitter.com accessible again.
Updated at 11:50 p.m. PST with status update from Twitter.
Twitter.com was down Thursday evening, and it appears that the microblogging site may have been hacked or the victim of a DNS hijacking.
The site, which was inaccessible for about an hour starting around 10 p.m. PST, was defaced with the following image before it was taken offline:
The message at the bottom of the image appears to be written in Perso-Arabic script and when translated to English it read:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Twitter's status blog was also inaccessible. CNET has inquiries out to Twitter and we will let you know more when we hear back.
Chris Hoare, a Flickr user in Leicester, England, captured the screenshot above and said his attempt to connect to Twitter bounced through a second Web-hosting server before the image was displayed but that he couldn't catch the address.
"The HTML was pretty basic, and everything that it showed was local on the server it was being sent from," Hoare told CNET News.
A Twitter update message posted at 11:28 p.m. said the site was "working to recover from an unplanned downtime" and indicated that the incident was indeed a hijacking of Twitter's DNS records:
Twitter's DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
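A DNS or registrar-level hijack like the one Twitter describes changes the answers the public sees without touching the site's own servers, so the check a site operator wants is a watch on those answers. The following is an added example (not code from CNET, Twitter or Sophos): it compares live resolver answers against an operator-kept baseline and classifies each deviation. BASELINE and SAMPLE_ANSWERS are constructed sample data (the api name is left intact to mirror the report that API access kept working); `live_lookup` uses the system resolver for real use.

```python
"""Watch a zone's public DNS answers against an operator-kept baseline."""
import socket
from typing import Callable, Dict, List, Set

Lookup = Callable[[str], Set[str]]

# Constructed baseline: the IPv4 addresses the operator expects each name to return.
BASELINE: Dict[str, Set[str]] = {
    "www.example.test": {"192.0.2.10", "192.0.2.11"},
    "api.example.test": {"192.0.2.20"},
}

# Constructed answers standing in for what resolvers returned during an incident.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "www.example.test": {"203.0.113.99"},   # every answer now points to a foreign host
    "api.example.test": {"192.0.2.20"},     # untouched
}


def sample_lookup(name: str) -> Set[str]:
    """Offline stand-in for a resolver query, driven by SAMPLE_ANSWERS."""
    return set(SAMPLE_ANSWERS.get(name, set()))


def live_lookup(name: str) -> Set[str]:
    """Ask the system resolver for the IPv4 addresses of name (empty set on NXDOMAIN/error)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare_records(baseline: Dict[str, Set[str]], lookup: Lookup) -> List[dict]:
    """Return one finding per baseline name, with a severity the on-call can act on."""
    findings = []
    for name, expected in sorted(baseline.items()):
        actual = lookup(name)
        unexpected = actual - expected
        missing = expected - actual
        if not actual:
            severity = "no-answer"     # outage, or the record was deleted
        elif unexpected and not (actual & expected):
            severity = "redirected"    # nothing we own is in the answer: hijack pattern
        elif unexpected:
            severity = "partial"       # mixed answers: propagation in progress or partial change
        elif missing:
            severity = "degraded"      # fewer of our servers than expected, none foreign
        else:
            severity = "ok"
        findings.append({"name": name, "expected": expected, "actual": actual,
                         "unexpected": unexpected, "missing": missing,
                         "severity": severity})
    return findings


def alerts(findings: List[dict]) -> List[str]:
    """Human-readable lines for everything that is not 'ok'."""
    return [f"{f['severity'].upper()} {f['name']}: expected {sorted(f['expected'])}, "
            f"got {sorted(f['actual'])}"
            for f in findings if f["severity"] != "ok"]


if __name__ == "__main__":
    for line in alerts(compare_records(BASELINE, sample_lookup)):
        print(line)
```

Run it on a schedule from more than one network and resolver, since a registrar change propagates unevenly and a single vantage point can still see cached, correct answers for a while. The check covers address records only; a registrar compromise can also rewrite the zone's NS delegation, which needs a separate query against the parent zone.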
Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez's feed and proclaimed the journalist was "high on crack." Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.
Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation's presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.
Twitter and Facebook users were getting hit with scams on Monday.
Twitter users were warned about direct messages that said, "I make money online with google. i learned how here [link]," according to Twitter users.
A Twitter representative said it was not a phishing scam because the site to which the spam links does not ask for a username and password, or look like a Twitter page.
"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."
On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.
"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."
Twitter users warned about a "make money online with google" scam on Monday.
(Credit: Twitter Search)
Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.
Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.
The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLS that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.
The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts.
About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.
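The earlier complaint about shortened URLs (you don't know where a bit.ly or tinyurl.com link goes until you arrive) and Raiu's description of Krab Krawler (extract every URL from a post, expand the shortened ones, then judge the destination) describe the same pipeline. The following is an added example of that pipeline, not code from CNET or Kaspersky: it records the full redirect chain one hop at a time rather than letting the HTTP library follow it silently, so a loop or an endless chain is itself reported. SHORTENERS, BLOCKLIST, SAMPLE_TWEET and SAMPLE_REDIRECTS are constructed sample data; `http_resolver` is the live version using only a HEAD request per hop.

```python
"""Expand shortened URLs found in a tweet and report where they really lead."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Matches http(s) URLs in free text; punctuation glued to the end is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING = ".,;:!?)\"'"

# Constructed lists: the shorteners named in the article plus two common ones, and
# placeholder hosts standing in for a real malicious-domain feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
BLOCKLIST = {"malware.example", "phish.example"}

# A resolver returns the Location header for one redirect hop, or None for a final page.
Resolver = Callable[[str], Optional[str]]

# Constructed redirect map: a two-step shortener chain ending on a blocklisted host,
# and a pair of links that redirect to each other.
SAMPLE_REDIRECTS: Dict[str, str] = {
    "http://bit.ly/abc": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://malware.example/video.exe",
    "http://is.gd/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://is.gd/loop1",
}
SAMPLE_TWEET = ("omg watch this video http://bit.ly/abc, my blog http://example.com/post "
                "and this one http://is.gd/loop1!")


def sample_resolver(url: str) -> Optional[str]:
    """Offline stand-in for a HEAD request, driven by SAMPLE_REDIRECTS."""
    return SAMPLE_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following the redirect for us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_resolver(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live one-hop resolver: HEAD the URL and return its Location header, if any."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                      # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        return None                          # 4xx/5xx: nothing further to follow


def extract_urls(text: str) -> List[str]:
    return [m.rstrip(TRAILING) for m in URL_RE.findall(text)]


def expand_url(url: str, resolve: Resolver, max_hops: int = 10) -> Tuple[List[str], str]:
    """Follow redirects hop by hop; status is 'final', 'loop' or 'too_many_hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)        # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def scan_tweet(text: str, resolve: Resolver = sample_resolver) -> List[dict]:
    """Expand every URL in a post and give each a verdict a filter could act on."""
    results = []
    for url in extract_urls(text):
        chain, status = expand_url(url, resolve)
        hosts = [host_of(u) for u in chain]
        if any(h in BLOCKLIST for h in hosts):
            verdict = "malicious"            # any hop on the blocklist condemns the link
        elif status != "final":
            verdict = "suspicious"           # loops and endless chains are a signal on their own
        else:
            verdict = "clean"
        results.append({"url": url, "shortened": hosts[0] in SHORTENERS,
                        "final_url": chain[-1], "hops": len(chain) - 1,
                        "status": status, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in scan_tweet(SAMPLE_TWEET):
        print(f"{r['verdict']:<10} {r['url']} -> {r['final_url']} ({r['hops']} hops, {r['status']})")
```

Pass `http_resolver` as `resolve` to run it against real links. Judging every hop, not just the last one, matters because a shortener that is itself blocklisted or a redirect through a known-bad intermediary is a verdict in its own right; and the hop cap plus loop detection keeps a crawler that processes hundreds of thousands of URLs a day from being tied up by a malicious redirect chain.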
Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.
While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters and it could take between two and 12 hours for new stuff to be classified as malicious and detected, he said.
While antivirus companies have traditionally focused on protecting e-mail-borne viruses, they are increasingly turning their attention to social-media sites as attackers do.
Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.
Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.
Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.
"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.
The most common piece of malware associated with Twitter links is Trojan-Clicker.HTML.IFrame, a malicious script or hidden iframe that loads when a browser visits a compromised Web site.
(Credit: Kaspersky)
This is Twitter's spam warning.
(Credit: Twitter)
Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.
"We've seen a few phishing attempts today; if you've received a strange (direct message), and it takes you to a Twitter log-in page, don't do it!" the Twitter spam warning says.
The direct messages say: "hi. this you on here? http://blogger.djh****.com," Sophos reports in a blog post. The full URL is obscured to prevent people from unwittingly visiting the phishing site.
Clicking on the link takes a user to a page that looks like a legitimate Twitter log-in page. When the user types in the username and password, a fake version of Twitter's "over capacity" message is displayed, with the image of the notorious "fail whale" held aloft by birds.
"When I visited the page, I was then slingshot to another Web page on Blogspot.com, claiming to belong to a blogger called NetMeg99," Sophos researcher Graham Cluley wrote. "It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Web page did also try to phish for credentials at one point."
If you have been duped by this phishing ruse, Sophos suggests that you immediately change your password at Twitter and any other sites where you used the same log-in credentials.
A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link to what appeared to be a video-related Twitter page.
The page looks like a legitimate Twitter log-in page but nabs your credentials if you type in your password, he warns.
Meanwhile, a posting on the Mashable blog said the site had received multiple reports of the new phishing scam and that someone there had even received one of the phishing-related direct messages themselves.
No word on this yet on Twitter's official blog or from a Twitter spokesperson. We'll keep you posted as we hear more.
In the meantime, if you clicked on the phishing link and typed in your credentials, you should change your password immediately.
Update at 5:30 p.m. PDT: Twitter acknowledged the phishing scam in a tweet on Wednesday that said "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login creds!"
JewNews.net captured this screenshot of the phishing-related direct message Twitter users are receiving and the fake log-in page the link directs to.
(Credit: JewNews.net)
A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.
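Both phishing reports above come down to the same thing: a page that looks like Twitter's log-in form but posts the password somewhere else. The check below is an added example, not code from Sophos, Twitter or JewNews.net: it parses a page, finds every form containing a password field, resolves the form's `action` against the page URL and flags credentials that would leave for a host other than twitter.com, over plain HTTP, or via GET. The page URL `twitter-login.example` and both HTML snippets are constructed; the real phishing host in the reports is obscured and is not reproduced here.

```python
"""Flag log-in forms whose password field would be posted off-site.
Added example with constructed sample pages."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts a real Twitter log-in form may post to (assumption for this example).
LEGIT_HOSTS = {"twitter.com", "www.twitter.com"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action/method and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_login_page(page_url, html):
    """Return one finding per password form: where it submits and why that is bad."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        parts = urlparse(target)
        reasons = []
        if (parts.hostname or "") not in LEGIT_HOSTS:
            reasons.append("credentials posted to %s" % parts.hostname)
        if parts.scheme != "https":
            reasons.append("form submits over plain http")
        if f["method"] != "post":
            reasons.append("method is GET; password would land in URLs and logs")
        findings.append({"target": target, "reasons": reasons})
    return findings


def is_phishing(page_url, html):
    return any(f["reasons"] for f in audit_login_page(page_url, html))


# Constructed fake page: looks like Twitter, posts to its own host over http.
FAKE_PAGE_URL = "http://twitter-login.example/videos/index.php"
FAKE_HTML = """<html><body><h1>Twitter</h1>
<form action="login.php" method="post">
<input name="session[username_or_email]">
<input type="password" name="session[password]">
<input type="submit" value="Sign in"></form></body></html>"""

# Constructed legitimate-looking page: posts to twitter.com over https.
LEGIT_PAGE_URL = "https://twitter.com/login"
LEGIT_HTML = """<html><body>
<form action="https://twitter.com/sessions" method="post">
<input name="session[username_or_email]">
<input type="password" name="session[password]">
<input type="submit" value="Sign in"></form>
<form action="/search"><input name="q"></form></body></html>"""

if __name__ == "__main__":
    print(audit_login_page(FAKE_PAGE_URL, FAKE_HTML))
    print(audit_login_page(LEGIT_PAGE_URL, LEGIT_HTML))
```

The check catches the common kit that relays the password to its own server, which is what the "fail whale" page described above does. It does not catch a proxying kit that forwards your credentials to the real site and keeps a copy, so the page host itself (is this really twitter.com?) still has to be checked before the form is trusted.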
Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.
Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.
But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.
"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.
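Coogan's point cuts both ways for defenders: because any public feed can carry bot instructions, the host-side tell is not the site but the access pattern. A bot polling its controller's account fetches the same URL on a fixed timer, which stands out from a person reading Twitter. The following is an added example, not Symantec's or Arbor's tooling: it reads constructed proxy log lines of the form `epoch src_ip url`, groups requests by (source, URL) and flags pairs whose inter-request gaps have a low coefficient of variation. The @upd4t3 handle is the one named in the post; the IP addresses, timestamps and threshold are constructed assumptions.

```python
"""Find hosts polling one social-media URL on a near-constant interval
(a dead-drop C2 beacon). Added example with a constructed proxy log."""
import statistics
from collections import defaultdict

BASE = 1249570800  # constructed epoch base

# Constructed log: "<epoch> <src_ip> <url>".
# 10.0.0.5 polls the controller account every ~300 s; 10.0.0.7 browses normally.
LOG_LINES = [
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 0),
    "%d 10.0.0.7 http://twitter.com/home" % (BASE + 0),
    "%d 10.0.0.7 http://twitter.com/home" % (BASE + 47),
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 300),
    "%d 10.0.0.7 http://twitter.com/home" % (BASE + 530),
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 602),
    "%d 10.0.0.7 http://twitter.com/home" % (BASE + 611),
    "%d 10.0.0.9 http://twitter.com/upd4t3" % (BASE + 700),
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 899),
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 1201),
    "%d 10.0.0.5 http://twitter.com/upd4t3" % (BASE + 1500),
    "%d 10.0.0.7 http://twitter.com/home" % (BASE + 1900),
]


def parse(line):
    ts, src, url = line.split()
    return int(ts), src, url


def detect_beacons(lines, min_requests=5, max_cv=0.2):
    """Return (src, url) pairs hit at least min_requests times whose gap
    coefficient of variation (stdev/mean) is at or below max_cv."""
    by_key = defaultdict(list)
    for line in lines:
        ts, src, url = parse(line)
        by_key[(src, url)].append(ts)
    hits = []
    for (src, url), stamps in by_key.items():
        if len(stamps) < min_requests:
            continue                          # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue                          # burst of identical timestamps, not a timer
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "url": url, "requests": len(stamps),
                         "mean_interval": mean, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for h in detect_beacons(LOG_LINES):
        print(h)
```

Expect false positives from anything else on a timer (feed readers, dashboard widgets), so in practice the hit list is a lead to pivot on user agent, working hours and whether the polled account posts anything a human would read, not a verdict by itself.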
This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.
The Georgian blogger whose Twitter, Facebook, and YouTube accounts were targeted in denial-of-service attacks on Thursday, says he thinks Russia's federal security service is behind it.
"This hackers was from Russian KGB," the blogger, who uses "Cyxymu" on his accounts, wrote in a tweet early on Friday, adding later: "My twitter is online! Thank you all for support after ciber attack from Russia!"
Because of the difficulty in tracing distributed denial-of-service (DDoS) attacks back to the source, unless someone takes credit for the attack or brags about it to online associates, it's nearly impossible to determine exactly who was responsible.
Cyxymu is identified as a 34-year-old economics lecturer named Georgy from Tbilisi, Georgia, by The Guardian. His blog postings are critical of Russia's dealings with the Caucasus region, and his screen name is a Latinized spelling of Sukhumi, the capital of Abkhazia, a breakaway region of Georgia.
"Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," he is quoted as saying. His LiveJournal account was attacked last year, as well, according to the report.
The DDoS attacks came on the eve of the one-year anniversary of a significant military clash between Russia and Georgia, which have had an ongoing conflict. In the 2008 South Ossetia war that began on August 7, 2008, Georgia attempted to retake control of South Ossetia and Russia launched air strikes against Georgia.
"When the war started in South Ossetia last year I couldn't avoid being drawn into politics," the blogger said.
The Georgian government is investigating potential links between its citizen and the attacks, and there are suspicions that the attack came from Russia, Shota Utiashvili, head of the Department of Information and Analysis at the Ministry of the Interior, told CNN.
Twitter was down for hours on Thursday during the attack, and LiveJournal suffered an outage. Facebook and Google--whose Blogger, Google Sites, and YouTube were also affected--were able to fend it off.
Whoever was behind the attack may also be responsible for a spam e-mail campaign launched before the DDoS attack and targeting the blogger's accounts. In that attack e-mails were sent out that looked like they came from the blogger and included hyperlinks to his accounts on the targeted sites. A Facebook spokesman and others said that a spam attack would not have been effective enough to cause a DoS outage.
On his Blogger account the Georgian posted a copy of a Russian language news article in which he himself says the spam attack did not cause the DDoS attacks.
The Cyxymu accounts were back up on Friday on Twitter and Facebook (where he's a fan of John McCain), but his LiveJournal account appeared to still be inaccessible though a cached version was available on Google. His YouTube account, meanwhile, never went down.