SAN FRANCISCO--Twitter presents a relatively new frontier for spammers, malware creators, and all-around bad guys, which in turn has created the opportunity for security researchers and vendors alike to try to figure out, and put a stop to, their efforts.
One company that's trying to get a handle on the size of the problem, and on ways to fight it, is Barracuda Networks. During a talk at the RSA security conference here, which wraps up tomorrow, Barracuda outlined some of the research it's been doing in this area over the past two years.
Paul Judge, chief research officer and VP of cloud services for Barracuda, noted that what makes Twitter a particularly attractive target is that it's both a social network and a search engine. This lets scammers place their wares on a public feed to reach a list of followers, as well as seek new eyeballs by making use of trending keywords to have their wares appear in Twitter search results.
But who, you're wondering, would follow a scammer on Twitter? It's more common than you'd think, said Barracuda research scientist Daniel Peck. One example the company tracked was Download-Heaven, a site that was using a Twitter account to push links to hosted shareware filled with malware and Trojans.
Download-Heaven had 445 followers while following only one account itself. Peck said the scammers were following other Twitter users as a way of getting them to return the favor and follow Download-Heaven. Then the scammers would simply unfollow those users while leaving them to continue receiving its updates, including links to malware.
Barracuda looked for that sort of imbalance as it tracked a raw stream of data from Twitter. It also looked for accounts that had been unfollowed by a lot of users over time; such accounts have often been recognized by other Twitter users as bad news. Finally, Barracuda tried to figure out the behaviors of typical users to see if it could put together additional filters that would spot users who were up to no good.
The result was a reputation system that looked at the Twitter public stream (through its API), as well as an extra 20,000 queries per hour outside of the normal public stream. The test ran for two years and evaluated tweet-to-follower ratios as well as the content of what users were sharing. What Barracuda found was that just 43 percent of Twitter users could be classified as "true." These were users that had more than 10 followers, friends, and tweets. That was compared with the other 57 percent of the network, which fell into a bucket of questionables.
By analyzing the flow of accounts, Barracuda was also able to create a "crime rate"--the percentage of accounts created per month that end up getting suspended by Twitter. This number would swing wildly based on real-world events, such as Oprah joining the network, or the World Cup kicking into gear, which would bring in big swells of new Twitter users, and, in turn, flocks of scammers.
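The checks described above can be sketched in a few lines of Python. This is an added example, not Barracuda's code: the "true" user test and the crime-rate definition follow the article, while the account records, the field names, and the follower-imbalance thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    created: str          # creation month, "YYYY-MM"
    followers: int
    friends: int          # accounts this user follows
    tweets: int
    suspended: bool = False

def is_true_user(a):
    # Article's definition: more than 10 followers, friends, and tweets.
    return a.followers > 10 and a.friends > 10 and a.tweets > 10

def follow_imbalance(a, min_followers=100, ratio=50.0):
    # Many followers but almost no friends, the follow-then-unfollow pattern.
    # Both thresholds are assumptions; the article gives no cut-off values.
    return a.followers >= min_followers and a.followers / max(a.friends, 1) >= ratio

def crime_rate(accounts):
    # Percentage of accounts created in each month that were later suspended.
    created, suspended = defaultdict(int), defaultdict(int)
    for a in accounts:
        created[a.created] += 1
        suspended[a.created] += int(a.suspended)
    return {m: 100.0 * suspended[m] / created[m] for m in sorted(created)}

def triage(accounts):
    # Accounts worth a closer look: not "true" users, or heavily imbalanced.
    return [a.name for a in accounts
            if not is_true_user(a) or follow_imbalance(a)]

# Constructed sample records; the first mirrors the 445-followers,
# one-friend shape the article reports for Download-Heaven.
ACCOUNTS = [
    Account("shareware_pusher", "2010-01", 445, 1, 300, suspended=True),
    Account("regular_user", "2010-01", 120, 150, 900),
    Account("lurker", "2010-01", 3, 40, 0),
    Account("photo_blogger", "2010-01", 60, 55, 210),
    Account("trend_spammer", "2010-02", 5, 2000, 50, suspended=True),
    Account("sports_fan", "2010-02", 30, 45, 12),
]

if __name__ == "__main__":
    print(triage(ACCOUNTS))
    print(crime_rate(ACCOUNTS))
```
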
These topical items were another area Barracuda focused on during the test. Much like trying to game conventional search engines to get new eyeballs, scammers were adding topic tags and/or popular words and phrases to tweets to get them to show up in the "Trends" field on Twitter pages and higher up on Twitter's search results pages. To track how widespread this practice was, Barracuda began grabbing popular search terms on Twitter every hour, and doing searches for them on the site. It would then look at the tweets that turned up, follow any included links, and look for malicious code on the resulting Web sites.
What they found, after five months of searching for popular words and phrases on Twitter as well as on more traditional search engines like Google, Yahoo, and Bing, was a total of 34,627 samples of malware. Twitter accounted for 8 percent of this total, with the other search engines logging the remainder.
"It's interesting, because we've been doing this work for probably nine months of a year now, and the last time we really examined it and looked back on this, it charted very differently," Judge said. "About 69 percent of the malware that we found was on Google at the time, only 1 percent was on Twitter."
"A couple things happened," Judge continued. "Google didn't necessarily get better--there was more malware--basically Bing, Twitter, and Yahoo got worse. So, as the amount of malware increased, Google pretty much stayed steady with the amount of malware that was found there, but the other engines we started to see become a little more equal opportunity."
To Twitter's credit, the company has made several efforts to keep this malware at bay. Back in March of last year, it began routing links through a filter that scans for malware and keeps sullied links from being posted. It also employed its own link-shortening service that similarly vets links. And the company transitioned to using OAuth, which lets users authorize third-party applications without giving those applications their username or password, potentially keeping users from having their credentials hijacked by rogue third-party applications.
Judge closed by noting that Barracuda had put together its own tool that can help users see if they've accidentally befriended one of these spammy or scammy users, or posted one of their links. The free Profile Protector scans both your Facebook and Twitter profiles and identifies users that are on the company's watch list.