Twitter and Facebook users were getting hit with scams on Monday.
Twitter users warned about direct messages that said, "I make money online with google. i learned how here [link]," according to Twitter users.
A Twitter representative said it was not a phishing scam because the site to which the spam links does not ask for a username and password, or look like a Twitter page.
"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."
On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.
"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."
Twitter users warned about a "make money online with google" scam on Monday.
(Credit: Twitter Search)Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.
Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.
The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLS that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.
The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts.
About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren't considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.
Twitter has its own filtering system, but some malicious links still manage to get through, Raiu said.
While Kaspersky's regular antivirus software may detect and block 95 percent of the malware Twitter users are threatened with, malware code changes frequently to evade filters and it could take between two and 12 hours for new stuff to be classified as malicious and detected, he said.
While antivirus companies have traditionally focused on protecting e-mail-borne viruses, they are increasingly turning their attention to social-media sites as attackers do.
Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links, said Morton Swimmer, a senior threat researcher at Trend Micro.
Meanwhile, Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Gmail, Blogger, MSN, MySpace, Google search, Yahoo, and other sites.
Social-media sites are popular for attackers not only because people are flocking to them, but also because users seem to trust messages that appear to come from friends on those sites more than they trust e-mails, Raiu said.
"People are worried about unsolicited e-mail, so they are careful not to run the programs they get by e-mail, but they aren't prepared to deal with these kinds of new attacks," he said.
The most common piece of malware associated with Twitter links is Trojan-Clicker.HTMLIFrame, a malicious JavaScript that can get downloaded to a computer when it visits a compromised Web site.
(Credit: Kaspersky)
This is Twitter's spam warning.
(Credit: Twitter)Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.
"We've seen a few phishing attempts today; if you've received a strange (direct message), and it takes you to a Twitter log-in page, don't do it!" the Twitter spam warning says.
The direct messages say: "hi. this you on here? http://blogger.djh****.com," Sophos reports in a blog post. The full URL is obscured to prevent people from unwittingly visiting the phishing site.
Clicking on the link takes a user to a page that looks like a legitimate Twitter log-in page. When the user types in the username and password, a fake version of Twitter's "over capacity" message is displayed, with the image of the notorious "fail whale" held aloft by birds.
"When I visited the page, I was then slingshot to another Web page on Blogspot.com, claiming to belong to a blogger called NetMeg99," Sophos researcher Graham Cluley wrote. "It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Web page did also try to phish for credentials at one point."
If you have been duped by this phishing ruse, Sophos suggests that you immediately change your password at Twitter and any other sites where you used the same log-in credentials.
A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link to what appeared to be a video-related Twitter page.
The page looks like a legitimate Twitter log-in page but nabs your credentials if you type in your password, he warns.
Meanwhile, a posting on the Mashable blog said the site had received multiple reports of the new phishing scam and that someone there had even received one of the phishing-related direct messages themselves.
No word on this yet on Twitter's official blog or from a Twitter spokesperson. We'll keep you posted as we hear more.
In the meantime, if you clicked on the phishing link and typed in your credentials, you should change your password immediately.
Update at 5:30 p.m. PDT: Twitter acknowledged the phishing scam in a tweet on Wednesday that said "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login creds!"
JewNews.net captured this screenshot of the phishing-related direct message Twitter users are receiving and the fake log in page the link directs to.
(Credit: JewNews.net)
A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece malware called Downloader.Sninfs. The account has since been suspended by Twitter.
Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collects passwords and related personal information from infected computers.
Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.
But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.
"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.
This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.
The Georgian blogger whose Twitter, Facebook, and YouTube accounts were targeted in denial-of-service attacks on Thursday, says he thinks Russia's federal security service is behind it.
"This hackers was from Russian KGB," the blogger, who uses "Cyxymu" on his accounts, wrote in a tweet early on Friday, adding later: "My twitter is online! Thank you all for support after ciber attack from Russia!"
Because of the difficulty in tracing distributed denial-of-service (DDoS) attacks back to the source, unless someone takes credit for the attack or brags about it to online associates, it's nearly impossible to determine exactly who was responsible.
Cyxymu is identified as a 34-year-old economics lecturer named Georgy from Tblisi, Georgia, by The Guardian. His blog postings are critical of Russia's dealings with the Caucasus region and his screen name is a Latinized version of the spelling of Sukhumi, the capital of Abkhazia, a breakaway Georgian republic.
"Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," he is quoted as saying. His LiveJournal account was attacked last year, as well, according to the report.
The DDoS attacks came on the eve of the one-year anniversary of a significant military clash between Russia and Georgia, which have had an ongoing conflict. In the 2008 South Ossetia war that began on August 7, 2008, Georgia attempted to retake control of South Ossetia and Russia launched air strikes against Georgia.
"When the war started in South Ossetia last year I couldn't avoid being drawn into politics," the blogger said.
The Georgian government is investigating potential links between its citizen and the attacks, and there are suspicions that the attack came from Russia, Shota Utiashvili, head of the Department of Information and Analysis at the Ministry of the Interior, told CNN.
Twitter was down for hours on Thursday during the attack, and LiveJournal suffered an outage. Facebook, and Google--whose Blogger, Google Sites, and YouTube were also affected--were able to fend it off.
Whoever was behind the attack may also be responsible for a spam e-mail campaign launched before the DDoS attack and targeting the blogger's accounts. In that attack e-mails were sent out that looked like they came from the blogger and included hyperlinks to his accounts on the targeted sites. A Facebook spokesman and others said that a spam attack would not have been effective enough to cause a DoS outage.
On his Blogger account the Georgian posted a copy of a Russian language news article in which he himself says the spam attack did not cause the DDoS attacks.
The Cyxymu accounts were back up on Friday on Twitter and Facebook (where he's a fan of John McCain), but his LiveJournal account appeared to still be inaccessible though a cached version was available on Google. His YouTube account, meanwhile, never went down.
Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.
Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.
Denial-of-service attacks aren't always straight forward and this one has its own unique twist. Let's take a look at what happened and why.
What's a denial-of-service attack?
A denial-of-service (DoS) attack is any effort designed to interfere with access to a Web site or Internet service. A common method of attack involves flooding a target server with so many communications requests that legitimate traffic can not get through. This can shut down or slow down the site temporarily.
Web sites aren't the only things that can be targeted in DoS attacks. Unplugging someone's computer is a very basic type of DoS attack.
What's a distributed-denial-of-service (DDoS) attack?
Because Web sites are built to handle a lot of traffic, it can take millions of simultaneous communications requests to have enough affect on the performance of the server for an attack. In a DDoS attack, tens of thousands or even millions of computers are used to send traffic to the target site all at the same time and repeatedly. As Sophos' Graham Cluley wrote on his blog: "It's a bit like 15 fat men trying to get through a revolving door at the same time--nothing can move."
What's a botnet?
The hijacked PCs that are used in a DDoS attack comprise a botnet. The individual computers are called "bots," "zombies" or "slaves" and are controlled remotely by the "master" attacker. The attacker relays instructions to the bots via a command-and-control server, typically using IRC (Internet Relay Chat). Botnets are also used to distribute spam. Some newer botnets, like one created by a version of Conficker, relay instructions via peer-to-peer.
How does an innocent PC become a bot?
There are different ways a criminal can get programs onto computers in order to turn them into bots that they can control. Often, criminals send spam with attachments containing malware or links to Web sites hosting malware. The malware--typically a worm, Trojan horse, or backdoor--is installed on the computer when the attachment is opened or the URL link is clicked. Many computers are compromised by drive-by downloads in which hidden malware on Web sites exploits Web browser vulnerabilities and is downloaded onto the visitors' computer without their knowledge.
Computer users usually have no idea that their computer has been compromised and botnet operators like it that way so they can keep using the bots indefinitely. Now, criminals who don't want to bother with do the grunt work necessary to compromise an army of machines can just lease one. A recent study by Finjan found that an underground network was offering to let criminals rent a botnet for as little as 5 cents to 10 cents per bot.
What happened in the DDoS that caused the Twitter outage this week?
While most DoS attacks are designed to take down a specific Web site, Thursday's DDoS attack targeted someone who has accounts on the different sites--a Georgian blogger, who uses the account name "Cyxymu" and who has accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube.The affected companies worked together to investigate the attacks and discovered that Cyxymu was the common thread linking the sites. An investigation is pending into who launched the attack and why.
In a clear and simple way, this Cisco graphic shows the relationship of the parties in a DDOS attack.
(Credit: Cisco) How many bots are needed to take down a Web site?
The number depends on how much resources, servers and bandwidth, the target site has. It can take 25,000 to 50,000 bots to cripple a typical site and as few as 10,000 or less for a small Web site, according to Kevin Stevens, a security researcher for SecureWorks' Counter Threat Unit.
It's difficult to know exactly how big any particular botnet is and guesses vary widely. For example, estimates of the Conficker botnet ranged from 500,000 PCs to 10 million.
Who launches a DoS and why?
Unless someone takes credit, it's nearly impossible to find out who is responsible for a DoS attack. Often attackers will send traffic through proxies so there is no direct link to the source, even if investigators can get a hold of a bot used in an attack to dissect the code. Bots also may be located in another country.
The first big DDoS attack, in February 2000 took down some of the Web's most popular sites for hours, including Yahoo, CNN, eBay, Amazon.com, Buy.com, and E*Trade. The U.S. Federal Bureau of Investigation promptly held a news conference to discuss the disruption to the Internet and eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.
Mafiaboy was most likely trying to get attention, like script kiddie hackers do when they deface Web sites. Other attackers have different agendas. For instance, there are politically motivated DDoS attacks, such as those involving Russian and Georgian sites last year. Estonia sites were attacked in 2007. Meanwhile, the origin of recent DDoS attacks targeting U.S. government sites and sites in South Korea remain a mystery.
What kind of damage can a DoS attack do?
A DoS can make a Web site completely inaccessible to anyone for a period of time, like the most recent attack did with Twitter. Or it can be equivalent to a hiccup, slowing down page loads or affecting only part of the site.
Sites that aren't in the direct line of fire can also be affected. For example, if a company that is attacked is hosting images or content that is fed to other sites, those other sites may have trouble. So many sites feature Twitter updates that it's likely some of those associated sites were impacted when Twitter was down and the ancillary site's requests to get updates were ignored.
How can a DDoS be prevented or stopped?
There is no surefire way to prevent a DDoS attack. However, a company can reduce its risk by buying plenty of servers and bandwidth, and hosting content on backup servers. Companies can also limit the number of connections that the Web server allows at any one time and set the firewall to block certain types of data that are used in DDoS attacks, said SecureWorks' Stevens.
In addition, companies can ask the ISP to impose bandwidth limits and to block the IP addresses serving up the attack. Some companies offer DoS detection software, and sites can configure their Web server to monitor traffic patterns and automatically ban IP addresses that could be associated with an attack.
In 2001, the White House was able to thwart a DDoS attack that was programmed into the code of the Code Red virus by moving the site away from the targeted IP address. And in 2005, Microsoft sidestepped a DDoS that was going to be triggered by PCs infected with the Blaster virus by killing the targeted IP address.
Once an attack has been launched a company can try to redirect the attack traffic to a null IP address, or a black hole, according to Trend Micro's David Perry.
More information on prevention and mitigation can be found on the SANS Web site and on the US-CERT site.
What can individuals do to prevent their computers from being used in a DDoS attack?
To keep malware off a computer, people should install the latest operating system and application patches, update their antivirus and other security software, consider using auto-updates for browsers and be careful about opening up attachments and visiting Web sites.
Larry Magid of CBSNews.com has more information for consumers on his Safe and Secure blog.
A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube was targeted in a denial-of-service attack that led to the sitewide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.
The blogger, who uses the account name "Cyxymu," (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.
"It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," Kelly said. "We're actively investigating the source of the attacks, and we hope to be able to find out the individuals involved in the back end and to take action against them, if we can."
Cyxymu LiveJournal account on cached version of Google.
(Credit: LiveJournal)Kelly declined to speculate on who was behind the attack, but he said: "You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the Internet."
Twitter was down for several hours beginning early Thursday morning, and it suffered periodic slowness and time-outs throughout the day.
Cyxymu's LiveJournal page wasn't accessible, but a cached version showed that it was updated on Thursday with a message about the denial-of-service, or DoS, attacks on his accounts on the United States-based sites. "Now it's obvious it's a special attack against me and Georgians," said the message, in Russian.
The site also apologized for a spam e-mail attack in which the sender was spoofed and made to look like the e-mails were sent by him. Screenshots are shown. It's unclear whether or how the spam attack is related to the DoS attacks.
In the distributed denial-of-service (DDoS) attack on the sites, computers that have been compromised by viruses or other malware are instructed by the attacker's computer to visit the specific Web sites all at the same time and repeatedly. The barrage of connection requests overwhelms the target sites, making it so that legitimate Web traffic can't get through.
Such coordinated attacks require the efforts of tens of thousands or more of hijacked computers, which together form a botnet. Spammers send e-mails with malicious attachments or URLs to millions of people to create botnets. Criminals also can lease existing botnets for specific campaigns for as little as 5 cents to 10 cents per bot.
A Facebook representative dismissed a theory that the attack was triggered by a spam campaign in which e-mails had links to the sites. It's unlikely that there would be enough recipients--all clicking on the URLs at the same time--to bring a site down, he said. There was a spam campaign that directed people to Cyxymu's accounts, but it wasn't the cause of the DoS, he said.
"The people who are coordinating this attack, the criminals, are definitely determined and using a lot of resources," Kelly said. "If they're asking our infrastructure to generate hundreds of pages a second, that's a lot of pages our users can't see."
Facebook and Google were able to minimize any impact to their sites, including Blogger, YouTube, and Google Sites, a free Web site service. Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, though it was inaccessible to people in other geographic areas, including San Francisco.
This was the first coordinated attack on the sites, and all the companies involved were working closely on the investigation, he said. "My team and the teams that are working together at all these companies are doing a really good job very quickly, and I'm proud and happy," he said.
Twitter and LiveJournal did not immediately return e-mails and calls seeking comment.
A Google representative offered this statement: "We are aware that a handful of non-Google sites were impacted by a DoS attack this morning and are in contact with some affected companies to help investigate this attack. Google systems prevented substantive impact to our services."
Political conflicts between Russia and its former republic spilled online last year with DoS attacks and Web site defacements going in both directions.
For more information, listen to Larry Magid's podcast interview with Elinor Mills.
Updated at 7:39 p.m. PDT, with Facebook saying a spam campaign did not cause the DoS, and at 6:35 p.m., with information from Cyxymu's site, more about the spam attack, how DDoS attacks work, and background on the Russia-Georgia conflict.
Twitter's new malware filter is a sign the social media site is stepping up efforts to stem attacks, but the measure has its shortcomings, say security experts.
Twitter's filtering mechanism was highlighted by Mikko Hypponen, chief research officer of F-Secure, in a blog post Monday. When a user tries to submit a tweet with a suspect Web link, the following warning appears:
"Oops! Your tweet contained a URL to a known malware site!"
Twitter's latest security measure was a positive one, especially in light of the current threats directed at the site, Hypponen told ZDNet Asia in an e-mail interview. The site, he noted, has been "attacked in many ways" including spam, worms such as Mikeyy, and phishing, he noted.
"None of these problems are at epidemic levels yet, but it's great to see Twitter take real action on this," he said.
Hacking is another challenge the popular microblogging site faces. In May, Twitter confirmed its network was hacked and some individual account information were leaked.
Dancho Danchev, independent security consultant and cyber threats analyst, noted that the site's latest security move was an indication "Twitter is finally moving from reactive to proactive security practices." However, he pointed out in a blog post on ZDNet Asia's sister site ZDNet.com, that the malware filter was "clearly still in development" and showed "disappointing results."
Danchev pointed to how a MySpace phishing page used in a tweet triggered the security filter, but was eventually accepted by adding a "http://" or removing the "www".
He noted that the site also allowed tweets containing links to several known malicious sites listed in Stopbadware's database, which has identified over 380,000 sites identified as unsafe. While it would not prevent the abuse of Twitter in the longer term, the failure to integrate such databases listing known malware was a "missed opportunity", Danchev said.
Twitter did not respond to e-mail queries from ZDNet Asia at press time.
Vivian Yeo of ZDNet Asia reported from Singapore.
Spam and botnets have hit their highest levels ever, according to McAfee's second-quarter Threats Report, released Wednesday. McAfee's Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year.
This follows a brief reprieve from spam following last year's shutdown of the McColo ISP. June alone saw the largest amount of spam recorded by McAfee, surpassing the previous monthly high in October by more than 20 percent. McAfee now estimates that spam accounts for 92 percent of all e-mail.
(Credit:
McAfee Avert Labs)
By country, the amount of worldwide spam originating from the United States has dropped steadily over the past three quarters, but the U.S. still leads in spam production at 25.5 percent of the global market. Brazil, Turkey, India, and Poland have also seen sizable increases at producing spam.
(Credit:
McAfee Avert Labs)
Zombies and botnets are on the rise, said the report, indicating that more computers are being hijacked to send spam and malware. McAfee recorded almost 14 million new zombies in action over the second quarter, a rise of more than 150,000 new zombies each day, another record.
Zombies and botnets can thank all the unprotected home computers, notes McAfee. More home users are setting up their PCs as remote access machines and as Web hosts, leaving those PCs increasingly vulnerable.
Another major threat reported by McAfee is AutoRun malware, which is triggered automatically when a person plugs in a USB stick, memory card, or other external device. The Trojans PWS-OnlineGames and PWS-Gamania and two viruses named W32/Sality and W32/Virut have propagated through removable cards and drives.
McAfee said it uncovered AutoRun malware in more than 27 million infected files during one 30-day period alone this past quarter, earning it the No. 1 spot of all malware detected worldwide.
(Credit:
McAfee Avert Labs)
"The jump in bot and spam activity we saw in the last three months is alarming, and the threat from AutoRun malware continues to grow," said Mike Gallagher, senior vice president and chief technology officer of McAfee Avert Labs.
Social-networking sites are another popular target for cybercriminals, noted the report. The openness of social networks often puts them at risk.
On Facebook, people freely access different applications that require a username and password, so those apps can easily tap into their accounts. McAfee also saw an increase this past quarter in the "popular" Facebook malware Koobface.
Twitter too has seen its share of threats. In April, the site was hit by a JavaScript worm that exploited a hole to infect user profiles. The same month, a French hacker was able to gain access to the account of a Twitter product director.
The use of sites like TinyURL by tweeters to shorten a lengthy URL can also pose a problem, said McAfee. Users have no idea what Web site the TinyURL redirects to until it actually opens.
McAfee releases its Threats Report each quarter. The first-quarter report was published in May.
