Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites. New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target.
In a blog post on Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it works. The Twitter profile was created specifically for the attack, with its profile information posted in Portuguese. The page contains nothing but a link to a video promising hot girl action; clicking on the link actually redirects the browser and instructs the user to download a new version of Adobe Flash that is supposedly required to watch the "film."
By this point, alarm bells should be ringing; end-users who install the fake Flash update end up with what Dmitry describes as 10 banker Trojans, all disguised as MP3 files. Based on information in the profile, the location of the web servers, and the e-mail the malware sends, he believes the attack originated in Brazil—though it is virtually impossible to be 100 percent sure.
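The "Trojans disguised as MP3 files" detail is the part of this chain a defender can check mechanically: a file's extension says nothing about its contents, while its first bytes do. The script below is an added example, not code from the article or from Kaspersky's report; the sample files it inspects are constructed in-line (no real malware), and the function names are the author's own. It classifies each file by its leading bytes (the DOS `MZ` stub and `PE\0\0` signature of a Windows executable, the `\x7fELF` magic, the `ID3` tag or MPEG frame sync of a real MP3) and flags any file whose name claims to be audio but whose content is executable.

```python
import struct

# Magic-byte classifier: trusts the bytes, never the file name.
def sniff_type(data: bytes) -> str:
    """Return a coarse content type based on the file's leading bytes."""
    if len(data) >= 2 and data[:2] == b"MZ":
        # DOS stub; a PE file stores the offset of "PE\0\0" at 0x3C.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:3] == b"ID3":
        return "mp3"  # ID3v2 tag header, the usual start of an MP3
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # raw MPEG audio frame sync (11 set bits)
    return "unknown"


def claimed_extension(name: str) -> str:
    """Lower-cased extension from the file name, or '' if there is none."""
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def is_masquerading(name: str, data: bytes) -> bool:
    """True when the name claims an MP3 but the bytes are an executable."""
    return claimed_extension(name) == "mp3" and sniff_type(data).endswith("executable")


def find_masquerading(files: dict) -> list:
    """Names of all files in {name: bytes} whose audio extension hides an executable."""
    return [name for name, data in files.items() if is_masquerading(name, data)]


# Constructed samples (assumption: these stand in for dropped files; none is real malware).
# A minimal PE layout: "MZ", zero padding to 0x3C, e_lfanew = 0x40, then "PE\0\0".
_FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
_REAL_MP3_ID3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 16
_REAL_MP3_RAW = b"\xff\xfb\x90\x00" + b"\x00" * 16

SAMPLE_FILES = {
    "hot_video.mp3": _FAKE_PE,       # executable wearing an .mp3 name
    "track01.mp3": _REAL_MP3_ID3,    # genuine-looking MP3 with an ID3 tag
    "track02.mp3": _REAL_MP3_RAW,    # genuine-looking MP3 starting at a frame sync
    "readme.txt": b"just text",      # irrelevant file type
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:15s} {sniff_type(data):15s} masquerading={is_masquerading(name, data)}")
    print("flagged:", find_masquerading(SAMPLE_FILES))
```

The same approach generalises to any "document" drop: the check is cheap, needs no signatures, and catches the specific trick the report describes regardless of what the lure or the file names happen to be.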
The actual payload is nothing new, and delivery requires little more than a web server and some Trojans. The threat, as is typical with phishing schemes, lies within the attack vector itself. The current structure of Twitter, according to Bestuzhev, leaves the service vulnerable to abuse. Unprotected Twitter profiles are indexed by Google, which could allow an infected profile to bounce to the top of a search index, and Twitter is currently vulnerable to an exploit that allows an attacker to force his victim to follow him on Twitter. The more followers attached to an infected page, the better the chances that the infection could spread. As the infection spreads, the profile's number of followers on Twitter rises, which increases the chance of infection…you get the idea.
Dmitry notes that this type of attack hasn't surfaced as a full-blown assault in the wild—at least not yet—but hackers are obviously taking a proactive approach to new delivery systems. Today's viability test can become next week's viral explosion, making it all the more important to patch flaws as they are discovered. As for Twitter itself, the very nature of the service could make it amenable to certain attack vectors. The best way to discover whether an e-mail or website is genuine is to read it; the vast majority of phishing lures are written in lousy English, and a little context goes a long way towards classifying an e-mail. Twitter, by definition, is all about removing that context and cutting straight to the point in 140 characters or fewer.
There are still plenty of ways to tell a real Twitter user from a fake one, and the company has committed to patching the auto-follow vulnerability I mentioned earlier, so these loopholes will hopefully be closed before anyone manages to take advantage of them. Phishers, however, will probably follow the money trail, keen to present their wares to anyone they can convince to click in just one sentence or less.