PandaLabs : Twitter

Rogueware campaign on Twitter continues...

Sean-Paul Correll — Thu, 04 Jun 2009 08:13:00 GMT

The Twitter Trends based attack we blogged about yesterday has expanded from just one trend to nearly all of them! Over the past 24 hours, there have been several thousand tweets targeting trending topics on Twitter and the numbers continue to rise.

Example Tweets:

As you can see from the example tweets, the cyber criminals are targeting twitter trends in real-time. I went ahead and captured every tweet up until about 8PM tonight and put together a Tag Cloud so that you can see what terms were targeted more frequently.

Clicking on any of the links will put you through a series of redirects, at which point you will arrive at a website prompting you to install a fake Adobe Flash plugin (flash_player_plugin.exe). If the so-called “plugin” is installed, then the computer will be infected with Adware/PrivacyCenter.

The emergence of this type of threat distribution method demonstrates how cyber criminals are adjusting and evolving to the newer services offered on the Internet. It’s especially dangerous with sites like Twitter, which offer up to the second updates (or live tweets) of events as they unfold in real time. In the future, sites which promote an unfiltered and open dialog through a global hive of users will have to think twice about the potential threats exposed by features or even API services that they offer.

Rogueware Campaigns blending in with Twitter Trends

Sean-Paul Correll — Wed, 03 Jun 2009 08:23:00 GMT

Update: 6/4/09 - Rogueware campaign on Twitter continues...

"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.

I clicked on the section inside of the trending topics group and ironically the links in the tweets looked fishy.

I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.

Connections/Redirects leaving Twitter:

Clicking on any element inside of the PornTube page resulted in a run of the mill Adware/PrivacyCenter infection, but the interesting part of it all is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to effectively trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.

Crypto Challenge

Sean-Paul Correll — Tue, 02 Jun 2009 00:41:00 GMT

Those of you who already follow me on Twitter know that every once in a while I throw together a quick, geeky puzzle for everyone to solve. After my last challenge, a few people asked me to make the next puzzle a little bit harder to solve. This meant including a few more steps and throwing in some visual elements in, as well.

The Top 10 people to direct message the solution to me on Twitter win a prize. Contest ends on 6/15/2009

I hope you all have as much fun cracking it as I did putting it together! :)

NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA=