According to a blog post published by online security firm Trusteer on Monday, the malware basically uses Twitter like traditional malware uses emails — to carry out spear-phishing campaigns and spread itself to other unsuspecting victims. Call it "twishing."
"This attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing," writes Trusteer's Dana Tamir in the blog post. "Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine."
Twitter phishing — or twishing — is nothing new, although usually it's spread via direct messages or emails purporting to notify users of DMs. Seeing malware spread through regular tweets is more rare, though.
In 2010, Mashable reported on another similar Twitter security flaw that tried to infect users through regular tweets. And, more recently, the cyberespionage malware MiniDuke has even used fake Twitter accounts. But this might be the first time real Twitter accounts are hijacked to carry out phishing attacks.
"We haven't seen other Twitter attacks," Yishay Yoven, Trusteer vice president of marketing, told Mashable. He notes, however, that they have seen multiple attacks using Facebook, as Mashable has reported multiple times in the past.
Yoven underlines the dangers of this kind of attack, noting that users aren't used to distrusting shortened links contained in tweets coming from people they follow. "You're trained to suspect emails; it's probably easier to use something like Twitter when it looks like it came from you," he said.
The malware targets Dutch victims, so the tweets reference the Dutch Queen and her heir, as well as the CEO of a Dutch bank, to make them seem more real. One tweet also mentions Beyonce.
Trusteer published three examples of malicious tweets: "Beyonce falls during the Super Bowl concert, very funny!!!!;" "Our new King William will earn even more than Beatrix. Check his salary;" and "CEO of [Dutch Bank] is off with our millions!! The minister is inspecting again... see." (The name of the actual bank was redacted by Trusteer.) Every tweet includes a shortened link that allegedly infects whoever clicks on it.
Trusteer reported that they've found these tweets being spread around by multiple accounts, proving that the campaign has successfully tricked numerous users into clicking on the malicious links. The company also published a few examples of malicious links, reporting that they seem to be inactive now.
Yoven told Mashable that they notified Twitter of the malware, but there's little the company can do to prevent this kind of attack. Yoven confessed that he doesn't know whether Twitter checks every link posted in every tweet but "even if they did, unless some third party provider told them that website is malicious, I doubt that they can actually do it themselves. It's very, very difficult to do it."
Yoven noted that the only way to avoid this malware is to be careful what you click on and to have anti-malware protection installed.
Mashable reached out to Twitter for comment but we have yet to receive an answer to our inquiries.
Who is behind this new type of malware? Trusteer doesn't know. That the malware's targets are for now limited to the Netherlands might indicate that the criminals behind this type of TorRAT are Dutch. But there's nothing that prevents malware like this from being used elsewhere. In fact, in her blog post, Tamir notes that this type of attack "can be used to target any market and any industry."
New Malware Hijacks Twitter Accounts for Financial Fraud