ROFL this you on here? The latest Twitter Worm

At 2pm on Wednesday 9/24, widespread reports started showing up on Twitter of a new Twitter worm that sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”. The link opens a Twitter-style login page (albeit Twitter’s previous version of this page; they have a new one) which, except for being an old version and containing a stray angle bracket, is convincing. Upon logging in, the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.

The phishing site's Twitter login page.

The real Twitter homepage

Because direct messages are private, it is not possible for anyone but Twitter itself to pinpoint both when the attack began and the original seeding of the attack (whether compromised user accounts, previously set up spam/bot accounts, or another method). A number of accounts appear to have been affected; by 5pm TwitScoop (a service that monitors popular Twitter trends) started reporting trending words including “hacked”, “worm”, and “spreading”. The attack is effective because of two classic principles of social engineering: the message comes from someone you have previously followed (and implicitly trust on some level), and the message appeals to a combination of curiosity and vanity.

On Twitter you can only send a direct message to someone who is following you. Put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages. This attack is the Twitter equivalent of e-mail phishing schemes that send mail to the contacts in someone else’s address book: you theoretically know the person already and are more likely to open an e-mail received from them. Combine the suggestion that this person you know, or know of, has found a video of you online with a login screen that is familiar, and you end up with a number of compromised Twitter accounts.

The direct message containing the link to the spoofed Twitter login.

This is far from the first worm Twitter has faced (Koobface, StalkDaily, mikeyy), and it is not even the first direct message phishing attack in this style. While labeled a worm on Twitter, it is not confirmed thus far that this is a self-replicating program, an important part of the definition of a computer worm; it just appears that way. To get some understanding of this, Twitter would have to release some analysis of their logging, showing some correlation between a compromised Twitter account, a direct message to a group of parties, and then a subsequent compromise and direct message from within that second group, and so on down the chain. For now we’ll assume this is the path this attack is taking, based on the evidence we have noticed thus far. Regardless, since everyone is referring to this as a Twitter worm, for the sake of clarity we’ll continue to call it a worm here and update if proven otherwise.
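The correlation described above can be sketched over a direct-message log. This Python example is added here and is not Twitter's tooling or part of the original post; the log format, account names and events are constructed, and "received the lure, then sent it" is an assumed proxy for compromise.

```python
LURE = "secure-logins01.com"  # phishing domain quoted in the article
MSG = "rofl this you on here? http://videos.twitter.secure-logins01.com"

# Constructed DM log for illustration: (epoch seconds, sender, recipient, text).
EVENTS = [
    (100, "seed", "alice", MSG),
    (100, "seed", "bob", MSG),
    (160, "alice", "carol", MSG),
    (170, "bob", "carol", "lunch tomorrow?"),  # bob got the lure but never relayed it
    (220, "carol", "dave", MSG),
    (230, "erin", "dave", MSG),                # erin never received it: a second seed
]

def propagation(events, lure=LURE):
    """Return (parent, generation) for every account that sent the lure."""
    first_recv = {}  # account -> sender of the earliest lure it received
    parent, gen = {}, {}
    for ts, src, dst, text in sorted(events):
        if lure not in text:
            continue
        if src not in gen:                     # first time src relays the lure
            parent[src] = first_recv.get(src)  # None: no inbound lure, so a seed
            gen[src] = 0 if parent[src] is None else gen[parent[src]] + 1
        first_recv.setdefault(dst, src)
    return parent, gen

def chain(account, parent):
    """Walk back from an account to the seed that started its chain."""
    path = [account]
    while parent.get(path[-1]) is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def looks_self_propagating(gen):
    # Two or more hops past a seed: recipients became senders at least twice.
    return max(gen.values(), default=0) >= 2

if __name__ == "__main__":
    parent, gen = propagation(EVENTS)
    for account in gen:
        print(gen[account], " -> ".join(chain(account, parent)))
    print("self-propagating pattern:", looks_self_propagating(gen))
```

A chain only shows that recipients later became senders; it does not distinguish automated relaying from an operator logging in by hand with the stolen credentials.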

What happened if you did go ahead and put credentials in the login screen: Fail Whale.

If you put some string in for the login or password, this is the response.



No Newcomer

The URL in question is hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is the internet service of China Telecom (3rd biggest mobile telecom provider in China). The e-mail address used in the registration, [email protected], links this up to similar phishing sites for Twitter and MySpace identified in the malwaredomainlist forums back in July. That time around the site URL was: secure-login.twitter.verifiylogin.com/twitter/. MySpace was cloned at rnyspece.com.

Another URL, Faecibook.com, registered with the same e-mail address, is a phishing site that appears to prey on users in a way very similar to the Twitter attack, posting comments on Facebook such as this: “seen this really bad blog about you? http://www.jdsense.com/search/redirect.php?f=http://blogs.faecibook.com/sessionid?nglnbskuf”.
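The hostnames quoted above share two tricks: the brand appears only as a subdomain label of an unrelated registrable domain, or the registrable domain is a near-miss spelling, sometimes hidden behind a redirector parameter. The following Python check is an added example, not part of the original post; the brand watch list, the two-label registrable-domain shortcut and the edit-distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed watch list: brand label -> its legitimate registrable domain.
BRANDS = {"twitter": "twitter.com", "facebook": "facebook.com", "myspace": "myspace.com"}

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def unwrap(url, depth=3):
    # Yield the URL itself, then any URL carried in its query string (redirector links).
    yield url
    if depth:
        for _, value in parse_qsl(urlsplit(url).query):
            if value.startswith(("http://", "https://")):
                yield from unwrap(value, depth - 1)

def findings(url):
    out = []
    for u in unwrap(url):
        host = urlsplit(u).hostname or ""
        reg = registrable(host)
        name = reg.split(".")[0].replace("rn", "m")  # "rn" renders like "m"
        for brand, real in BRANDS.items():
            if reg == real:
                continue  # genuinely the brand's own domain
            if brand in host.split(".")[:-2]:
                out.append((host, f"'{brand}' used as a subdomain of {reg}"))
            elif edit_distance(name, brand) <= 2:
                out.append((host, f"{reg} resembles {real}"))
    return out

# URLs quoted in the article, plus the real site as a negative control.
SAMPLES = ["http://videos.twitter.secure-logins01.com", "http://rnyspece.com",
           "http://www.jdsense.com/search/redirect.php?f=http://blogs.faecibook.com/sessionid?nglnbskuf",
           "https://twitter.com/login"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, findings(sample))
```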

That e-mail was also used in a series of money transfer agent scams (money mules) with bogus charity phishing web sites (KPEREZHOME, Rodney Lawrence International, Edward White, et al.), all hosted on a problematic registrar, the Xin Net Technology Corporation.

A photographer, Warren Henke, wrote a blog post describing receipt of a phishing e-mail associated with this scam from the Glen Hamilton International Organization.

The Rodney Lawrence International phishing site.

Something New

One of the differences that separates this attack from previous ones is that, in the time since the more famous compromises of January of this year (Barack Obama, Britney Spears, CBS News, Kevin Rose), Twitter has implemented some controls around the login screen, including a CAPTCHA element that shows up after several bad password entries.

CAPTCHA is a program designed to differentiate humans from computers and prevent abuse by bots, automated programs used to generate spam among other things. It is a contrived acronym standing for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA has three primary principles: the computer can’t solve it, most humans can, and the tool does not rely on some form of obscurity such as being a new implementation.

reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows.

What is actually used is reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows. When you are translating the image to text, you are acting as a human optical character recognition (OCR) translator. The service was acquired by Google this month. Circumventions of CAPTCHA have occurred with each step in the method’s evolution, starting in wide use with Yahoo’s EZ-Gimpy program, using roughly the same three-step process: pre-processing, or removing the background obscurities; segmentation, or separating the letters; and classification, or identification of each letter. Segmentation remains the one area where humans outperform computers; however, spammers are achieving some level of success in this area. Here is a good analysis from WebSense detailing how a service in Russia is achieving a 20% rate in automated breaks of CAPTCHA images.

So CAPTCHA, while not perfect, does help mitigate dictionary brute force password attacks in that it adds another layer of complexity to the authentication process. Some of the reasons for beating CAPTCHA are to be able to post blog comment spam, create fraudulent accounts such as the e-mail example above, and perform similar automated completion of web forms designed for human interaction. In these applications it makes sense: a download of the image, a translation to text, and the comment spam is posted, the e-mail account created, and so forth. If two or three out of every ten requests are successful, the comment will be posted or the new account opened at an acceptable rate.

In a password cracking application, which moves quickly through a number of password possibilities for each id, the additional processing combined with a less than perfect translation rate adds a level of complexity that an attacker is unlikely to take on. With that in mind, how does the bad actor break into Twitter accounts easily? The answer may lie in the Twitter API, which, while limiting the rate of requests, still allows for a large request rate upon request. That is not to suggest that this is definitely what this attacker did; in fact the bad actor in this case may have previously had compromised ids, may have used more conventional spam tactics to get an original seeding of ids, or may have broken into a few early accounts as discussed here. Only Twitter could potentially have the log access to figure this out.

Filed Under: Phishing, Security, Social Networking

Comments (7)

  1. John says:

    Is there any evidence that this is a worm at all? From the description of the attack, all the code was server side. Even if completely automated, it would be a stretch to call this a worm since no code was ever executed on a remote system. It just gathered credentials and then re-phished with stolen accounts.

    • Prefect says:

      Agreed John, thus the comment in the article: “While labeled a worm on Twitter, it is not confirmed thus far that this is a self-replicating program, an important part of the definition of a computer worm, it just appears that way. In order to get some understanding of this, Twitter would have to release some analysis of their logging…”

  2. [...] the rounds this morning, which is actually an expertly crafted variant of the worm we reported back on September 24th. The variant has changed the direct message from “ROFL, this you on here?” to [...]

  3. [...] has been slowly closing loop holes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation had been on login that shows up when you enter too many [...]

  4. [...] Spoofed Twitter login page. But this attack is doing something interesting, it is including a “via @username” before the spam message in some cases. This could represent going to the next level of social engineering by not only having the spam message come from a user account you are linked to, but also claiming essentially to be a retweet (the use of via is used in Twitter messages to attribute a piece of information) of another trusted sources information. Alternatively it could be a method for avoiding the web site display resulting from Twitter’s new handling of the classic method for retweets (RT @Username: message) which many users have objected to. Both domains are hosted on the same IP address, IP geolocation shows this to be hosted in Hebei, China. Both reference the web site contact [email protected] which has been seen in earlier Twitter attacks. [...]

  5. [...] followed and trust on some level.  A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign:  lixing688 at [...]
