“Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick

Historically, the “Is this you?” style Twitter attack seems to be seeded either by an original break-in to the victim’s Twitter account, or by that user having provided his or her credentials to a phishing-style web site made to look like Twitter as the attack propagates through the popular micro-blogging service. This time around, however, the account of security consultant and former cracker Kevin Mitnick was caught up in this generic, untargeted Twitter “worm”.

The @KevinMitnick twitter account message linking to a phishing site.

This Attack

TweetMixx contains 889 references to this URL and the same message, so Kevin’s account wasn’t the only one the bad actors used to spam Twitter accounts. The referenced URL, http://pduda.mobi/adgga, is a shortened URL that appears to lead to http://albums.twitter.placement-selection.com, a spoofed Twitter authentication page. The .mobi extension is a top-level domain for mobile sites.

This scam also appears to have been perpetrated with messages such as:

  • “I think I found ur high school photo”
  • “My friend shoed me you on here:”
  • “hi, I want to see if you will score higher on this iq test. take it here”
  • “see if your iq is higher than mine. Take the iq quiz”

These tweets have appeared all over Twitter in the last week of November. This second scam sometimes includes a link with the same sub-domain structure as the one above (twitter is spelled wrong in the sub-domain), but with a different second-level domain (sarrispromo.com). Both domains lead directly to a copy of the Twitter login page with the stray “>” character we have seen before.

Spoofed Twitter login page.

But this attack is doing something interesting: in some cases it includes a “via @username” before the spam message. This could represent the next level of social engineering, in that the spam message not only comes from a user account you are linked to, but also claims essentially to be a retweet (“via” is used in Twitter messages to attribute a piece of information) of another trusted source’s information. Alternatively, it could be a method of avoiding the web site display that results from Twitter’s new handling of the classic retweet format (RT @Username: message), which many users have objected to.

Both domains are hosted on the same IP address, which IP geolocation places in Hebei, China. Both reference the web site contact lixing688@gmail.com, which has been seen in earlier Twitter attacks.
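As an added example (not code from the original post), here is a small detector that applies the indicators described above to tweets: the lure phrases, the shortener host, the spoofed “twitter” sub-domain sitting under an unrelated second-level domain, and the “via @username” prefix. The sample tweets and the misspelled sarrispromo.com host name are constructed; the lure phrases, pduda.mobi and placement-selection.com come from the post.

```python
import re
from urllib.parse import urlparse
# Lure phrases quoted in the post, matched case-insensitively as substrings.
LURE_PHRASES = ("this you", "i think i found ur high school photo",
                "my friend shoed me you on here", "score higher on this iq test",
                "see if your iq is higher than mine")
# The post notes a (sometimes misspelled) "twitter" label in the sub-domain of an
# unrelated second-level domain; this pattern covers the usual misspellings.
LOOKALIKE_LABEL = re.compile(r"tw[i1l]+t+er", re.I)
LEGIT_DOMAINS = {"twitter.com"}
SHORTENER_HOSTS = {"pduda.mobi"}  # from the post; a real list would be far longer
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    # Naive "last two labels" rule; adequate for the .com/.mobi hosts seen here.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if host in SHORTENER_HOSTS:
        return "shortener"
    sub = host[:-len(reg)].rstrip(".")  # labels left of the registrable domain
    return "lookalike" if LOOKALIKE_LABEL.search(sub) else "other"

def score_tweet(text: str) -> dict:
    lowered = text.lower()
    reasons = []
    if re.match(r"\s*via @\w+", lowered):
        reasons.append("via-prefix")
    if any(p in lowered for p in LURE_PHRASES):
        reasons.append("lure-phrase")
    for url in URL_RE.findall(text):
        kind = classify_url(url)
        if kind in ("lookalike", "shortener"):
            reasons.append(f"{kind}:{urlparse(url).hostname}")
    # Two independent indicators are required, so a lone shortened link does not alert.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}

def flag_tweets(tweets):
    return [t for t in tweets if score_tweet(t)["suspicious"]]
SAMPLE_TWEETS = [  # constructed; the misspelled sarrispromo.com host is assumed
    "via @somefriend Hi. This you?? LOL http://pduda.mobi/adgga",
    "see if your iq is higher than mine. Take the iq quiz http://albums.twiter.sarrispromo.com/",
    "New post on log analysis http://twitter.com/someuser/status/1",
]
```

Run over a timeline export, the two-indicator rule flags the first two sample tweets and leaves the legitimate twitter.com link alone.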

The History That is Mitnick

Mitnick is often cited as the Frank Abagnale (the famous check counterfeiter featured in ‘Catch Me If You Can’) of computer security, but the actual history of Kevin Mitnick is an unmitigated mess. He is well known in computer security circles as a former cracker turned security consultant and author, which is where the Abagnale comparison comes into play. He is acknowledged for the most part as being an expert in social engineering and for successful phone phreaking exploits. In 1988 he was convicted and sentenced to 12 months in prison after breaking into and copying software from Digital Equipment Corporation (DEC). After release he cracked into voice mail computers of Pacific Bell; a warrant was issued for his arrest, and he fled, all the while continuing to crack into systems. Among his confirmed criminal acts are cracking into the systems of Motorola, NEC, Nokia, Sun Microsystems, and Fujitsu Siemens, the aforementioned crack into DEC systems to look at VMS source code, gaining admin access on a Computer Learning Center IBM minicomputer, and using the Los Angeles bus transfer system to get free rides as a kid.

Mugshot

After a highly publicized pursuit, Mitnick was taken into custody by the FBI in Raleigh, NC in 1995, and in 1999, as part of a plea agreement, confessed to four counts of wire fraud, two counts of computer fraud, and one count of illegal interception of a wire communication. He received 46 months plus an additional 22 months for violating the terms of his 1989 supervised release. Four and a half years of his sentence were served pre-trial (right to a speedy trial?), with eight months in solitary confinement due to unreasonable projections of his capabilities by law enforcement, including the oft-repeated claim that he could “start a nuclear war by whistling into a telephone.”

On January 1st, 2000 he was released and subsequently founded Mitnick Security Consulting LLC. He has written two books, The Art of Deception and The Art of Intrusion and contributed to the 2009 release of Unauthorized Access written with Wil Allsopp.

Controversial author and Mitnick sleuth Tsutomu Shimomura.

Past the accepted facts, the story becomes murky. We are left to rely on the story of Mitnick himself, the FBI, a highly controversial book by John Markoff (NY Times journalist) and Tsutomu Shimomura called Takedown, and a follow-up book by author Jonathan Littman, The Fugitive Game: Online with Kevin Mitnick, which seeks to debunk as fiction much of what is presented in Takedown. The FBI acknowledges the involvement of Shimomura in a very limited way, but the inconsistencies in his book have made it problematic to believe much of his story.

Markoff also wrote Cyberpunk, which tells the stories of Mitnick and others, but has been criticized for not actually interviewing the still-living subjects about their exploits. Mitnick himself was largely under a gag order that ran until January 29th, 2007; the next month he announced he was writing an autobiography, which has yet to be released (expected Spring 2010).

Not a First Timer

Mitnick has been a victim of crackers before, although in those cases the attacks were targeted. Most recently, in July of 2009 on the eve of the Black Hat Conference, his web site was defaced with gay pornography and the message “all aboard the mantrain”. Think train to get an understanding of the image displayed. The group Zero for 0wned (zf0) published details of their exploits against Mitnick as well as other security professionals, along with commentary:

Kevin has become the media rep for the hacker community, something which he has grown further and further apart from ever since his release. Without John Markoff's sensationalist reporting Kevin Mitnick would not have the notoriety that allows him to earn his money providing keynotes at conferences all over the world. Kevin is polluting the media with bullshit. Whilst we understand that owning him is something which has been done many, many times, we felt that not presenting his insecurity publicly would be wrong. Since 2003 this has been done three times of note and Kevin has used his enormously powerful SOCIAL ENGINEERING techniques to escape with an unharmed reputation each time. The fact is that he cannot secure his systems because he does not know how.

From Summer of Hax, July 28th, 2009 by zf0.

What does the Twitter compromise prove?

Let’s assume Kevin is adept enough that he did not provide his credentials to a fake Twitter site. This also does not look like a targeted attack; rather, it looks as though his account was caught up in a generic spamming attack against Twitter. What are we left with: a weak or easily guessable/brute-forced password? Have bad actors figured out an efficient way around the CAPTCHA mechanism for password brute forcing, or are they breaking in via the Twitter application programming interface? The Twitter API represents a delicate balancing act for Twitter: much of the popularity of their service is based on the ability of developers to release tools built on the API, so it cannot be left as a weak authentication path, but it also cannot be overly onerous to use. Twitter engineers are thus faced with an unenviable challenge.

This might demonstrate the pervasiveness of attacks on Twitter, as even security personalities are not immune to account hijack. It depends largely on the attack vector: how were the credentials for Kevin’s account exposed, and was his password of sufficient complexity? If the password was of sufficient complexity, if credentials were not provided to a phishing web site, and if the credentials are not the same ones used at another web site with weaker security controls, then there may be little to question the victim on.

Rather this juncture is again an excellent opportunity for Twitter to research their logs and start reporting to the world what they are actually seeing (failed password attempts, exploitation of alternate authentication paths with weaker controls, etc.). It is time to publish the ‘Twitter Security’ blog. Hiring a head of information security to write it would be a great first step (he or she could work on other things at Twitter while there).

But maybe this is summarized best by Adrian Lamo, the former grey hat hacker turned journalist famed for his 2002 break-in to the New York Times, who stated in relation to this compromise: “These things happen.”

Updates:

  • Kevin Mitnick responds: “Yup, I used a VERY simple password just as I do for junk accounts like latimes.com, etc. Now it’s just a little bit harder, but not much :-)”

Comments (1)

  1. maht says:

    Twitter advertises using unencrypted HTTP Auth, so it could be easy to be snared by a third-party client leaking your pw

    http://apiwiki.twitter.com/Things-Every-Developer-Should-Know#8AcommandlineisallyouneedtousetheTwitterAPInbsp
