Twitter Adopt 2FA; Here Is What You Can Do
Posted: 23 May 2013 09:01 AM

In the wake of recent account compromises, including Associated Press and the rampant breaches orchestrated by the "Syrian Electronic Army", Twitter has released 2FA (two-factor authentication), a most welcome addition to bolster users' security. It is not, however, the be-all and end-all: the second factor only protects the login step, and users are still responsible for choosing strong, hard-to-guess passwords. If your password is compromised, control of your account may still be lost to malicious actors.

It is true that, given unbounded time and resources, every password is crackable regardless of its complexity: a pass-string of 200 random characters and a password of a single character both fall to exhaustive search eventually. The aim of a complex pass-string is not to be uncrackable but to push the expected duration of that search beyond anything an attacker can afford. Let's first take a look at the total number of possible combinations for a given set of characters and a given length:

[Table not reproduced here: for each character-set size and each password length it lists the number of possible strings, i.e. the size of the set raised to the power of the length.]

The table counts ordered strings with repetition allowed, so a set of n characters yields n^L distinct strings of length L.

The first row, every string of the 26 lower-case letters at a length of 8 (which necessarily includes every English word of that length), holds 26^8, roughly 2.09 × 10^11 combinations. That may seem an unattainable number, but a modern GPU (Graphics Processing Unit) can compute a fast, unsalted hash at up to 772 MH/s (772 million hashes per second), and at that rate the first row is exhausted in around 270 seconds, or about 4.5 minutes. Two caveats: that figure is for an offline attack on a leaked hash (a deliberately slow password hash such as bcrypt, scrypt or PBKDF2 cuts the rate by several orders of magnitude), and an online attack against a live service is limited by the service, not by the GPU.

A user is unlikely to choose 8 arbitrary characters for a password that will be used on a daily basis; a typical string has some semantic content, such as a dictionary word (and various mutations thereof). Knowing this, crackers have produced many aids for this type of attack: wordlists, mangling rules that derive the common mutations of each word, and rainbow tables. A rainbow table is a time-memory trade-off rather than a plain list of hashes next to their plaintexts: it stores chains of pre-computed hash and reduction steps, so that an unsalted hash of a known algorithm can be reversed in seconds after a one-off computation. Per-user salts defeat it, since every salt would need its own table.

 

To give an example of how quickly weak passwords can be cracked, we set up a test using a simple Python script and BackTrack 5's Hydra alongside a moderate GPU, and targeted a test SMTP account. Note that Hydra is an online login brute-forcer: each guess is submitted to the live service, so throughput is bounded by the server and the network, and the GPU hash rate quoted above does not apply here.

   Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
   Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-23 07:08:12
   ……
   login: ******   password: dave123
   [VERBOSE] using SMTP LOGIN AUTH mechanism
   1 of 1 target successfully completed, 1 valid password found
   Hydra finished at 2013-05-23 07:08:51
   <finished>

The password used only 36 possible characters (lower-case a-z and 0-9) and was recovered in 39 seconds. That is not because the keyspace was exhausted: 36^7 is about 7.8 × 10^10 candidates, far more than any online attack can submit in 39 seconds. It fell because "dave123" is a name with a short digit suffix, exactly the shape a wordlist-with-rules attack tries first.

 

While major sites will have (or should have) authentication attempt throttling, it’s not uncommon for minor sites to allow unlimited attempts to access an account, which, coupled with password reuse, is a huge problem.
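The throttling the paragraph above calls for can be shown in a few lines. The example below is added here and is not code from the original post; it models a sliding-window limit on failed logins per account and replays an online guessing run of the kind shown in the Hydra output against it. The limits (5 failures per 15 minutes), the account name, the wordlist and the guess rate are illustrative assumptions.

```python
"""Added example (not from the original post): per-account login throttling.
Limits, account name, wordlist and guess rate below are illustrative assumptions."""
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins per account."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        # account -> timestamps of failures inside the window, oldest first
        self._failures = defaultdict(deque)

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, now):
        """True if a login attempt for `account` may be evaluated at time `now`."""
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures

    def record(self, account, success, now):
        """Update the window: a success clears it, a failure adds a timestamp."""
        if success:
            self._failures.pop(account, None)
        else:
            self._failures[account].append(now)


def simulate_guessing(throttle, account, correct, wordlist, guesses_per_second, start=0.0):
    """Replay a Hydra-style run: one guess every 1/guesses_per_second seconds.
    Returns (password_found_or_None, guesses_evaluated, guesses_rejected)."""
    evaluated = rejected = 0
    for i, guess in enumerate(wordlist):
        now = start + i / guesses_per_second
        if not throttle.allowed(account, now):
            rejected += 1          # the service refuses before looking at the password
            continue
        evaluated += 1
        ok = guess == correct
        throttle.record(account, ok, now)
        if ok:
            return guess, evaluated, rejected
    return None, evaluated, rejected


# Constructed wordlist: a first name with 200 digit suffixes; "dave123" sits at index 123
WORDLIST = [f"dave{n}" for n in range(200)]


def run(max_failures):
    """Run the same 5-guesses-per-second attack under a given failure limit."""
    throttle = LoginThrottle(max_failures=max_failures, window_seconds=900)
    return simulate_guessing(throttle, "dave", "dave123", WORDLIST, guesses_per_second=5)


if __name__ == "__main__":
    print("no throttle:  ", run(max_failures=10**9))   # ('dave123', 124, 0)
    print("5 per 15 min: ", run(max_failures=5))       # (None, 5, 195)
```

Without a limit the 124th guess lands; with one, the service stops evaluating after five failures and the remaining 195 guesses never touch the password check. A per-account lockout on its own hands an attacker a way to lock the legitimate user out, so in practice it is paired with per-source limits and, where available, a second factor.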

 

Users I have spoken to told me they use different passwords for different sites in almost all cases. When quizzed further, I found they typically used the same base string with some simple mutations, for example:

 

password
Password
Passw0rd
passw0rd!1
pa$5w0rd!1

 

Knowing the base string, and applying a very simple substitution algorithm (leetspeak swaps, capitalisation, appended digits and symbols), we can crack these accounts in mere seconds. It is trivial for an attacker to automate the process, which means credentials recovered from some forgotten, compromised server can be fed straight into attacks on every other site where the same user name appears, and those accounts may well be compromised in turn.
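The following example is added here and is not code from the original post. It puts numbers on the two points above: the keyspace arithmetic behind the table, and a rule-based generator that derives the listed mutations (password, Password, Passw0rd, passw0rd!1, pa$5w0rd!1) from the single base word and runs them against a hash. The base word, the rule set and the "leaked" hash are constructed for the demo, and unsalted sha256 stands in for whatever hash a site actually stores.

```python
"""Added example (not from the original post): rule-based guessing of the
mutations listed above, plus the keyspace arithmetic behind the table.
The base word, rule set and 'leaked' hash are constructed for the demo, and
unsalted sha256 stands in for whatever hash a site actually stores."""
import hashlib
import itertools

# Per-character swaps; each letter may stay as-is or take one of its substitutes
# (the list above uses both '$' and '5' for 's', so the choice is made per position).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
# Suffixes appended after the swaps, cheapest first
SUFFIXES = ["", "1", "!", "!1", "1!", "123"]


def seconds_to_exhaust(charset_size, length, hashes_per_second):
    """Time for an exhaustive search of charset_size ** length candidates."""
    return charset_size ** length / hashes_per_second


def mutations(base):
    """Yield every candidate the rule set derives from one base word:
    all combinations of per-character swaps x two capitalisations x suffixes."""
    base = base.lower()
    per_char = [LEET.get(c, c) for c in base]
    for chars in itertools.product(*per_char):
        word = "".join(chars)
        for variant in (word, word[0].upper() + word[1:]):
            for suffix in SUFFIXES:
                yield variant + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, base):
    """Try the mutations of `base` against an unsalted sha256 hash.
    Returns (plaintext, attempts) on a hit, or (None, attempts)."""
    seen = set()
    for candidate in mutations(base):
        if candidate in seen:
            continue
        seen.add(candidate)
        if sha256_hex(candidate) == target_hash:
            return candidate, len(seen)
    return None, len(seen)


if __name__ == "__main__":
    leaked = sha256_hex("pa$5w0rd!1")               # constructed "leaked" hash
    print(crack(leaked, "password"))                 # recovered within 648 candidates
    print(f"{seconds_to_exhaust(26, 8, 772e6):.1f} s")   # the ~270 s figure from the text
```

For "password" the rule set yields 648 candidates, and the most elaborate entry in the list above is among them; compare that with the 2.09 × 10^11 strings of the first table row. Real crackers ship far larger rule sets, and a wordlist of leaked passwords as the base makes the search even shorter.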

 

As Twitter will attest, using secure, hard to guess pass-strings and varying user names (not always possible)  are an absolute must for anybody who uses systems, applications, or sites accessible to others. Remember, it’s not just the internet that has people after your credentials; rogue employees and disgruntled exes, to name but two, are on the lookout for your details. 

 

To ensure accounts are as secure as possible, it’s advisable to:

  1. Use strong, hard to guess, non-dictionary pass-strings. If the app doesn't allow you to use a mix of alphanumeric and special characters, you may not want the owner to have your details.
  2. Never, ever reuse passwords. It’s also good practice to not reuse passwords with simple substitutions.
  3. Ensure old accounts are deactivated where possible. Although you cannot trust a database would be purged of credentials, it’s certainly a start.
  4. Think before signing up to a site or service; always read their security policy.
  5. Be vigilant! Phishing is an easy-win for cyber criminals, so don’t give them an easy ride – sites and services will (or should) _never_ ask for your password via email.

 

Abiding by these rules will help make passwords as secure as they can be.

Drendell_

Battered Twitter, Phish but no Chips!
Posted: 05 Feb 2013 04:47 PM

Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

 

Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received from direct messages or Tweets particularly if the page you've been directed to is asking for your credentials or personal information.

 

Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex password (and most definitely not your pet, team, town or a dictionary word), as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you will hopefully have received a notification from Twitter that suggests these actions along with some general tips for account security:

[Twitter's notification not reproduced]

Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work  with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

 

The recent compromise is reported to impact 250,000 users, 0.05% of total users or 0.125% of active users, and so may seem a small drop in the Twitter ocean. It is not surprising, therefore, that attackers are continuing to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

 

This recent phishing campaign, judging by the samples analyzed by Websense Security Labs so far, uses lures likely to elicit a click when received from a friend or associate, such as "Did you see this pic of you? lol" followed by a shortened URL.

Interestingly for us, and hopefully for you, the use of Bitly's URL shortening service means that appending a plus sign '+' to the shortened URL shows Bitly's statistics page for it (the expanded destination and click counts) without sending you to the destination:

[Bitly statistics page not reproduced]

Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

 

From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications or  indicative that the campaign is not limited to Twitter itself.

 

Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ru, which in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:

[Screenshot of the redirect chain not reproduced]

The phishing URL in the above example, Tivtter(.)com (ACEInsight Report), appears at a glance to be legitimate and is therefore likely to dupe some unsuspecting victims into believing that they need to 're-login' to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps to gather statistics or to split the campaign in some way; we have seen active examples from /a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled on to the next, any attempt to access the previous phishing page is met with a standard '404 - Page not found' error.

 

Should you fill in your account credentials, they will be snaffled by those behind this nefarious scheme and you will be presented with a fake '404 - page not found' error before being whisked back to the official Twitter Web site as if nothing had happened:

[Screenshot of the fake '404' page not reproduced]

As well as the URL above, we're also seeing other variations on the same Twitter typo theme including iftwtter(.)com (ACEInsight Report) and iwltter(.)com (ACEInsight Report).

 

Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

 

Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!

 

Jason Hill

London Olympics Search Results Lead to Objectionable Sites
Posted: 10 Aug 2012 05:58 PM

 

We've previously blogged about Olympic ticket scams, phishing, malware designed to propagate through social networking, and other Olympic security concerns.

 

We also know that hackers take advantage of people searching for breaking news and trending topics about the Olympics through various SEO poisoning techniques. When Georgian luger Nodar Kumaritashvili died in a tragic training accident just before the Vancouver Olympics in 2010, multiple malware pages quickly appeared in the top search results. Clicking these links led to pages with pop-up warnings telling the user to click a button to view a video or to clean up computer problems. Of course, clicking led to malware attacks.

 

SEO poisoning remains a problem, but Google seems to have a better handle on it where searches related to the London Olympics are concerned, at least in English. When we started using Russian search terms, however, things deteriorated quickly. Using the Russian translation of "watch 2012 Olympics online", we ran a Google search and clicked on the second item:

[Screenshots of the search results and landing page not reproduced]

While the domain itself is correctly categorized as sports, it's clear some objectionable content is popping up in the ads:

[Screenshot of the ads not reproduced]

In addition, clicking on the page redirects to various questionable places, including information on how to control men:

[Screenshot of the redirect target not reproduced]

In another investigation, Websense® researchers analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th. Not surprisingly, traffic peaked on the day the Games opened, and three days later when Olympians Tom Daley, Michael Phelps, Ruta Meilutyte, and Maria Sharapova topped the Google trends.

[Chart of Twitter traffic volume not reproduced]

Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Link:

[Examples not reproduced]

We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:

[Category breakdown chart not reproduced]

Websense customers are protected from these threats by our Advanced Classification Engine™ (ACE).


Elisabeth Olsen

Twitter To Reach 500 Million Users Any Minute Now?
Posted: 21 Feb 2012 02:39 PM

There have been reports from several sources that Twitter is fast approaching the milestone of 500 million users.  We take a look at what this could mean for us all and take a reflective look back on some of the issues that Twitter users have faced over the years.

 

What does that figure mean to us?

  • This number of Twitter users is 60% more than the population of the United States of America (according to the U.S. Census Bureau).
  • That figure is 8 times the population of the United Kingdom.
  • The approximate human population of Earth in 1550 AD was 500 million.

 

Of course, not all Twitter users are who they claim to be.

You are probably familiar with seeing a picture of an attractive individual gracing your follower list and then realizing that the follower is just trying to pass off suspect medication. The abuse of Twitter by spammers and bot networks is nothing new and something we have seen in Websense® Security Labs™ for several years now. Over the past few years, we have seen bot networks take their instruction from generated Twitter users. We have also seen website compromises on a massive scale using Twitter trending topics to generate the malicious domain they contact next.

 

Malware authors and spammers jump on social networks in the hope that they can quickly spread their wares: 500 million users, 200 million users, even 100 million users provide the scale and network connectivity to do exactly this.

 

Here are some of the not-so-high Twitter highlights of the last 5 years:

[Timeline not reproduced]

Is there any hope?

Behind every cloud is a silver lining and Twitter is no exception.  Our Websense Social Web Controls as well as our ThreatSeeker® Network can help to limit the exposure from threats on social networks. You can find out more on www.websense.com

 

From bread bakers to candlestick makers, from celebrities to pharmacists, 500 million users/spammers/bots have turned to Twitter to share their lives and engage in 140-character exchanges with others. Have you?

 

Regards,

https://twitter.com/websenselabs


Carl Leonard

My email address was shared on Twitter, but who cares?
Posted: 19 Jan 2012 02:11 AM

 

Websense Security Labs™ has found that thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter.


We conducted research on how data that might be considered private is exposed via Twitter. The research focused on shared data, in particular email addresses, that can potentially be used against the person (or organization) who shared it. During the research we monitored Twitter over a 24-hour period and found that users were publicly sharing the email addresses connected with their inboxes, social media identities and bank accounts. This leaves them open to targeted 'social spear phishing' attacks and spam campaigns.


Social spear phishing sees criminals attacking harvested email addresses with information gleaned from monitoring users’ Twitter conversations.  It's recommended that businesses update all acceptable use policies to warn employees of this risk.

 

Our research found that thousands of Email addresses are publicly shared daily via Twitter:

* More than 11,000 email addresses were shared worldwide

 

 

[Research data was collected over a 24-hour period in January 2012]

 

 

Gmail, Hotmail and many other free web-based email services are particularly under threat as cyber criminals can harvest social information on individuals via Twitter to break into these accounts.

 

We realise that sometimes you need to share your email address. Here are some security tips on how to best avoid your shared data potentially being used against you:

 

• Use direct messages (DMs) for sending email addresses to contacts on Twitter

• Treat emails from friends linking you to other sites with caution

• Never use passwords that can be inferred from publicly accessible information

Since email is an often used route into a company by cybercriminals, ensure your email security has superior malware protection against modern threats  
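To show how little effort the harvesting described above takes, here is an added example (not code from the original post) that pulls addresses out of a tweet stream, including the "name [at] host [dot] com" spellings people use in the belief that scrapers miss them, and groups what it finds by mail provider. The tweets are constructed sample input containing no real addresses; a real harvester would read the streaming API instead of a list.

```python
"""Added example (not from the original post): harvesting email addresses from
public tweets. The tweets below are constructed and contain no real addresses."""
import re
from collections import Counter

TWEETS = [  # constructed sample input
    "@alice send the invoice to alice.smith@gmail.com thanks!",
    "DM me or mail bob_jones [at] hotmail [dot] com for the tickets",
    "new work address is c.doe@example-corp.co.uk, old one is dead",
    "lol my bank keeps emailing me at dave.banks(at)yahoo(dot)com",
    "no address in this one, just a link http://example.com/x",
    "anyone? alice.smith@gmail.com again",
]

# Plain addresses, e.g. alice.smith@gmail.com
PLAIN = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# "Obfuscated" forms: name [at] host [dot] tld, with ( ) or [ ] and optional spaces
OBFUSCATED = re.compile(
    r"\b([\w.+-]+)\s*[\[(]\s*at\s*[\])]\s*((?:[\w-]+\s*[\[(]\s*dot\s*[\])]\s*)+[\w-]+)\b",
    re.IGNORECASE,
)
DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.IGNORECASE)


def extract_emails(text):
    """Return every address in `text`, de-obfuscated and lower-cased."""
    found = [m.group(0) for m in PLAIN.finditer(text)]
    for m in OBFUSCATED.finditer(text):
        found.append(f"{m.group(1)}@{DOT.sub('.', m.group(2))}")
    return [addr.lower() for addr in found]


def harvest(tweets):
    """Count addresses across a tweet stream and group distinct ones by provider."""
    counts = Counter()
    for tweet in tweets:
        counts.update(extract_emails(tweet))
    by_provider = Counter(addr.split("@", 1)[1] for addr in counts)
    return counts, by_provider


if __name__ == "__main__":
    counts, by_provider = harvest(TWEETS)
    for addr, n in counts.most_common():
        print(f"{n:2d}  {addr}")
    print(dict(by_provider))
```

Four distinct addresses come out of six tweets, and the two "hidden" spellings are recovered as easily as the plain ones. Joining each address to the handle that posted it, and to that handle's other tweets, is what turns the list into spear-phishing material.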

 

 


Elad Sharf

Typosquatting social web gains top Alexa ranking
Posted: 11 Jan 2012 01:00 AM

Websense® ThreatSeeker® Network has detected fraudulent Web sites that have made it into the global top 250 of the Alexa ranking. These are remarkable results for fraudulent Web sites, as some of them rank better than genuine big-name portals. In this campaign the fraudulent sites pretend to be from YouTube and try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year and were usually spread within social networks like Facebook or Twitter, often using hot topics to lure visitors. We have already blogged about these incidents, and customers are encouraged to educate themselves about these attacks so they do not fall for this kind of technique. Here is a snapshot of the current campaign:

[Screenshot not reproduced]

An interesting thing we found is that survey campaigns spread through social networks are usually localized by area or language, so the traffic to the spam sites used in a campaign is limited to related countries or regions. The video-rewards survey campaign, by contrast, spreads globally: its sites hold a high Alexa rank in almost every country, and the lure has no language barrier. Additionally, the spam site's server checks the visitor's IP address and shows location information on the page to appear more authentic. One of the spam sites used in this campaign is video-rewardz.com, which at its peak reached Alexa's top 250. The site has held a high Alexa rank since Dec 19th 2011, is still available now and still receives a lot of traffic.

How is it possible for spam sites to have so much traffic? After conducting some research, we found that the major source is mistyping of the twitter.com address. This type of attack is called typosquatting, and it is not new; we have blogged about it in the past, yet this campaign is popular because attackers get good results from it. The attacker needs only to register several typosquatting domains for Twitter and redirect each of them to another site such as video-rewardz.com. This explains why it is a global spam campaign and why it can generate so much traffic: Twitter is a very popular site, and it is easy for people to mistype this URL.


To prevent such attacks, some big names like Google and Facebook have registered names that can easily be mistyped for their portal. Twitter has not done this, which leaves it susceptible to such attacks and leaves spam sites fed by Twitter typos with an extremely high Alexa rank.

Listed below are typosquatting sites registered by attackers:

  • ttwitter.com
  • twwitter.com
  • twiitter.com
  • twittter.com
  • twitterr.com
  • twutter.com
  • twiter.com
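The domains above, and the phishing hosts in the February 2013 post (Tivtter, iftwtter, iwltter), are all within a couple of edits of "twitter" once look-alike character sequences are collapsed, which is what a look-alike check can key on. The example below is added here and is not code from the original post or Websense's own classification logic; it combines an edit distance that counts adjacent transpositions with a small confusable-character map and a check for the brand buried inside a longer label. The brand, the distance thresholds and the confusable map are assumptions for the demo.

```python
"""Added example (not from the original post, not Websense's logic): flagging
look-alike domains of a brand. Brand, thresholds and confusable map are demo
assumptions."""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


# Sequences that look alike in common fonts, collapsed before comparing
CONFUSABLE = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("l", "i"))


def normalise(label):
    for src, dst in CONFUSABLE:
        label = label.replace(src, dst)
    return label


def registrable_label(domain):
    """Leftmost label of a defanged or plain domain ('Tivtter(.)com' -> 'tivtter')."""
    return domain.lower().replace("(.)", ".").strip(".").split(".")[0]


def is_lookalike(domain, brand="twitter", max_dist=2):
    """True when the domain's label is a near miss of the brand but not the brand itself."""
    label = registrable_label(domain)
    if label == brand:
        return False
    norm, target = normalise(label), normalise(brand)
    if norm == target or osa_distance(norm, target) <= max_dist:
        return True
    # brand buried in a longer label with at most one typo, e.g. iftwtter
    for n in (len(target) - 1, len(target), len(target) + 1):
        for start in range(0, len(norm) - n + 1):
            if osa_distance(norm[start:start + n], target) <= 1:
                return True
    return False


if __name__ == "__main__":
    for d in ["ttwitter.com", "twwitter.com", "twiitter.com", "twittter.com", "twitterr.com",
              "twutter.com", "twiter.com", "Tivtter(.)com", "iftwtter(.)com", "iwltter(.)com",
              "twitter.com", "twitch.tv", "hecro(.)ru"]:
        print(f"{d:18} {'LOOKALIKE' if is_lookalike(d) else 'ok'}")
```

All ten typo and phishing domains from the two posts are flagged, while twitter.com itself, an unrelated brand such as twitch.tv and the hecro(.)ru redirector are not. A threshold this loose will also catch legitimate near-neighbours, so in a real feed the check is a trigger for review or categorisation rather than a verdict on its own.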

 

Additionally, we also found other spam sites related to this campaign. Some of them have already been used in the campaign and have a high Alexa rank, whilst others may potentially be used in future.

  • videorewardcentral.com
  • videorewardsonline.com
  • socialupdatepanel.com
  • videorewardstoday.com
  • videorewardsnow.com
  • giveaway-winner.com
  • videorewardspace.com
  • video-reward.com
  • videorewardspot.com
  • video-rewardz.com

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


uwang

Lady Gaga's Twitter account tweeting links to survey scam
Posted: 19 Dec 2011 10:40 AM

The Twitter account of the singer Lady Gaga has apparently been hacked. It is being used by attackers to lure her more than 17 million followers into clicking on a link:

[Screenshot of the tweet not reproduced]

After a number of redirects, the link ultimately leads to a survey scam designed to harvest personal information:

[Screenshot of the survey scam not reproduced]

The first link uses the URL shortener bit.ly, which has suspended the link as "being potentially problematic." Although this should keep most users away from the scam for now, the attackers are likely to post new tweets that include phishing or malicious URLs as long as they have control of the account. The Twitter community has responded by sharing the fact that Lady Gaga's account shouldn't be trusted. This led to #stophackinggaga as a trending Twitter topic at the time this post was written. As always, be careful of links you click on Twitter, even when they appear to come from trusted accounts.


Customers who are using Websense security products are protected from this spam campaign through our ACE technology and TRITON™ solutions.

Armin Buescher

OMG CNN Confirmed Osama Is Alive - Scam spreads on Twitter
Posted: 23 May 2011 03:30 PM

If you are seeing tweets right now from Twitter users, you may be misled into thinking that U.S. news organization CNN has revealed that Osama bin Laden is alive.

The tweets lead to a phishing page.  Websense customers are protected from this scam by ACE, our Advanced Classification Engine.

 

Tweets are being posted by users right now at a rate of several hundred per minute and include:

   omgg osama is alive!!! cnn confirmed that he's still out there :((

   I cant BELIEVE osama is still alive - CNN confirmed he around stillll :O

   OMG CNN confirmed that they found Osama alive still ! ! !

 

 

 

Tweets lead to a bit.ly redirector that takes the user to a convincing phish page designed to harvest the user's Twitter account credentials.

 

Screenshot of the phish page: [not reproduced]

A user who enters credentials is then taken to a YouTube video related to the topic of the scam, a CNN video discussing the news "'Osama is alive' say protestors."

The redirection chain is thus: hxxp://bit.ly/m[removed]Y -> hxxp://twitter.[removed].ru/relogin.php -> hxxp://www.youtube.com/watch?v=Ga[removed]Mg


 

 

Twitter trend-tracking service Trendistic recorded this scam as being 1% of the volume of all tweets some 8 hours ago.  The current rate of tweets is around 200 per minute, so the phishing page could be successfully harvesting Twitter account credentials and then tweeting on their behalf, thereby spreading the phishing links.

 

When Osama bin Laden's death was announced, we saw Facebook status updates offering a video of the events.  Malware authors often use news events to entice and trick users into performing actions such as following website links.

Websense Security Labs advises Twitter users who believe they may have fallen for this scam to change their passwords immediately and to check their Twitter feeds for postings related to this scam topic.


Carl Leonard

Twitter OnMouseOver Flaw In The Wild
Posted: 21 Sep 2010 02:28 PM

As of this morning we have been monitoring a flaw on twitter.com that delivers pop-ups to Twitter users when they move their mouse cursor over a specially crafted tweet. There is also the potential to post status updates when a tweet is moused over and to alter the display of the Twitter status on users' profile pages.

 

The affected tweets carry an onmouseover event handler, so the script specified in the tweet runs as soon as the cursor passes over it, without the user clicking anything.

 

This morning we saw proof-of-concept tweets of the technique being posted by Twitter users and then began to see end users tweeting the code virally. There is the potential for malware authors to spread malicious tweets using the flaw to direct users to other Web sites.
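For a tweet to carry an event handler at all, the page must have placed tweet text into an HTML attribute without escaping it. The example below is added here and is not Twitter's code or code from the original post: it shows a naive URL autolinker that breaks out of the href attribute when the URL contains a double quote, beside an escaping version, and uses Python's HTML parser as a stand-in for the browser to list the attributes each piece of markup really ends up with. The payload and the hostname x.example are constructed for the demo.

```python
"""Added example (not from the original post and not Twitter's code): a URL
autolinker that breaks when a tweeted URL contains a double quote, beside an
escaping version. Hostname and payload are constructed for the demo."""
import html
import re
from html.parser import HTMLParser

URL = re.compile(r"https?://\S+")


def linkify_vulnerable(tweet):
    """Interpolates the raw URL into the href attribute. A '"' in the URL closes
    the attribute early and whatever follows becomes new attributes."""
    return URL.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', tweet)


def linkify_hardened(tweet):
    """Escapes text for the element context and URLs for the attribute context."""
    out, pos = [], 0
    for m in URL.finditer(tweet):
        out.append(html.escape(tweet[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)   # '"' -> &quot;, so href cannot be closed early
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(html.escape(tweet[pos:]))
    return "".join(out)


class _AttrCollector(HTMLParser):
    """Stand-in for the browser: records the attributes each start tag really has."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def event_handlers(markup):
    """Names of on* attributes the parser sees, i.e. handlers that would fire."""
    p = _AttrCollector()
    p.feed(markup)
    return [name for name, _ in p.attrs if name.startswith("on")]


# Constructed payload: the '"' ends the href and the rest becomes an onmouseover attribute
PAYLOAD = 'look at this http://x.example/@"onmouseover="alert(document.cookie)"/'

if __name__ == "__main__":
    print(linkify_vulnerable(PAYLOAD), event_handlers(linkify_vulnerable(PAYLOAD)))
    print(linkify_hardened(PAYLOAD), event_handlers(linkify_hardened(PAYLOAD)))
```

The naive version yields an anchor with an onmouseover attribute; the escaped version yields an anchor whose only attribute is href, with the quotes preserved as &quot; inside it. The rule it illustrates is to escape for the context the data lands in (attribute value, element text, URL) rather than to filter the input.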

 

As of writing, hundreds of new tweets per second are being published on twitter.com using the OnMouseOver flaw.  Twitter users whose accounts have been affected by the flaw include journalists and high-profile celebrities.

 

Examples of compromised accounts:

[Screenshots not reproduced]

Our advice is to use an alternative to the twitter.com Web site if you need to update your Twitter status.

 

UPDATE

As of 3pm UK time Twitter Safety is reporting that the XSS flaw is no longer exploitable.


Carl Leonard

Twitter Spam: Is It Just Me Or…
Posted: 25 Sep 2009 10:26 AM

Is it just me, or has spam on Twitter been growing exponentially recently? I've always had the occasional good-looking-not-very-dressed new follower notification by email, but recently I've been receiving @ messages like this:

Twitter Spam

What is your experience with this? What kind of spam are you seeing on Twitter? Is there anything Defensio could do to make your life better on Twitter?

Defensio, the blog

©2013 Websense, Inc. All Rights Reserved.