“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.
 
The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon. 
 
Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.
 
The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.
 

Tweets containing JavaScript and #cashgordon hashtag

MP David Wright tweets

“#ivenevervotedtory because you can put lipstick on a scum-sucking pig, but it’s still a scum-sucking pig.”

The tweet was joining in with the Twitter meme responding to the latest Tory poster campaign which features the tag line “I have never voted Tory before but…”. However the turn of phrase has hit a raw nerve among many Twitter users, prompting the MP to delete the offensive tweet and apologise.
  

TrippyPip talks to David Wright MP

MP David Wright tweets

Twitter Grader home page

  
UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

 
__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.
 

Banner from hacked site

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.

Full hacked page

The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.

Google search result

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.

How to Survive a Zombie Attack, by Acey Duecy

2009 has been a notable year for malware and malicious online activity for a number of reasons and several of them relate to what is known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage that died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

An unrelated, but important trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means; malicious links in wall posts and messages, malware designed specifically to hijack accounts and by external compromise of legitimate Facebook Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface now though has evolved to the point where it is fully capable of creating its own fake Facebook profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests again all in a completely automated fashion.

Here’s where it gets interesting, in addition to spamming and malware, web 2.0 sites have been abused in new and concerning ways over the course of 2009. Twitter and Google Reader have been used as the landing page in spam campaigns, to attempt to overcome URL filtering in email messages. In recent months Twitter, Facebook, Pastebin, Google Groups and a Google AppEngine have all been used as surrogate Command & Control servers for botnets, and just last week it was reported that a Zeus botnet was leveraging compromised servers inside Amazon’s EC2 cloud for command and contro. These public forums have been configured to issue obfuscated commands to globally distributed botnets, these commands often contain further URLs which the bot then accesses to download commands or components.

The attraction with these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a command and control infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (command & control servers), or over suspicious or unwanted channels such as IRC; it has been historically safe to assume that a PC making a standard HTTP GET request, over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is as acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case.

It is no coincidence that much the innovation in 2009 has been around command & control systems for botnets. The vast majority of old-school IRC controlled botnets are shut down within 24 hours and peer-to-peer bots often leave visible signatures too, leading to their neutralisation at machine level. One factor of web 2.0 botnet controls that I would expect cybercriminals to be currently evaluating is the single point of failure represented by relying on a single provider such as Facebook or Google–shut down the malicious Facebook page and you disable the botnet. Botnet creators have invested significant amounts of time and code in distributing their management infrastructure, in fast-flux and in peer-to-peer protocols. We can fully expect them to carry these lessons learned into the newer “cloud-enabled” botnet. It is entirely possible that the capability of the latest Koobface variant to create multiple automated profiles could be leveraged to mitigate against the single point of failure inherent in using a single Facebook or Twitter profile as a covert channel.

When it comes to botnets it would be really nice to be able to say “it’s getting better”.  It’s not.  More and more computers are being infected, and they are staying infected for longer.

Page 1 of the Google search results for "Kanye West Death"

A rumour started this morning that Kanye West had been killed in a “bizarre car accident”, the origin of this rumour has apparently been traced back to the 4chan message boards (although that blog posting appears now to have been removed from Mashable). It didn’t take very long at all for this to be become the top trending topic on Twitter and also the top search on Google as worried fans searched for real confirmation.

It’s no surprise that in very short order we are already seeing poisoned search results being returned on page 1 of the results that could lead the unwary to trouble. Just because something didn’t happen, doesn’t mean it won’t be abused for criminal purposes, be careful where you click,

The message is designed to use the classic FUD factor (Fear, Uncertainty and Doubt) to drive the recipients of this Spam to go and check out the TwitAnonymous site (or its sister site TwitterAnonimo in Portuguese) to find out which of their darkest secrets have been unearthed by this anonymous correspondent.

Given that Twitter is a platform which is designed to allow anyone to message anyone, and does not require any verification of identity at all, even an email address, quite what is to be gained from using any “anonymous tweeting service” is pretty much beyond me. So let’s see if we can work out what the platform is really all about.

The first and most obvious revenue generators are the familiar Google Ads down the left hand side of the TwitAnonymous page, standard fare there and no real surprise but could there be a more sinister purpose behind the site?

What makes me think the site isn’t what it appears at face value? Well firstly it uses offensive and/or malevolent sounding Spam for self promotion. Secondly the site owners appear to have registered the Twitter user accounts twitanonymous2 through to twitanonymous30 for sending their indiscriminate Spam. Thirdly, accounts 20 to 30 have all already been suspended  by Twitter “due to strange activity“.

It isn’t a credential harvesting site, as it doesn’t request your username or password to send an anonymous message, which may lend it some more crebility to some eyes. It does though require that you complete a CAPTCHA in order to post messages. While it is of course possible that this could be to prevent abuse of the service, I would have to ask whether a site with such questionable practices is really bothered about abuse?

Could it be that the sole purpose behind this offensive Spam is to popularise a “service” designed to lure the unwary into cracking CAPTCHAs? After all, it wouldn’t be the first time, we saw similar recently on PayPal phishing, Koobface has also tried its hand at CAPTCHA cracking, and of course there is the (in)famous CAPTCHA strip tease.

So, whether this particular site is just an annoying “service” to facilitate things like stalking and cyber-bullying, or something more sinister remains to be seen. The fact remains though, a means of generating a large voluntary CAPTCHA cracking user base, without all that pesky distribution of malware or phishing mails must be a very attractive prospect for cybercriminals.

Twitter Home Page

If you use, or are thinking of joining the estimated 32 million people who are already using the micro-blogging service Twitter, then here are 5 security tips for you consider.

1.     Consider *everything* you post, at least three times, before you post it. There is currently no effective means of deleting or recalling public tweets.

2.     Never share personal information (email address, phone numbers, address etc), ever. Your tweets are public and are indexed by search engines and linked to you as an individual. Use the Direct Message funtion to share this stuff *if you really need to* and delete the Direct Message once it is no longer needed (in case your account is breached). Deleting sent Direct Messages also removes them from the recipients inbox but it will not remove it from a recipient’s 3rd party client application or mobile device if they have it linked.

3.     If using SMS on your mobile device to Tweet make sure of the context of your message, if you SMS respond to a private Direct Message, it will not be sent privately but as a public tweet.

4.     Use complex passwords, change them regularly, *never*use any service that requires you surrender your username and password. Only use 3rd party services that support Open Authentication (OAuth). If you do  use one of the many third-party services that hook into Twitter then make sure the login address on that third-party site, the that shows up in the web browser, is one that will keep your password safe. Look for http://twitter.com/oauth at the beginning of the address, and if it’s not there, don’t give up your details.

5.     Use a Twitter client, something like TweetDeck, or use a browser extension like LongURL.  These allow you to see the true destination of shortened URLs before you visit them. Shortened or obfuscated URLs are the prime method for distributed spam and malware over Twitter. If you’re not sure, don’t click. Check back with the sender if they meant to send it, you never know you could be doing them a favour, letting them know their account has been hijacked.

My final piece of advice… Use it! Twitter is fun, informative and engaging, you can follow me (if you can stand it) at http://www.twitter.com/rik_ferguson

The creation of the accounts actually predates Twitter’s clean-up operation in most cases, with the accounts having been registered on the 20th and 21st July in all the examples I looked at (I stopped looking quickly, the profiles got a bit repetitive to say the least). The domain in question, doiop.com is another of the URL shortening sites that are springing up in ever increasing quantities and it’s not the first time it has acted as an intermediary for infections.

The noteworthy social engineering elements of this attack revolve around the increasing sophistication of the automated tweeting. This time the scam accounts do not simply continuously post one of a selection of malicious tweets out to the twitter population at large, neither do they attempt to hook into currently trending topics to gain eyeballs. Both of those techniques are known and very visible to the Twitter admins, meaning the rogue accounts quickly get shut down.

Instead, they post messages directly to other Twitter users, ones that are not following them of course, in the hope that their randomly selected marks will be curious enough to click the malicious link. In an effort to make the fake accounts appear more legit, the malicious posts are widely interspersed with messages detailing which music the spambot is currently listening to, or other (legitimate) websites they are visiting. In many cases the non-malicious tweets outnumber the malicious ones on the page. A cursory glance at the fake profile may be enough for some to think it’s genuine.

The first redirection is to a URL on the domain {BLOCKED}.com. Interestingly, a quick squint at the root level of that domain reveals a single blog post advertising a “light Twitter bot that virtually anyone can use” (we detect this as HKTL_FAKEBOT). A second redirect happens from this domain to the malicious URL on clickbank.net, which has a colourful history of its own when it comes to being abused by online criminals.

The malicious payload of this attack is a rogue security application called “Registry Easy 5.1″. The program masquerades as a PC tune-up utility but gives extremely misleading results and needs a purchase before it’ll do any cleaning. We detect it as TROJ_FAKEAV.DAP. The domains involved  are also blocked by the Smart Protection Network.

We’ve all been drilled and drilled into not opening suspicious and unsolicited email attachments. Now, with 92% of malware being delivered via the internet it’s way past time to apply those same good habits to suspicious and unsolicited links, whether received by email, instant message, Twitter or any other medium.