Twacked

Yesterday I was the victim of a cyber attack, which sucked.

But it also meant I got to watch science happening in real time.

First of all, cyber-security is a big topic of discussion here at Northeastern. I blogged about it last week after speaking with Professors Engin Kirda and William Robertson about their DARPA grant to develop protective strategies for mobile phones.

And then yesterday I met with Alessandro Vespignani to talk network science in the context of Twitter. A recent paper from his lab showed that the very structure of the Twitter social network has a lot to do with why some Tweets go viral at the expense of others.

After I stupidly put my password into a fake Twitter website (I swear it looked exactly the same as the real thing), I watched the bot spread like wildfire in an Aspen grove across my network…which luckily isn’t that big yet 😉

It wasn’t actually a viral event per se — it was just my account direct messaging a bunch of followers and followees with the same link I clicked on originally. In some cases, people that got DMed also succumbed to the “Twack” (a term I woke up with in my head at 3am this morning, but which was in fact coined long before I signed up for Twitter). These sorry folks spread the bad link throughout their networks and so on and so on.

It’s easy to see, then, why someone malicious would want to attack a twitter account — hit one person, hit a thousand.

UPDATE: I asked Wil Robertson for some more info and advice about this kind of problem. Here’s what he had to say:

iNS: What is phishing and how does it work?

WR: Phishing is any attack where the attacker poses as a trusted authority.  Typically, users are more likely to divulge information to someone or something they trust, and so this is a powerful attack that doesn’t have many good solutions.  The quintessential example is a spam email that appears to come from your bank, which asks you to enter your bank account information to satisfy some request or problem.  Others include email account reset spams, or copies of websites as in the case you experienced.

iNS: What do Twitter attackers do with the Phished info once they’ve got it – what is the motivation here?

WR: A couple of things.  One possibility is to spam the followers of the account with malicious tweets.  These tweets will contain links to things like phishing sites, or sites that perform drive-by download attacks where the victim’s browser is exploited and direct access to their laptop or computer is gained.

They can also use the information contained in the compromised twitter account to do things like set up cloned accounts that are useful for further attacks.  Or, they can use the information in the compromised account and that gained during the phishing attack to try to attack associated accounts (like gmail accounts, yahoo accounts, ebay accounts, etc.) since many people use the same or a small set of passwords everywhere.

Another thing that they can do is to have the compromised twitter account follow another account.  Since follower count is a measure of importance and reputation on twitter, this can raise the profile of a malicious account.  The attacker can also “sell followers” to other unsuspecting twitter users; this is one way to directly monetize compromised twitter accounts.

iNS: Is there any advantage to using Twitter over email for this kind of activity? How are the two different?

WR: Yes, there is.  This kind of attack is an example of the more general social spam problem.  Spam is most commonly associated with email, but people have become somewhat inured to it, they know (generally) how to recognize it, the defenses are better (although not perfect), and it’s just less profitable these days (although there are exceptions).

But, people still put a relatively large degree of trust into social network relationships, whether they are twitter followers or followed accounts, or facebook friend relationships.  If a facebook friend gives you a link to check out, people are much more likely to click on that link without looking at it too closely in comparison to when that link comes from an unknown email sender.

iNS: How can people protect themselves from these kinds of attacks?

WR: For phishing, it’s important to pay attention to the URL of the site that you’re connecting to.  If you’re interacting with what looks like BofA, but the URL isn’t bankofamerica.com, then something is probably wrong. Especially in cases where you’re entering authentication credentials or financial information, you want to check that your browser is using TLS/SSL to connect to the site.  This gives you two things:

  1. Your data is encrypted in transit.  This means that anyone sitting between you and the website shouldn’t be able to intercept your data.
  2. You have a high likelihood of interacting with the legitimate site.  This is because a trusted third party (known as a certificate authority or CA) has cryptographically asserted that the particular site you’re visiting is legitimate, and the browser can cryptographically verify this claim.  “Cryptographically” here basically boils down to meaning that it would be very very hard (computationally infeasible in technical parlance) for the attacker to forge or bypass this verification step.  That isn’t to say that TLS/SSL isn’t bypassable; there are ways to attack the end-to-end process.  But, it’s much better than the case where it isn’t in use.

I would also add that for the case when someone you “know” sends you a link on facebook or twitter, it still pays to do a sanity check on that link. Does it look benign?  Often malicious links don’t pass the smell test.

iNS: What should one do after one has been attacked?

WR: Well, there’s a checklist of things to do.  This includes:

  1. Changing your passwords for the account that’s been compromised.
  2. Changing your passwords for other accounts where you’ve used the same (or similar) password.
  3. Checking the accounts for backdoors.  For instance, has another backup email address been added to the account that you don’t recognize?  (These are the accounts to which the site sends password reset requests.)
  4. If there’s any suspicion whatsoever that your local machine has been attacked directly — e.g., by a drive-by download — you need to, at the minimum, check it with a reputable antivirus scanner.  Personally, if it came to that, I would reinstall, but that’s probably more than most would want to do before they had checked it with an AV suite.
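The “look at the URL and check for TLS” advice above can be turned into a small, mechanical sanity check. The script below is an added example for this post, not code from Robertson or Northeastern: given a link and the domain you expect to be talking to (say, bankofamerica.com or twitter.com), it flags a non-HTTPS scheme, a `user@` prefix that hides the real host, a host that merely contains the trusted name but is registered somewhere else, and a bare IP address. All sample URLs are constructed with reserved example domains, and the two-label notion of “registrable domain” is a deliberate simplification noted in the code.

```python
"""Sanity checks on a link before entering credentials into it.

Added example, not part of the original post. The expected domains and the
sample URLs in main() are constructed for illustration only.
"""
from typing import List
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'bankofamerica.com'.

    Simplification (assumption): production code should consult the Public
    Suffix List, because names such as 'example.co.uk' have three labels in
    their registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> List[str]:
    """Return a list of warnings; an empty list means the link passed."""
    warnings: List[str] = []
    parts = urlsplit(url)

    # 1. Is the browser going to use TLS at all?
    if parts.scheme != "https":
        warnings.append(f"not using TLS (scheme is '{parts.scheme or 'none'}')")

    host = parts.hostname or ""  # urlsplit lowercases this for us
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # 2. A 'user@' prefix makes 'bankofamerica.com@example.net' show the
    #    trusted name, while the browser actually connects to example.net.
    if parts.username is not None:
        warnings.append(
            f"userinfo '{parts.username}@' precedes the real host '{host}'"
        )

    # 3. Does the registrable domain match what we expect? This catches
    #    'bankofamerica.com.example.net' and 'bankofamerica-login.example.com',
    #    both of which contain the trusted name but are registered elsewhere.
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        warnings.append(f"host '{host}' belongs to '{actual}', not '{expected_domain}'")

    # 4. A bare IP address in place of a name is a classic warning sign.
    if host.replace(".", "").isdigit():
        warnings.append(f"host is a bare IP address ({host})")

    return warnings


def main() -> None:
    # Constructed sample links; only the first two should pass.
    samples = [
        ("https://www.bankofamerica.com/login", "bankofamerica.com"),
        ("https://twitter.com/home", "twitter.com"),
        ("http://bankofamerica.com.example.net/login", "bankofamerica.com"),
        ("https://bankofamerica.com@example.net/", "bankofamerica.com"),
        ("https://twitter-login.example.com/verify", "twitter.com"),
        ("https://192.0.2.1/login", "bankofamerica.com"),
    ]
    for url, expected in samples:
        findings = check_url(url, expected)
        status = "OK " if not findings else "BAD"
        print(f"{status} {url}")
        for finding in findings:
            print(f"      - {finding}")


if __name__ == "__main__":
    main()
```

The check is only as good as the `expected_domain` you supply: it answers “is this link really the site I think it is?” rather than “is this site trustworthy?”, which is exactly the question to ask before typing a password.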