Twacked

Yesterday I was the victim of a cyber attack, which sucked.

But it also meant I got to watch science happening in real time.

First of all, cyber-security is a big topic of discussion here at Northeastern. I blogged about it last week after speaking with Professors Engin Kirda and William Robertson about their DARPA grant to develop protective strategies for mobile phones.

And then yesterday I met with Alessandro Vespignani to talk network science in the context of Twitter. A recent paper from his lab showed that the very structure of the Twitter social network has a lot to do with why some Tweets go viral at the expense of others.

After I stupidly put my password into a fake Twitter website (I swear it looked exactly the same as the real thing), I watched the bot spread like wildfire in an Aspen grove across my network…which luckily isn’t that big yet ;)

It wasn’t actually a viral event per se — it was just my account direct messaging a bunch of followers and followees with the same link I clicked on originally. In some cases, people that got DMed also succumbed to the “Twack” (a term I woke up with in my head at 3am this morning, but which was in fact coined long before I signed up for Twitter). These sorry folks spread the bad link throughout their networks and so on and so on.

It’s easy to see, then, why someone malicious would want to attack a twitter account — hit one person, hit a thousand.

UPDATE: I asked Wil Robertson for some more info and advice about this kind of problem. Here’s what he had to say:

iNS: What is phishing and how does it work?

WR: Phishing is any attack where the attacker poses as a trusted authority.  Typically, users are more likely to divulge information to someone or something they trust, and so this is a powerful attack that doesn’t have many good solutions.  The quintessential example is a spam email that appears to come from your bank, which asks you to enter your bank account information to satisfy some request or problem.  Others include email account reset spams, or copies of websites as in the case you experienced.

iNS: What do Twitter attackers do with the Phished info once they’ve got it – what is the motivation here?

WR: A couple of things.  One possibility is to spam the followers of the account with malicious tweets.  These tweets will contain links to things like phishing sites, or sites that perform drive-by download attacks where the victim’s browser is exploited and direct access to their laptop or computer is gained.

They can also use the information contained in the compromised twitter account to do things like set up cloned accounts that are useful for further attacks.  Or, they can use the information in the compromised account and that gained during the phishing attack to try to attack associated accounts (like gmail accounts, yahoo accounts, ebay accounts, etc.) since many people use the same or a small set of passwords everywhere.

Another thing that they can do is to have the compromised twitter account follow another account.  Since follower count is a measure of importance and reputation on twitter, this can raise the profile of a malicious account.  The attacker can also “sell followers” to other unsuspecting twitter users; this is one way to directly monetize compromised twitter accounts.

iNS: Is there any advantage to using Twitter over email for this kind of activity? How are the two different?

WR: Yes, there is.  This kind of attack is an example of the more general social spam problem.  Spam is most commonly associated with email, but people have become somewhat inured to it, they know (generally) how to recognize it, the defenses are better (although not perfect), and it’s just less profitable these days (although there are exceptions).

But, people still put a relatively large degree of trust into social network relationships, whether they are twitter followers or followed accounts, or facebook friend relationships.  If a facebook friend gives you a link to check out, people are much more likely to click on that link without looking at it too closely in comparison to when that link comes from an unknown email sender.

iNS: How can people protect themselves from these kinds of attacks?

WR: For phishing, it’s important to pay attention to the URL of the site that you’re connecting to.  If you’re interacting with what looks like BofA, but the URL isn’t bankofamerica.com, then something is probably wrong. Especially in cases where you’re entering authentication credentials or financial information, you want to check that your browser is using TLS/SSL to connect to the site.  This gives you two things:

  1. Your data is encrypted in transit.  This means that anyone sitting between you and the website shouldn't be able to intercept your data.
  2. You have a high likelihood of interacting with the legitimate site.  This is because a trusted third party (known as a certificate authority or CA) has cryptographically asserted that the particular site you're visiting is legitimate, and the browser can cryptographically verify this claim.  "Cryptographically" here basically boils down to meaning that it would be very very hard (computationally infeasible in technical parlance) for the attacker to forge or bypass this verification step.  That isn't to say that TLS/SSL isn't bypassable; there are ways to attack the end-to-end process.  But, it's much better than the case where it isn't in use.

I would also add that for the case when someone you “know” sends you a link on facebook or twitter, it still pays to do a sanity check on that link. Does it look benign?  Often malicious links don’t pass the smell test.
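As an added illustration of the URL check WR describes (example code written for this post, not from the original interview): the function below parses a URL and flags the two problems he names, a connection that is not TLS/SSL and a host that is not the expected domain. The lookalike hostnames in the sample list are constructed; the only real domain used is bankofamerica.com, as in the answer above.

```python
from urllib.parse import urlsplit

# The registrable domain the user believes they are visiting (from WR's BofA example).
EXPECTED_DOMAIN = "bankofamerica.com"


def host_matches(host, expected):
    """True only if host is the expected domain or a genuine subdomain of it.

    'login.bankofamerica.com' matches; 'bankofamerica.com.login-verify.example'
    and 'bankofamerica-secure.com' do not, even though both contain the brand name.
    """
    host = host.lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def check_url(url, expected=EXPECTED_DOMAIN):
    """Return a list of problems found; an empty list means both of WR's checks pass."""
    problems = []
    parts = urlsplit(url)
    # Check 1: the browser should be talking TLS/SSL to the site.
    if parts.scheme != "https":
        problems.append("not using TLS/SSL (scheme is %r)" % parts.scheme)
    # Check 2: the host in the address bar must actually be the expected domain.
    host = parts.hostname or ""
    if not host_matches(host, expected):
        problems.append("host %r is not %s" % (host, expected))
    # A userinfo part ("https://bankofamerica.com@other.example/") puts the brand
    # name in front of the real host; urlsplit exposes it separately, so flag it.
    if parts.username is not None:
        problems.append("URL has a userinfo part before the real host")
    return problems


# Constructed sample URLs for illustration (the hostile ones are made up).
SAMPLES = [
    "https://www.bankofamerica.com/login",              # passes both checks
    "http://www.bankofamerica.com/login",               # right host, no TLS
    "https://bankofamerica.com.login-verify.example/",  # brand as a subdomain elsewhere
    "https://bankofamerica.com@phish.example/",         # userinfo trick
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_url(u) or "ok")
```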

iNS: What should one do after one has been attacked?

WR: Well, there’s a checklist of things to do.  This includes:

  1. Changing your passwords for the account that's been compromised.
  2. Changing your passwords for other accounts where you've used the same (or similar) password.
  3. Checking the accounts for backdoors.  For instance, has another backup email address been added to the account that you don't recognize?  (These are the accounts where the site sends password reset requests to.)
  4. If there's any suspicion whatsoever that your local machine has been attacked directly -- e.g., by a drive-by download -- you need to, at the minimum, check it with a reputable antivirus scanner.  Personally, if it came to that, I would reinstall, but that's probably more than most would want to do before they had checked it with an AV suite.