
Large-scale hack attack against Twitter?

I woke up late this morning, had breakfast, made some tea, checked my Twitter feed (as one does), and in amongst all the pictures of cats, half-naked selfies, BDSM porn, and links to articles about neurophysiology and evolutionary biology that make up my Twitter feed, I noticed something very odd. About 15% of my Twitter followers were posting things that look like this:

And imagine my surprise when one of the accounts posting these types of messages belonged to me; namely, my Promiscuity Keepers Twitter feed, where I post links to articles about sex and sexuality.

So it appears there's a pretty large attack going on against Twitter right now. I am not sure if the attack is simply a brute-force hack against account passwords, or if the hackers have somehow penetrated Twitter itself and made off with lists of accounts and (hashed? hashed and salted? exposed?) passwords. Because of the suddenness and number of accounts compromised, my gut says it might be an attack on Twitter's servers directly, rather than a brute-force attack against individual accounts. (The password I use is, of course, a long string of letters and numbers, rather than, say, the word "password" or "secret" or the other hideously insecure passwords people often use.)

I logged in to my Twitter account (after some faffing with Twitter's "forgot my password" link) and discovered something interesting: The hackers are authorizing malicious Twitter apps with read/write access, presumably to mass-broadcast spam to many Twitter accounts at once.

Resetting a password on a hacked account without revoking access to these malicious apps will allow the hackers to retain control of the account. It's possible the hackers are using these malicious apps to gain control of the hacked accounts directly, by forging permission to allow the account to authorize the apps.

In any event, the Spamvertised links all point to a Web site hosted by a German Web hosting firm called plusserver.de. It's a Russian-language file-sharing site, and each of the Spamvertised links claims to be a driver package for some model of computer.

Naturally, I downloaded one of these files, then uploaded it to VirusTotal for analysis. And, unsurprisingly, it's malware:

InstallMonster is a malware package designed to cheat online advertisers out of money for the virus writers. Whenever a user of an infected computer clicks on certain Web links, the malware changes the link in such a way as to make it seem like the click came from a revenue sharing, advertising, or affiliate marketing site, and the malware writer receives a small commission for the click.

The malware is sold openly from a Russian-language site called getfile.eu, hosted by a Web hosting outfit in Cyprus called hostzealot.com.

So to recap: Attackers are gaining access to large numbers of Twitter accounts and using them to spam malware. The malware is an off-the-shelf package designed to allow its users to profit from click fraud; the malware authors operate a site hosted on hostzealot.com. The compromised Twitter accounts have read/write access granted by malicious Twitter apps. They're being used to spread links to the InstallMonster malware, probably not from the malware's actual authors, but from people who've bought a copy of InstallMonster and customized it to direct money to them. (That's increasingly the way the malware industry works: people create turnkey malware kits which they then sell to other criminals.)

IF YOUR TWITTER ACCOUNT IS HACKED: It's not enough just to change your password! You must also go to your Apps control panel in your profile and revoke access to the malicious apps!
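To make the point concrete, here is a small toy model (written for this post, not Twitter's code) of why a password reset alone does not evict an attacker who has authorized an app on the account: the app holds its own read/write OAuth token, which the API checks instead of the password, so only revoking the grant cuts it off. The account handle, app names and passwords are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
# Toy model (added here, not Twitter's code): a password credential plus OAuth app grants.
@dataclass
class Account:
    handle: str
    pw_hash: bytes
    salt: bytes
    grants: dict = field(default_factory=dict)  # app name -> read/write bearer token

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(handle: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(handle, _hash(password, salt), salt)

def authorize_app(acct: Account, app_name: str) -> str:
    """The OAuth grant step: the app receives a bearer token, never the password."""
    token = secrets.token_hex(16)
    acct.grants[app_name] = token
    return token

def api_post(acct: Account, token: str) -> bool:
    """A write-scope API call: any live token is accepted; the password is not consulted."""
    return token in acct.grants.values()

def reset_password(acct: Account, new_password: str) -> None:
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new_password, acct.salt)  # grants are left untouched

def remediate(acct: Account, new_password: str, known_good: set) -> list:
    """Full cleanup: new password AND revoke every app the owner does not recognise."""
    reset_password(acct, new_password)
    for app in list(acct.grants):
        if app not in known_good:
            del acct.grants[app]
    return sorted(acct.grants)

def demo() -> tuple:
    victim = create_account("victim_handle", "long random string 1")  # constructed sample
    owner_tok = authorize_app(victim, "OwnerTweetClient")
    spam_tok = authorize_app(victim, "DriverPackSpamApp")  # the attacker's malicious grant
    spam_before = api_post(victim, spam_tok)               # True: spam can be posted
    reset_password(victim, "long random string 2")
    spam_after_reset = api_post(victim, spam_tok)          # still True
    remediate(victim, "long random string 3", {"OwnerTweetClient"})
    return spam_before, spam_after_reset, api_post(victim, spam_tok), api_post(victim, owner_tok)
```

Running `demo()` returns `(True, True, False, True)`: the spam app keeps posting through the password reset and is cut off only by the revocation, while the owner's own client keeps working.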


( 6 comments — Leave a comment )
Dec. 15th, 2013 09:07 am (UTC)
I just have to say I love the Hard Sci-Fi Movies tweet in the first screen shot.
Dec. 15th, 2013 01:32 pm (UTC)

We tried to contact you over Twitter, though you haven't got back to us so far.
Such issues have to be taken care of immediately. Please submit a complaint to the Abuse Department right away and attach a .ZIP archive of the file in question.

We'll perform an investigation as quickly as possible.

Best regards,
Abuse Department
HostZealot Hosting
Dec. 17th, 2013 12:06 am (UTC)
My account was hacked like this yesterday, and thanks to this post I knew what to do.

Possibly interesting post script: Today I got an email from twitter saying, "This is a notice that your OAuth token for 11qsdbuiumct5 has been suspended from interacting with the Twitter API." So, this clearly ain't me. Is it possible the hack is getting into accounts first, and somehow auto-generating api keys on behalf of the hacked accounts to run the apps?
Dec. 17th, 2013 07:02 am (UTC)
A fascinating question. I also got one of those emails. Twitter appears to believe that I generated the OAuth token myself, which is...interesting.

There is something really, really weird going on here. I am not quite sure what. The simple explanation is that the hackers are gaining access to accounts (how?), creating OAuth tokens in the account holders' names (again, how?), and using those tokens to attach the accounts to the malicious apps...but that doesn't feel right to me.

My gut tells me the accounts aren't being hacked; someone has instead figured out how to use OAuth to connect their app to my account without my knowledge or consent. But again, how? The worst-case solution is there's a critical flaw in OAuth, or Twitter's implementation thereof, that's been exploited.
Dec. 19th, 2013 09:52 am (UTC)
I was sent here via a mutual LJ friend because I posted yesterday about discovering that my Twitter account had been hacked exactly as you describe.

I managed to log in because they hadn't changed the password and, by chance, discovered that an app had been enabled. I revoked access and in fact I deactivated the account because I wasn't using it, which was partly why it had taken several days to realise there was a problem.

Having just re-activated it in order to see what was going on, the first tweet made by the hackers was on 14 December, the same date those apps were approved on your account.

I do not think I compromised the account myself. In recent months I haven't logged on from anywhere other than my home computer. The password was a random string of letters with a squiggly bracket in the middle like so {. It was therefore unguessable. So it was either brute forced or, as you suggest, they have somehow managed to find a back door to connect their app to people's accounts without their knowledge. My password hadn't been changed, just the suspicious app enabled. I also suspect it was somehow automated because who would bother manually hacking an account with 5 followers? :)
Dec. 19th, 2013 12:17 pm (UTC)
Here via heleninwales--thanks for this *very* useful and interesting post. I'll check for malicious apps, but part of what I'm fascinated by in your post is the explanation of the malware.