Tuesday, May 26, 2009

Cashing-up on Twitter

An interesting scam exploiting the popular micro-blogging service Twitter was reported a few hours ago.

A bogus website - TwitterCut.com - has been set up to collect users' Twitter login details. Once the website receives these details, it apparently uses them to authenticate to Twitter as those users and post messages (tweets) under their credentials.

The message it posts contains a link to TwitterCut.com and reads: "OMG I just got over 1000 followers today from http://twittercut.com". Once this message is posted to Twitter under the compromised user's credentials, all of that user's followers automatically receive the tweet.

If the followers click the link in the tweet, they are taken to TwitterCut.com, where they are prompted to enter their own login credentials, which in turn generates more tweets. With every newly tricked user the tweet reaches more and more followers, so it spreads exponentially, much like a "chain letter" scam or a typical worm infection.

On top of that, every Twitter user who enters her login details at TwitterCut.com is also redirected, without consent, to websites serving adware, generating revenue for the worm's author with every unique visit. The advertising content could easily be replaced with sites serving malware, so this is clearly a security issue.

The scheme of this scam is illustrated below:

The replication seems to have started from the Twitter user JordanEmbry, and the same person appears to have registered TwitterCut.com. Twitter has deactivated the JordanEmbry account, but the Google cache still reveals the profile and some recent tweets.

The biography field reads: "--!*FOLLOW ME*!-- as soon as I reach 20,000 followers Im opening a site you will love!". The profile shows that JordanEmbry had 250 followers, all of whom must have received the first-generation tweet that started the replication.

Once these followers received the first tweet and followed the link to the bogus website to enter their details, their own followers received the same tweet, then the followers of those followers, and so on.

TwitterCut.com hosts a small script that tracks visits to the website. At the time of writing, its online statistics show that in the 4 days TwitterCut.com has existed it has already attracted over 13,000 visits in the last 2 days alone.

If you received the scam tweet in your personal Twitter timeline, it means that one of the Twitter users you follow has been tricked into entering their login details at TwitterCut.com. These users can be identified by finding the scam tweet posted under their credentials.
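The check just described, finding which of the accounts you follow have posted the scam tweet under their own credentials, can be automated over a timeline export. The following is an added example written for this post, not a tool from the original article or from Twitter: it extracts the URLs from each tweet, matches their hostnames (including subdomains such as www.) against a small list of known lure domains, and reports the authors of matching tweets as accounts whose password was harvested. The timeline, user names and the example.com/example.org links are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Domain the post identifies as the credential-harvesting site. A defender
# would extend this list as new lure domains appear.
PHISHING_DOMAINS = {"twittercut.com"}

# Matches http/https URLs in tweet text; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def linked_hosts(text):
    """Return the lowercase hostnames of every URL found in a tweet."""
    hosts = []
    for raw in URL_RE.findall(text):
        host = urlparse(raw.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def is_phishing_host(host):
    """True if host is a listed lure domain or a subdomain of one (www., m., ...)."""
    return any(host == d or host.endswith("." + d) for d in PHISHING_DOMAINS)


def find_compromised_accounts(tweets):
    """Map each account that linked to a lure domain to the tweets that did so.

    The scam tweet is posted with the victim's own credentials, so the author
    of such a tweet is the account whose password has been harvested and
    should be told to change it.
    """
    compromised = {}
    for tweet in tweets:
        bad = [h for h in linked_hosts(tweet["text"]) if is_phishing_host(h)]
        if bad:
            compromised.setdefault(tweet["user"], []).append(tweet["text"])
    return compromised


# Constructed sample timeline (not real data): two accounts repeating the lure
# quoted in the post, one of them via a www. subdomain with a query string and
# trailing full stop, plus harmless tweets that must not be flagged.
SAMPLE_TIMELINE = [
    {"user": "alice", "text": "OMG I just got over 1000 followers today from http://twittercut.com"},
    {"user": "bob",   "text": "lunch at the usual place? http://example.com/menu"},
    {"user": "carol", "text": "OMG I just got over 1000 followers today from http://www.twittercut.com/?ref=carol."},
    {"user": "dave",  "text": "new blog post up: https://example.org/posts/42"},
    {"user": "alice", "text": "wait, what did I just post?"},
]

if __name__ == "__main__":
    for user, texts in sorted(find_compromised_accounts(SAMPLE_TIMELINE).items()):
        print(f"{user}: change your Twitter password now ({len(texts)} scam tweet(s))")
```

Matching on the hostname rather than on the lure sentence means the check still fires when the wording of the tweet is varied, while the suffix test keeps look-alike domains such as a host that merely starts with or contains "twittercut.com" from being reported.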

Affected users are advised to change their Twitter password immediately. Otherwise, the collected credentials could be reused many times to send more impersonated tweets linking to websites with more dangerous content.