Hackers unleash smart Twitter phishing tool that snags two in three users

Twitter scammers have a new weapon with the release of an effective spear phishing tool that lands a victim almost two thirds of the time, dwarfing the usual five-to-fifteen-per-cent-open-rate for spam tweets. The SNAP_R machine learning spear phishing Twitter bot is a data-driven menace unleashed at the Black Hat security …

  1. Updraft102

    Okay

    Ok, so it generates hits on the obfuscated URL. Does that constitute "landing a victim", though?

    1. VinceH

      Re: Okay

      Quite. I'd say the victim is only a victim if the content of the page they've visited actually compromises them - just going to the page might not achieve that, depending on what the user is running.

  2. Anonymous Coward

    Must be a normie thing

    Twitter is absolutely inexplicable to me. I'm as confused as most normalfags seeing /b/ for the first time.

    1. Anonymous Coward

      Re: Must be a normie thing

      Let me try an analogy.

      It's Monday morning and a colleague says to you "On Sunday I watched a great film."

      If you think the colleague has good taste in films, would you

      A) Ask "What's the name of the film?" and request that they not tell you anything about it because you're going to watch it, OR

      B) Ask them to give you a detailed summary of the plot and critical review?

      The _concept_ behind Twitter was actually great:

      a) nobody can contact you unless you specifically allow them to contact you

      b) messages must be short

      That structure makes it easy to ignore people and means that you can quite quickly scan and pick out interesting/relevant info and links.

      The only problem is that the concept can't make money, so you get adverts/spam.

  3. Anonymous Coward

    This ought to be a standard

    This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones. There are some schemes that allow you to see the full URL beforehand, but they're rare, and I can see from a full URL if there's data in there that I do not want to trigger.

    Even a "benign" URL from, say, the Guardian quite often contains extra tracking data that you can strip off, but you won't see that in a shortened version.

    I partially blame this on not clamping down on domain name hoarders so we end up with http://theridiculouslongdomainnamesbecausetheshorteronesarehoarded.com which promotes the use of shorteners to keep the Net usable.

    1. Anonymous Coward

      Re: This ought to be a standard

      This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones.

      The problem here is trusting any URL, especially one presented to you in an app. The reason CLICK HERE is used so often is that social engineering works for everyone, not just evil hackers.

      There are manifold further problems with URLs: If I sent you a link to example.com/thisisreallysafe/ how do you know I am not going to use a dynamic rewrite to send you to example.com/thisisreallybadshiz ? Do you mitigate this by only going to links on sites you already know and trust the TLD?

      Millions of people click on links to new sites and services every day. Few are as obvious as example.com/exploitkitpage.

      1. a_yank_lurker

        Re: This ought to be a standard

        @AC - The problem is everyone will click on a link about something from a "trusted" source but only a very small number need to be malicious to bad guys to nail enough users. It is realistically impossible to be able to vet every link in tweets, emails, posts, etc.

  4. Dabooka

    Hmmm

    Since when did 'between 30-60%' constitute nearly two thirds?

    Have I stumbled onto the Daily Mail in error?

    1. Anonymous Coward

      Re: Hmmm

      Since when did 'between 30-60%' constitute nearly two thirds?

      Two thirds is 67% rounded up, so 60% is "near-ish".

      Have I stumbled onto the Daily Mail in error?

      The article contained words with more than two syllables and its headline wasn't all in capitals, so no :).

      Besides, they would have considered two thirds "the whole world".

      1. Anonymous Coward

        Re: Hmmm

        El reg is just like the Daily mail, except instead of dodgy semi-nude celebrities we get Alistair Dabbs.

        1. VinceH

          Re: Hmmm

          When you put it like that, I wonder if the Daily Mail might be a preferable read.

          Oh, hang on, no, the operative word there is "read" ;)

        2. Anonymous Coward

          Re: Hmmm

          "El reg is just like the Daily mail, except instead of dodgy semi-nude celebrities we get Alistair Dabbs."

          The IT equivalent of Alan Partridge.

        3. 2460 Something

          Re: Hmmm

          He only did it once around the office and that was for charity? For the pics visit https://fake.url/naked

          :D

      2. Dabooka

        Re: Hmmm

        @AC

        Yes I get that 60% is near 67% which is two thirds (if you ignore the 10% variation of course, but what's that amongst friends) except the article stated the values as between 30-60%; take a median and you're at 45%, so less than half.

        It just seems to me to be a bit of a stretch to claim two thirds from the values on offer. Try making assumptions like that in an academic piece and see where it gets you.

  5. Sir Runcible Spoon

    Responsibility to train users

    It wouldn't be too much to ask for these major media players to train their users a bit would it?

    For example, a PR campaign that uses phishing techniques to push people to a web page that tells them that they "have just been landed, their PC could have been compromised, and oh, by the way, that link you clicked without thinking about it was what got you into hot water"

    plus

    "Here are a few tips on staying safer"

    I know it would be a drop in the ocean, but every little bit helps. The more people do it, the more it seeps into the general mindset of the population that being careful online is as important as not leaving your wallet on a bus seat.

    1. Vector

      Re: Responsibility to train users

      Here's your training in a nutshell:

      Just. Don't. Click. On. Dodgy. ShortURLs. People.

      URLs can be difficult for the average person to parse, but at least a full URL can be semi-reliably vetted by the domain. ShortURLs could lead anywhere.

  6. Captain Badmouth

    "Publication of the tool is made in the name of awareness, the pair say, as is much offensive security research"

    Why is the security research offensive?

    1. Colin Ritchie

      I think it might be a definition.

      "Offensive security research, even among white-hat hackers, has helped the community to 'think like attackers' and enhance defensive technologies. However, this research comes at a significant cost and there are new arguments emerging that the work of the benevolent security research community is driving down the cost and complexities of attacks against computer networks.

      There is a growing sentiment that the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems." - Virus Bulletin.com

      Sorry if I am being too literal. Feeling a wee bit Vulcan today.

  7. Titus Aduxass

    Puzzled

    I'm reading, Tweeting and re-Tweeting about the TransContinental race that's currently going on.

    Given that this tool will likely create a reasonably relevant Tweet which presumably would send me to a compromised page, how the hell am I supposed to protect myself against this?

    1. Anonymous Coward

      Re: Puzzled

      "how the hell am I supposed to protect myself against this?"

      Don't click on short URLs, ever.

      Don't use Twitter.

      1. Jos V

        Re: Puzzled

        Or install a proper extension. In case of firefox for instance:

        https://addons.mozilla.org/en-US/firefox/addon/long-url-please/

    2. PrivateCitizen

      Re: Puzzled

      Given that this tool will likely create a reasonably relevant Tweet which presumably would send me to a compromised page, how the hell am I supposed to protect myself against this?

      Harden your device - patch, control permissions, lock down apps, go via a proxy/firewall and have an up to date, working, AV.

      Don't focus on the short URL threat, otherwise you'll just as easily get pwnd by a Flash-based advert hosted by Yahoo on a legitimate website.

      Short URLs are a PR gambit to talk about hacking threats - they aren't significantly worse than clicking on any URL to a website you don't know; even sites you do know can have compromised pages.

  8. Wade Burchette

    There can be a simple fix

    Twitter can intercept all hyperlinks and provide a warning page with the resolved shortlink. Something along the lines of "You are now leaving Twitter and being redirected to <<full hyperlink here>>." If the shortlink is from a source that will not let Twitter resolve it, provide an additional warning: "We could not resolve the shortlink to the full hyperlink. Scammers and malware creators often use dodgy shortlinks. Proceed at your own risk."

    It would need to be better worded, but you get the idea.
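The interstitial this comment proposes needs a resolver behind it; the following is an added example (not code from the commenter or from The Register) that follows a shortlink one hop at a time with HEAD requests, stops on loops, dead hosts and over-long chains (the cases that should trigger the "could not resolve" warning), and strips the tracking parameters an earlier comment complains about. FAKE_NET and fake_head are a constructed stand-in for the network so it runs offline; pass the real http_head to probe live links.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content", "CMP"}  # constructed list

def strip_tracking(url):
    """Drop known tracking query keys so the user sees the bare destination."""
    p = urlparse(url)
    kept = [kv for kv in parse_qsl(p.query, keep_blank_values=True) if kv[0] not in TRACKING_PARAMS]
    return urlunparse(p._replace(query=urlencode(kept)))

def http_head(url, timeout=5):
    """One HEAD request without following redirects: returns (status, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface the 3xx instead of following it
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:  # 3xx (and 4xx/5xx) responses land here
        return e.code, e.headers.get("Location")

def resolve_shortlink(url, head=http_head, max_hops=5):
    """Follow redirects hop by hop -> (final_url, chain, reason: ok|unresolved|loop|too_many_hops)."""
    chain = [url]  # every hop taken, so the warning page can show the whole route
    for _ in range(max_hops):
        try:
            status, location = head(url)
        except Exception:  # DNS failure, timeout, refused connection, ...
            return url, chain, "unresolved"
        if status not in REDIRECT_CODES or not location:
            return (url, chain, "ok") if status < 400 else (url, chain, "unresolved")
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            return url, chain, "loop"
        chain.append(url)
    return url, chain, "too_many_hops"

# Constructed redirect table standing in for the network so the example runs offline.
FAKE_NET = {"https://sho.rt/abc": (301, "https://t.co/xyz"),
            "https://t.co/xyz": (302, "https://www.example.com/news?utm_source=twitter&CMP=tw"),
            "https://www.example.com/news?utm_source=twitter&CMP=tw": (200, None),
            "https://sho.rt/loop1": (301, "/loop2"), "https://sho.rt/loop2": (301, "https://sho.rt/loop1")}

def fake_head(url):  # stand-in for http_head; a KeyError plays the part of a dead host
    return FAKE_NET[url]
```

A resolved target is only what the server answered at probe time; as the reply further up notes, a server-side rewrite can send the next visitor somewhere else, so the interstitial reduces the risk without removing it.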

  9. Custard Fridge

    Short URLs

    I have never clicked on a short URL. They always look suspicious to me.

    Meh.

  10. Anonymous Coward

    WTFO

    Don't tweet.

    Never will.

    #ProudLuddite

    1. Anonymous Coward

      Re: WTFO

      This problem is on more than twitter....

  11. Matt Bryant

    Que?

    The real news is that someone thought a smart tool is required for snagging Twatter users!
