Hackers unleash smart Twitter phishing tool that snags two in three users

Twitter scammers have a new weapon with the release of an effective spear phishing tool that lands a victim almost two thirds of the time, dwarfing the usual five-to-fifteen-per-cent-open-rate for spam tweets. The SNAP_R machine learning spear phishing Twitter bot is a data-driven menace unleashed at the Black Hat security …


Okay

Ok, so it generates hits on the obfuscated URL. Does that constitute "landing a victim", though?


Re: Okay

Quite. I'd say the victim is only a victim if the content of the page they've visited actually compromises them - just going to the page might not achieve that, depending on what the user is running.

Anonymous Coward

Must be a normie thing

Twitter is absolutely inexplicable to me. I'm as confused as most normalfags seeing /b/ for the first time.

Anonymous Coward

Re: Must be a normie thing

Let me try an analogy.

It's Monday morning and a colleague says to you "On Sunday I watched a great film."

If you think the colleague has good taste in films, would you

A) Ask "What's the name of the film?" and request that they not tell you anything about it because you're going to watch it, OR

B) Ask them to give you a detailed summary of the plot and critical review?

The _concept_ behind Twitter was actually great:

a) nobody can contact you unless you specifically allow them to contact you

b) messages must be short

That structure makes it easy to ignore people and means that you can quite quickly scan and pick out interesting/relevant info and links.

The only problem is that the concept can't make money, so you get adverts/spam.

Anonymous Coward

This ought to be a standard

This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones. There are some schemes that allow you to see the full URL beforehand, but they're rare, and I can see from a full URL if there's data in there that I do not want to trigger.

Even a "benign" URL from, say, the Guardian quite often contains extra tracking data that you can strip off, but you won't see that in a shortened version.

I partially blame this on not clamping down on domain name hoarders so we end up with http://theridiculouslongdomainnamesbecausetheshorteronesarehoarded.com which promotes the use of shorteners to keep the Net usable.

Anonymous Coward

Re: This ought to be a standard

This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones.

The problem here is trusting any URL, especially one presented to you in an app. The reason CLICK HERE is used so often is that social engineering works for everyone, not just evil hackers.

There are manifold further problems with URLs: If I sent you a link to example.com/thisisreallysafe/ how do you know I am not going to use a dynamic rewrite to send you to example.com/thisisreallybadshiz ? Do you mitigate this by only going to links on sites you already know and trust the TLD?

Millions of people click on links to new sites and services every day. Few are as obvious as example.com/exploitkitpage.


Re: This ought to be a standard

@AC - The problem is everyone will click on a link about something from a "trusted" source, but only a very small number need to be malicious for the bad guys to nail enough users. It is realistically impossible to vet every link in tweets, emails, posts, etc.


Hmmm

Since when did 'between 30-60%' constitute nearly two thirds?

Have I stumbled onto the Daily Mail in error?

Anonymous Coward

Re: Hmmm

Since when did 'between 30-60%' constitute nearly two thirds?

Two thirds is 67% rounded up, so 60% is "near-ish".

Have I stumbled onto the Daily Mail in error?

The article contained words with more than two syllables and its headline wasn't all in capitals, so no :).

Besides, they would have considered two thirds "the whole world".

Anonymous Coward

Re: Hmmm

El Reg is just like the Daily Mail, except instead of dodgy semi-nude celebrities we get Alistair Dabbs.


Re: Hmmm

When you put it like that, I wonder if the Daily Mail might be a preferable read.

Oh, hang on, no, the operative word there is "read" ;)

Anonymous Coward

Re: Hmmm

"El Reg is just like the Daily Mail, except instead of dodgy semi-nude celebrities we get Alistair Dabbs."

The IT equivalent of Alan Partridge.


Re: Hmmm

@AC

Yes, I get that 60% is near 67%, which is two thirds (if you ignore the 10% variation of course, but what's that amongst friends), except the article stated the values as between 30-60%; take a median and you're at 45%, so less than half.

It just seems to me to be a bit of a stretch to claim two thirds from the values on offer. Try making assumptions like that in an academic piece and see where it gets you.


Re: Hmmm

He only did it once around the office and that was for charity? For the pics visit https://fake.url/naked

:D


Responsibility to train users

It wouldn't be too much to ask for these major media players to train their users a bit would it?

For example, a PR campaign that uses phishing techniques to push people to a web page that tells them that they "have just been landed, their PC could have been compromised, and oh, by the way, that link you clicked without thinking about it was what got you into hot water"

plus

"Here are a few tips on staying safer"

I know it would be a drop in the ocean, but every little bit helps. The more people do it, the more it seeps into the general mindset of the population that being careful online is as important as not leaving your wallet on a bus seat.


Re: Responsibility to train users

Here's your training in a nutshell:

Just. Don't. Click. On. Dodgy. ShortURLs. People.

URLs can be difficult for the average person to parse, but at least a full URL can be semi-reliably vetted by the domain. ShortURLs could lead anywhere.


"Publication of the tool is made in the name of awareness, the pair say, as is much offensive security research"

Why is the security research offensive?


I think it might be a definition.

"Offensive security research, even among white-hat hackers, has helped the community to 'think like attackers' and enhance defensive technologies. However, this research comes at a significant cost and there are new arguments emerging that the work of the benevolent security research community is driving down the cost and complexities of attacks against computer networks.

There is a growing sentiment that the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems. " - Virus Bulletin.com

Sorry if I am being too literal. Feeling a wee bit Vulcan today.


Puzzled

I'm reading, Tweeting and re-Tweeting about the TransContinental race that's currently going on.

Given that this tool will likely create a reasonably relevant Tweet which presumably would send me to a compromised page, how the hell am I supposed to protect myself against this?

Anonymous Coward

Re: Puzzled

"how the hell am I supposed to protect myself against this?"

Don't click on short URLs, ever.

Don't use Twitter.


Re: Puzzled

Or install a proper extension. In the case of Firefox, for instance:

https://addons.mozilla.org/en-US/firefox/addon/long-url-please/


Re: Puzzled

Given that this tool will likely create a reasonably relevant Tweet which presumably would send me to a compromised page, how the hell am I supposed to protect myself against this?

Harden your device - patch, control permissions, lock down apps, go via a proxy/firewall and have an up-to-date, working AV.

Don't focus on the short URL threat; otherwise you'll just as easily get pwned by a Flash-based advert hosted by Yahoo on a legitimate website.

Short URLs are a PR gambit to talk about hacking threats - they aren't significantly worse than clicking on any URL to a website you don't know; even sites you do know can have compromised pages.


There can be a simple fix

Twitter can intercept all hyperlinks and provide a warning page with the resolved shortlink. Something along the lines of "You are now leaving Twitter and being redirected to <<full hyperlink here>>." If the shortlink is from a source that will not let Twitter resolve it, provide an additional warning: "We could not resolve the shortlink to the full hyperlink. Scammers and malware creators often use dodgy shortlinks. Proceed at your own risk."

It would need to be better worded, but you get the idea.

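The interstitial described in the post above, plus the earlier remarks about stripping tracking parameters from "benign" URLs and vetting a full URL by its domain, as an added example that is not code from The Register, Twitter or any commenter. It assumes a hypothetical `fetch_location` callback standing in for an HTTP HEAD lookup; here it is backed by a constructed in-memory redirect table (the hosts `sho.rt`, `go.example-tracker.test` and `news.example` are made up) so the script runs offline. The resolver caps the number of hops, detects redirect loops, treats a shortener that refuses the lookup as unresolvable, strips the tracking parameters listed in `TRACKING_PREFIXES`/`TRACKING_KEYS` (an assumed list) from the final URL, and builds the warning text a user would see.

```python
"""Short-link interstitial: resolve, vet by domain, strip tracking, warn.

Added example (not the page's or Twitter's code). The redirect table below is
constructed for the demo and stands in for live HTTP HEAD responses.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_HOPS = 5

# Sentinel for a shortener that will not let us resolve the link (e.g. blocks HEAD).
UNRESOLVABLE = object()

# Constructed redirect table (hypothetical hosts). A URL absent from the table
# is treated as a final page, i.e. the server answered with no Location header.
REDIRECTS = {
    "https://sho.rt/abc": "https://go.example-tracker.test/r?x=1",
    "https://go.example-tracker.test/r?x=1":
        "https://news.example/story?id=42&utm_source=twitter&utm_medium=social",
    "https://sho.rt/loop1": "https://sho.rt/loop2",
    "https://sho.rt/loop2": "https://sho.rt/loop1",
    "https://sho.rt/blocked": UNRESOLVABLE,
}

# Assumed list of tracking parameters worth dropping; extend to taste.
TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"fbclid", "gclid", "CMP"}


def strip_tracking(url):
    """Return url with known tracking query parameters removed, path/fragment intact."""
    parts = urlsplit(url)
    kept = [
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not k.startswith(TRACKING_PREFIXES) and k not in TRACKING_KEYS
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def resolve(url, fetch_location=REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow redirects server-side so the user never has to click blind.

    Returns (status, last_url, chain) where status is one of
    'resolved', 'unresolvable', 'loop' or 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:              # no Location header: this is the real page
            return "resolved", current, chain
        if nxt is UNRESOLVABLE:      # shortener refused the lookup
            return "unresolvable", current, chain
        if nxt in seen:              # redirect loop: never terminates
            return "loop", current, chain
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return "too_many_hops", current, chain


def interstitial(url):
    """Build the warning a user would see before leaving the site."""
    status, final, chain = resolve(url)
    if status == "resolved":
        clean = strip_tracking(final)
        host = urlsplit(clean).hostname or "(no host)"
        message = f"You are now leaving Twitter and being redirected to {clean} (site: {host})."
        if clean != final:
            message += " Tracking parameters were removed from the link."
        final = clean
    else:
        message = ("We could not resolve the shortlink to the full hyperlink. "
                   "Scammers and malware creators often use dodgy shortlinks. "
                   "Proceed at your own risk.")
    return {"status": status, "final_url": final, "hops": len(chain) - 1, "message": message}


if __name__ == "__main__":
    for link in ("https://sho.rt/abc", "https://sho.rt/loop1",
                 "https://sho.rt/blocked", "https://news.example/plain"):
        print(link, "->", interstitial(link))
```

Showing the hostname separately is the point of the "vet by the domain" remark: the eye can compare `news.example` against what the tweet claimed far more easily than it can read a long query string. In a real deployment the callback would issue a HEAD request with a short timeout and without following redirects itself, so the cap and loop check stay in this code.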

Short URLs

I have never clicked on a short URL. They always look suspicious to me.

Meh.

Anonymous Coward

WTFO

Don't tweet.

Never will.

#ProudLuddite

Anonymous Coward

Re: WTFO

This problem is on more than twitter....


Que?

The real news is that someone thought a smart tool is required for snagging Twatter users!


Biting the hand that feeds IT © 1998–2017