Twitter is a popular way for millions of people to connect online. It is also a popular way for attackers to spread malicious content.
In a new paper, researchers at Trend Micro revealed the results of analyzing more than a half a billion tweets. The company found that millions of the messages linked to material ranging from phishing pages to malware.
“We ended up gathering more than 570 million Tweets in total,” blogged Jon Oliver, senior architect at Trend Micro. “Of these, we identified that more than 33 million – 5.8% of the total – had links to malicious content of some kind of another. Malicious content does not necessarily mean only malware: it can also mean links to spammed advertisements and phishing pages, among other threats. The data collection period was during a period when there was significant spam outbreak.”
Trend Micro identified several types of abuse on Twitter, including spam, phishing, links to malware and accounts beings stolen and suspended.
“There are two distinct flavors of spam – traditional spam that uses hash tags, is very obvious, repetitive, and quickly gets shut down,” blogged Oliver. “The second type is what we call “searchable spam”. Searchable spammed tweets are completely different.”
Those tweets, he explained, are more like classified ads – they typically promote pirated or fake products such as software or free movies. Unlike other tweets, they do not make heavy use of hashtags.
“There is a strong Eastern European connection with these tweets as well: many are written in Russian, or hosted on servers in Russia or Ukraine,” he noted. “This threat is much more low-profile than other attacks, and it shows: the probability of Twitter suspending accounts involved in this activity is lower than accounts involved in other malicious activities. All this is designed to avoid users reporting these tweets (and accounts).”
“In addition, half of the traffic to the sites advertised in these tweets [doesn’t] actually come from Russia,” he added. “The users finding these tweets really are interested in what they “need”, even if they need automated translation tools to understand them.”
“Twitter accounts themselves are valuable targets for cybercriminals,” he added. “As a result, various scams that try to get the user credentials of users are common as well. For example, compromised accounts will mention their friends in tweets (or send direct messages), that ask the user to click on a (shortened) URL. This link will eventually lead users to phishing pages that ask for the user’s Twitter account credentials.”
The full paper can be read here.