Evil Twitter… Finding malware amongst the maelstrom..
Would it surprise you to know that yesterday, more than 5000 tweets were posted with URLS which would have dropped you on sites which distribute malware?
It was only a small portion of the total number of tweets containing URLs, around 2.5 million or so, and there were an additional ~200,000 that went to sites about which McAfee was not too sure about the status (we are busy scanning them, as we do all sites which come to our attention where we don’t have a “reputation”). Still – there were 5000 tweets, guaranteed to get you in trouble.
You can guess perhaps, that for a while now McAfee, or rather my Innovation Team has been working on a project to generate some deep analytic evidence from the Twitter fire hose – We’re trying to answer the question “how do you apply the concept of reputation to a social media system?” Knowing how cyber-criminals use Twitter to entice people to visit their sites is just the first step in the process.
Our project lets us probe the the Twitter stream for malware related concepts – some interesting things you can see from the charts below for example, that there’s a pretty consistent trend of tweets containing URLs to malware which follow the general twitter tweet rate.
When you compare to the known good, and currently unflagged sites (a small portion of which may turn into bad sites over the next few days)
If this was not bad enough, the vast majority of the tweets are shortened links, either by twitters built in engine, t.co, or one of the hundreds of other link shortening engines like http://mcafe.ee and http://bit.ly.
Yes, you read that right – people try to propagate malware over Twitter, using McAfee’s GTI protected short link service – what are they thinking?
Looking at the average user experience, not only are they unaware that tweets may contain links to malware, but the links are “obscured” by short URL services, making it even easier for you to be tempted to…
“Click here to see pictures of cute puppies – http://mcaf.ee/09db36“
Digging a little deeper, It’s interesting to look at the domains these links are coming from – for example, in the last 24 hours looking at all tweets with URLS, and taking the top offenders of known bad URLS (ones guaranteed to get you in trouble)…
Curious don’t you think that there’s not one safe, suspicious or unknown tweet to these domains? That every single tweet in the last 24 hours containing a URL to these domains would have dropped you on a know malware site?
In a future blog, I hope to be able to tell you more about the engine we’re using to generate this data – it’s not as simple as it may seem on the surface (try absorbing hundreds of tweets a second and expanding all the URLS to work out the final destination, then working out the GTI reputation of that destination etc), but thought this result interesting enough to share.
Next for us, is looking at user behavior – we can already pick out known “bad actors” – accounts which only ever propagate malware, but we are thinking about the problem of users whose tweets are mostly good, with the occasional bad one – how do they fit into the equation?
And of course, on the horizon for 2012 are products using this data – would you like these bad tweets stripped out of your feed, or flagged in your Tweet reader? Would you like to have these known “bad users” and domains automatically ignored?
|Simon Hunt is the Chief Technology Officer for Intel Secure Home Gateways, and formally the CTO for McAfee's Enterprise Endpoint group. Simon has been designing, implementing and speaking about data security since 1996. You can read my full Bio.|
- Will your thermostat get you a job as a Spy? Maybe, or it might spy on you according to Dir US Intelligence #IOT lnkd.in/drPurNK 1 hour ago
- VTech toys use T&C's to absolve themselves of any responsibility for personal data loss - it's now YOUR problem - lnkd.in/e8_QCb8 2 hours ago
- Elective website age ratings - breaking down the #OMK age-label initiative. ctogonewild.com/2016/02/09/ele… 1 day ago
- The down-side of actually-useful #Smarthome #IOT. How long it takes to get updates (if ever!). lnkd.in/eC6tyAM 1 day ago
- Cryptography (27)
- Data Loss (69)
- Everything Else (2)
- IOT (12)
- SmartHome (10)
- McAfee/SafeBoot/Intel (43)
- Programming (21)
- Security/Exploits (45)
- My Bio…
- Speaking Engagements
- Programming and Hardware
|fany on Bitmask searches in LDAP, or H…|
|Moritz lenz on Bitmask searches in LDAP, or H…|
|SmartHome 101… on Smarthome 102 – Ele…|
|Smarthome 102… on SmartHome 101 – Plu…|
|One more thing you d… on 10 Things you don’t want…|
- Elective Age Ratings, Breaking down Age-Label
- Smarthome 102 – Electrical
- SmartHome 101 – Plumbing
- One more thing you don’t want to know about bitlocker..
- CIO Review IoT Special Edition, November 2015
- Smart Home or Dumb Home/Smart Cloud?
- Speaking at Mobility Live 2015 on the 28th Oct.
- NY State vs Microsoft customer data disclosure update 4
- Why I want all my lights to be smart…
- Smarthome 2015 – 80’s Computing Throwback?
- Adventures in VBScript – Including code from other files
- Microsoft vs NY State, Still going on..
- Speaking at INTX 2015, Chicago May 5-7
- Understanding Internet Of Things for the Home
- CES2015 – A festival of insecure, unmanaged IOT devices..
- February 2016
- November 2015
- October 2015
- September 2015
- July 2015
- May 2015
- January 2015
- December 2014
- October 2014
- September 2014
- July 2014
- May 2013
- December 2012
- November 2012
- May 2012
- December 2011
- September 2011
- June 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- March 2009
- December 2008
- October 2008
- September 2008
- November 2007