Evil Twitter… Finding malware amongst the maelstrom..
Would it surprise you to know that yesterday, more than 5000 tweets were posted with URLS which would have dropped you on sites which distribute malware?
It was only a small portion of the total number of tweets containing URLs, around 2.5 million or so, and there were an additional ~200,000 that went to sites about which McAfee was not too sure about the status (we are busy scanning them, as we do all sites which come to our attention where we don’t have a “reputation”). Still – there were 5000 tweets, guaranteed to get you in trouble.
You can guess perhaps, that for a while now McAfee, or rather my Innovation Team has been working on a project to generate some deep analytic evidence from the Twitter fire hose – We’re trying to answer the question “how do you apply the concept of reputation to a social media system?” Knowing how cyber-criminals use Twitter to entice people to visit their sites is just the first step in the process.
Our project lets us probe the the Twitter stream for malware related concepts – some interesting things you can see from the charts below for example, that there’s a pretty consistent trend of tweets containing URLs to malware which follow the general twitter tweet rate.
When you compare to the known good, and currently unflagged sites (a small portion of which may turn into bad sites over the next few days)
If this was not bad enough, the vast majority of the tweets are shortened links, either by twitters built in engine, t.co, or one of the hundreds of other link shortening engines like http://mcafe.ee and http://bit.ly.
Yes, you read that right – people try to propagate malware over Twitter, using McAfee’s GTI protected short link service – what are they thinking?
Looking at the average user experience, not only are they unaware that tweets may contain links to malware, but the links are “obscured” by short URL services, making it even easier for you to be tempted to…
“Click here to see pictures of cute puppies – http://mcaf.ee/09db36“
Digging a little deeper, It’s interesting to look at the domains these links are coming from – for example, in the last 24 hours looking at all tweets with URLS, and taking the top offenders of known bad URLS (ones guaranteed to get you in trouble)…
Curious don’t you think that there’s not one safe, suspicious or unknown tweet to these domains? That every single tweet in the last 24 hours containing a URL to these domains would have dropped you on a know malware site?
In a future blog, I hope to be able to tell you more about the engine we’re using to generate this data – it’s not as simple as it may seem on the surface (try absorbing hundreds of tweets a second and expanding all the URLS to work out the final destination, then working out the GTI reputation of that destination etc), but thought this result interesting enough to share.
Next for us, is looking at user behavior – we can already pick out known “bad actors” – accounts which only ever propagate malware, but we are thinking about the problem of users whose tweets are mostly good, with the occasional bad one – how do they fit into the equation?
And of course, on the horizon for 2012 are products using this data – would you like these bad tweets stripped out of your feed, or flagged in your Tweet reader? Would you like to have these known “bad users” and domains automatically ignored?
|Simon Hunt is the Chief Technology Officer for Intel Secure Home Gateways, and formally the CTO for McAfee's Enterprise Endpoint group. Simon has been designing, implementing and speaking about data security since 1996. You can read my full Bio.|
- If you're a UK TalkTalk customer - CHANGE YOUR WIFI PASSWORD! This issue is too big to ignore. Do it right now! - lnkd.in/gMZeR7k 1 day ago
- Great to see behavioral analytics "move into enterprises", though it has existed for a decade if not longer. lnkd.in/gn5aw8N 3 days ago
- Excellent product pitch advice for tech companies from McAfee Alumni and industry leader Joe Sexton - lnkd.in/gE2wJXm 3 days ago
- Would you pay a cyber-ransom to unlock your smart TV? Would you feel it was your responsibility or the makers? lnkd.in/eaRW-EB 1 week ago
- Cryptography (29)
- Data Loss (71)
- Everything Else (4)
- IOT (15)
- SmartHome (13)
- McAfee/SafeBoot/Intel (43)
- Programming (22)
- Security/Exploits (45)
- My Bio…
- Speaking Engagements
- Programming and Hardware
|NY State vs Microsof… on NY State vs Microsoft customer…|
|fany on Bitmask searches in LDAP, or H…|
|Moritz lenz on Bitmask searches in LDAP, or H…|
|SmartHome 101… on Smarthome 102 – Ele…|
|Smarthome 102… on SmartHome 101 – Plu…|
- Buying or selling a smarthome? Watch out for amnesia!
- It be that time o’ year again – 19th September, International Talk Like A Pirate Day
- SafeSkies TSA Master Key reverse engineered
- Realtors define “smart home” – but there’s a catch.
- NY State vs Microsoft – Part 5
- Smarthome Survey Shows Safety Is No.1 Concern
- How could Apple help bypass an iPhone Pin?
- Elective Age Ratings, Breaking down Age-Label
- Smarthome 102 – Electrical
- SmartHome 101 – Plumbing
- One more thing you don’t want to know about bitlocker..
- CIO Review IoT Special Edition, November 2015
- Smart Home or Dumb Home/Smart Cloud?
- Speaking at Mobility Live 2015 on the 28th Oct.
- NY State vs Microsoft customer data disclosure update 4
- November 2016
- September 2016
- July 2016
- March 2016
- February 2016
- November 2015
- October 2015
- September 2015
- July 2015
- May 2015
- January 2015
- December 2014
- October 2014
- September 2014
- July 2014
- May 2013
- December 2012
- November 2012
- May 2012
- December 2011
- September 2011
- June 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- March 2009
- December 2008
- October 2008
- September 2008
- November 2007