Extensive analysis of links posted on the popular Twitter microblogging service has found that Twitter users are contributing to the spread of malicious URLs posted on the site.
Nearly half of the URLs analyzed by security vendor Kaspersky Lab are links posted by Twitter users to websites that attackers are using to spread malware, or marketing sites, which could be considered spam.
The security vendor's analysis system, called Krab Krawler, pulls in thousands of URLs every hour and feeds them into a central database for analysis. The goal is to better understand the intent of the cybercriminals using social networks to spread malware and conduct phishing attacks, said Costin Raiu, chief security expert at Moscow, Russia-based Kaspersky Lab.
"It seems that most of the malicious traffic is generated by users themselves who are unsuspectingly posting links to websites which they think are clean that actually turn out to be infected," Raiu said. "The malware keeps changing every week."
Twitter security problems:
Twitter, Facebook hit by denial-of-service attacks: Twitter was shut down for more than two hours and Facebook service slowed as the ubiquitous social networking websites were hit by denial-of-service attacks.
Should enterprises be concerned with Twitter in the workplace? Expert Michael Cobb explains how concerned you should be with Twitter use inside the company.
Twitter vulnerability project highlights Bit.ly flaws: Link shortening service Bit.ly had several cross-site scripting flaws that could be used to view a user's browsing history, tamper with bit.ly settings and abuse Twitter accounts.
Kaspersky Lab said Thursday that it is using its extensive analysis of shortened URLs posted to Twitter to help protect its customers in the wake of a rising number of attacks targeting social network users. Twitter was targeted by a cross-site scripting worm in April, and the Koobface Facebook worm spread to the microblogging service in June. Over the summer, a denial-of-service attack knocked the service offline for hours.
Krab Krawler runs on Linux; it fetches and extracts URLs that appear in Twitter's public timeline and feeds them into a database for analysis. A set of modules scan each website being linked to by the URL, looking for malware. Raiu said the tool currently analyzes about 500,000 unique URLs per day for malicious content and as many as 1,000 are malware attacks.
About 26% of all Twitter posts contain URLs. The analysis has found some shortened URLs leading users to websites injected with code that deliver a standard iFrame attack. Raiu said much of the malicious malware can be attributed to the Gumblar Trojan, which used an automated method earlier this year to infect vulnerable websites and set up drive-by attacks.
Automated bots are driving much of the malicious traffic by using malicious accounts. The most popular URL leads to an online dating website that has hosted malware in the past.
"It indicates the fact that most of the URLs posted on Twitter seem to be generated by spammers or by people with malicious intent," Raiu said.
Most of the malware spreading on Twitter can be detected by antivirus programs. Raiu said Kaspersky is using its analysis to help bolster its protection. It takes two to 12 hours from the time a link is posted to Twitter for the Krab Krawler analysis to take place and for signatures to be deployed to Kaspersky customers, Raiu said.
Other security vendors offer browser plug-in tools that scan URLs and block them before they can be clicked. AVG Technologies offers LinkScanner, a tool that checks out URLs and strips out any malware they may contain. The tool uses a blacklist of known harmful sites to filter the URL. Security vendor Finjan Inc. has a SecureTwitter tool that issues a warning message when a malicious URL is detected.
Twitter announced a service last summer that internally filters URLS using the Google Safe Browsing API. A number of browser add-on tools enable users to check suspicious URLs before clicking them.