
Sep 23rd, 7:52pm EST

Phishing Incident

TwiGUARD created a fake profile and gave its username and password to the phishing site to track the messages sent and how the account is used. Below is a screenshot of the message received.

Sep 23rd, 4:45pm EST

Phishing Incident

TwiGUARD is currently tracking a widespread phishing attack on Twitter in which a user account is compromised and then sends direct messages containing a phishing link to all of the account holder's friends. The page behind the phishing link looks exactly like the Twitter login page. More information will be posted as needed.

TwiGUARD Analyst Log

Sep 17th, 6:46pm EST

TwiREP

We have been getting a lot of questions about what it is that we do, so I wanted to give you a quick peek. We have a proprietary algorithm called TwiREP that can analyze a Twitter user and tell whether they are spam or not. We are constantly tweaking and testing this algorithm. TwiREP assigns a user a value between 0 and 100 that reflects how shady they are: a score of 0 means a real user, whereas 100 means a spammer. Below is the graph of a 10,000-user analysis run we got from following the public timeline for about 5 minutes. We estimate that about 10% of Twitter traffic is spam.

Sep 11th, 2:16pm EST

HowToHack

The following is information gathered by TwiGUARD during the HowToHack incident.
  • TwiGUARD started tracking it: Wed Sept 9th with the Threat Level raised to two at 3:30pm.
  • Keywords used: “How to Hack”. These keywords were followed by a phrase such as “xbox” or “hotel cable” along with a bit.ly link. The bit.ly link appears to be different for each post, and no collisions were observed in the collected information.
  • The Users:
    rebewhite
    marydelakoko
    perrynell
    dailychin
    razerdemo
    newketket
    martinse7en
    mrdeeegle
    giiive
    pepycola
    kirstyroberts91
  • Twitter killed it: The last post TwiGUARD saw was around 9:49am. All user accounts have been suspended.
  • All of the accounts were created on Monday Sept 7th between 1350 and 1410 GMT.
  • The total run of the incident was roughly 92 hours.
  • Each account sent an average of 33 tweets per hour. For the 92 hour run it could be assumed that each account produced 3,036 tweets. In total, all 12 accounts could have produced around 36432 tweets.
  • TwiGUARD captured 5389 of these tweets or around 14.7 percent.
  • Of that 14.7 percent we know that the link was clicked on a total of 8755 times or an average of 1.6 clicks per link. We can extrapolate that the link was clicked on a total of 58,291 times during the incident.
  • Interesting notes:
  • This information only covers the main accounts used to spread the malware links. Some accounts that use an automatic re-tweeting function spread some of the messages, but since they were just repeating the same links, clicks on those links would have been recorded. A total of 47 accounts were observed automatically re-tweeting the links.

    At the initial investigation time only 3 AV engines caught the malware. At the time of writing 22 AV engines detect the malware.
  • A link to the F-Secure analysis of the malware.
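The traits listed above (the “How to hack” lure with a bit.ly link, a different link on every post, and accounts registered within minutes of each other) can be combined into a simple detection heuristic. The following is an added example, not TwiGUARD's code or the TwiREP algorithm; the record layout, thresholds, account names and tweets are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lure from the write-up: "How to hack" text followed by a bit.ly link.
LURE = re.compile(r"how to hack\b.*?(https?://bit\.ly/\w+)", re.I | re.S)

def campaign_accounts(tweets, min_posts=3, window=timedelta(minutes=20)):
    """Return groups of lure-posting accounts that were registered together.

    tweets: dicts with keys user, created (account creation time) and text.
    min_posts and window are assumed thresholds, not values from the log.
    """
    links, created = defaultdict(list), {}
    for t in tweets:
        m = LURE.search(t["text"])
        if m:
            links[t["user"]].append(m.group(1))
            created[t["user"]] = t["created"]
    # Main spreaders repeat the lure but never reuse a link (re-tweeters do).
    suspects = sorted(
        (u for u, l in links.items() if len(l) >= min_posts and len(set(l)) == len(l)),
        key=lambda u: created[u])
    # Group suspects whose registration times fall inside one window.
    clusters, current = [], []
    for u in suspects:
        if current and created[u] - created[current[0]] > window:
            clusters.append(current)
            current = []
        current.append(u)
    if current:
        clusters.append(current)
    # One matching account is weak evidence; a batch registered together is not.
    return [c for c in clusters if len(c) >= 2]

def sample_tweets():
    """Constructed data: three batch-registered bots, a re-tweeter, a real user."""
    base = datetime(2009, 9, 7, 13, 50)
    rows = [{"user": "alice", "created": datetime(2008, 1, 2),
             "text": "Reading how to hack together a bird feeder this weekend"}]
    for i, user in enumerate(["bot_a", "bot_b", "bot_c", "rt_bot"]):
        for n in range(3):
            # rt_bot repeats one link; the other bots use a fresh link per post.
            link = "x00" if user == "rt_bot" else f"x{i}{n}"
            rows.append({"user": user, "created": base + timedelta(minutes=5 * i),
                         "text": f"How to hack xbox http://bit.ly/{link}"})
    return rows

if __name__ == "__main__":
    print(campaign_accounts(sample_tweets()))
```
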

Sep 11th, 1:38pm EST

HowToHack

TwiGUARD threat level has been reset to 1. Twitter has killed the HowToHack accounts. We will post a follow-up including statistics shortly.

Sep 9th, 10:14pm EST

HowToHack

The HowToHack incident continues to affect Twitter at a rate of 5 messages per minute. This rate has remained steady since we started tracking this incident. The low message rate is the reason the threat level is at 2 and not 3.

This will be the last status update on HowToHack unless new information comes to light.

Sep 9th, 5:18pm EST

HowToHack

TwiGUARD has obtained a malware sample from the “How To Hack” attack. The file that you are prompted to download is called flash-plugin_update.45194.exe. The sample was submitted to VirusTotal and only 3 AV engines detected it. You can view the scan here.

Wed Sep 9th, 3:30pm EST

Threat Level Raised to 2: HowToHack Malware

TwiGUARD is tracking a current phishing threat on Twitter. The malicious tweet will contain the text “How to hack”. Clicking on the link in the tweet will redirect your browser to a site that attempts to infect your computer with malware. Currently the users that are spreading the tweet are newketket, martinse7en, pepycola, dailychin, and razerdemo, although more bots are coming online every minute. Do not click on these links, and block any user who tweets the “How to hack” string and attempts to follow you. If this phishing attack continues to grow, the threat level will be escalated to level 3. We will update this page as more information becomes available. Below is a screenshot of a bad profile.