Cybercrooks descend on Twitter with spam, attacks

Security expert is starting to see a "groundswell of attacks" on Twitter.

By ABC News
July 5, 2009, 10:38 PM

Cybercriminals are rapidly using Twitter, the popular Web-messaging service, to direct users to websites that sell porn and fake drugs and to trigger promotions for fake anti-virus subscriptions.

"We're starting to see a groundswell of attacks," says Dan Hubbard, chief technology officer at Websense, an Internet security firm. "Spam is usually the first bad thing we see before it escalates to things more nefarious."

An escalation seems inevitable. Anyone can sign up anonymously for a Twitter account and begin pushing unfiltered messages across the Internet.

Another problem: Twitter's intensive use of shortened Web links, or URLs, which let you point to Web pages in short messages. That has made it easy for cybercrooks to spread infectious URLs that can give an attacker control of your PC, says Stefan Tanase, researcher at Kaspersky Lab, which makes anti-virus software.

Bad URLs have become so prevalent on Twitter in the past several weeks that active Twitterers are seeing several a day.

"The more active a Twitter user is, the more attacks he or she is seeing," says Tanase.
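Shortened links hide where a click will land, which is the property attackers rely on. A defender-side countermeasure is to expand a short URL before visiting it: follow the redirect chain with HEAD requests only (no page body is ever fetched or rendered), cap the number of hops, refuse loops and non-HTTP schemes, and compare the final host against a blocklist. The code below is an added example written for this article, not code from Twitter, Websense or Kaspersky; it uses only the Python standard library, and the domains in the offline table (`short.example`, `bait.example`, `fakeav-pharma.example`) and the blocklist are constructed for the demo.

```python
"""Expand a shortened URL to its final destination without rendering the page.

Added example; not part of the original article. Standard library only.
The redirect chain is followed hop by hop with HEAD requests and capped at
MAX_HOPS. A `lookup` callable can be injected so the resolver runs offline
against a constructed table (see _DEMO_TABLE and demo_lookup).
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from auto-following redirects so every hop is visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def http_head_location(url, timeout=5):
    """Issue ONE HEAD request. Return the Location header if the server
    redirects, or None when this URL is the final destination (2xx)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def expand(url, lookup=http_head_location, max_hops=MAX_HOPS):
    """Follow the redirect chain starting at `url`.

    Returns (final_url, chain). Raises ValueError for non-HTTP schemes,
    redirect loops, or chains longer than `max_hops`, all of which are
    themselves signals worth flagging on a link seen in a tweet.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        current = chain[-1]
        scheme = urlparse(current).scheme.lower()
        if scheme not in ("http", "https"):
            raise ValueError(f"refusing non-HTTP scheme: {scheme!r}")
        nxt = lookup(current)
        if nxt is None:
            return current, chain
        nxt = urljoin(current, nxt)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects")


def is_blocked(final_url, blocklist):
    """True if the final host is a blocklisted domain or a subdomain of one."""
    host = (urlparse(final_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


# Constructed offline stand-in for a shortener plus a bait page; no network.
_DEMO_TABLE = {
    "http://short.example/a1b2": "http://bait.example/landing",
    "http://bait.example/landing": "/buy",                    # relative hop
    "http://bait.example/buy": "http://fakeav-pharma.example/buy",
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
}


def demo_lookup(url):
    """Offline replacement for http_head_location using _DEMO_TABLE."""
    return _DEMO_TABLE.get(url)


if __name__ == "__main__":
    blocklist = {"fakeav-pharma.example"}  # constructed for the demo
    final, hops = expand("http://short.example/a1b2", lookup=demo_lookup)
    print(" -> ".join(hops))
    print("blocked" if is_blocked(final, blocklist) else "ok")
```

In production `expand()` is called with the default `lookup`, which sends real HEAD requests; the injected table is only there so the logic can be exercised without touching the network. Note that a HEAD-only expansion reveals the destination but does not scan it, so the result is an input to a reputation check, not a verdict on its own.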

Attackers also are exploiting security weaknesses in popular Twitter add-on services. For example, last week someone cracked photo-sharing service TwitPic and stole Britney Spears' Twitter log-on. The person sent messages, called tweets, to the pop singer's followers saying she had died.

Cybercriminals could easily use similar security flaws in Twitter add-ons to take control of users' PCs, steal their data and hijack their online bank accounts.

Twitter co-founder Biz Stone says Twitter takes malicious attacks seriously.

"We understand that this job is never done, so we are actively recruiting staff and developing tools to combat spam and enhance security," says Stone.

Twitter has issued a list of suggested security practices that add-on developers should follow.

But the advice is "basic information" and lacks any enforcement mechanism, says PandaLabs researcher Sean-Paul Correll.