Hypertwish lets cons spear more phish

Powered by SC Magazine

Automated Twitter spear phishing.

A security researcher has released an automated tool designed to launch sophisticated and targeted phishing attacks over Twitter.

The Hypertwish tool -- its name a play on the hyperbolic-tree mathematics in the app and on so-called twishing attacks -- goes far beyond the common automated phishing campaigns in which spammers blast out piles of malicious shortened URLs to bait victims before the offending account is banned.

Rather, it compiled and issued tweets based on trust and intelligent randomisation, issued shortened URLs designed to track victims, and exploited relationships between followers to build legitimacy.

"We need a better way of making fake profiles, automating tweets and exploiting trust," said Hypertwish creator and senior penetration tester at Booz Allen Hamilton, Sean Palka.

"You don't want to rely on mass fake URLs ... We only want to create accounts as needed. Some people create thousands of accounts and fall into the trap of [being] predictable."

The tool automated Twitter accounts with the command-line client Twidge and crafted phishing tweets by swiping legitimate tweets and hashtags and rewriting them with a context-free grammar.

The grammar's production rules gave polynomial growth in the number of variants, so a short tweet could be highly randomised with only a few rule sets.

All this was hidden from the user, who saw an interface that simplified account following, tweet stealing, and the generation of coherent random tweets for baiting targets. The engine generated unique tweets each time the user refreshed the page.

To make the con more believable, Palka built a relationship graph by tweaking the hyperbolic-tree visualisations in the open-source JavaScript InfoVis Toolkit.

This granted insight into follower relationships, allowing attackers to mention followers in tweets to increase the chance that targets would click malicious links.

Attacks were best aimed where triangles appeared in the tool's visual graph of relationships between Twitter accounts. Those triangles indicated likely trusted relationships, which are useful to social engineers.

"I can start sending communications to accounts referencing [their followers] and it will look like I know something about them. Or I can include all of them and it will look like I'm forwarding information that's relevant to them," Palka said at the Hack3rcon event this month.

The popular Maltego toolkit could be used to determine the same relationships, but Palka said building the necessary complex filters was tough work.

In a simple demonstration of the tool at the recent Defcon security conference, Palka created a fake account, which copied all tweets sent out by event staffer Ryan Clarke.

That was enough to get the fake account ranked higher than Clarke's, and even retweeted by Defcon organiser Jeff Moss, which earned it followers.
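The Defcon demonstration above, a fake account that re-posted every tweet of a real staffer, is the kind of impersonation a platform or security team can look for. The following Python script is an added defender-side example, not code from Hypertwish or from the article: it normalises tweets so that swapped shortened links and added @mentions do not hide a copy, credits each near-duplicate tweet to the earliest account that posted it, and flags accounts whose timeline is mostly copied from one other account. All account names, timestamps, tweet texts and thresholds below are constructed assumptions.

```python
"""Flag Twitter accounts whose timeline mirrors another account's tweets.

Added defender-side example; this is not Hypertwish code and not part of the
article. Account names, timestamps and tweet texts below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample corpus: (account, unix_timestamp, tweet_text).
# "event_staff" posts originals; "event_staff_news" reposts each one slightly
# later with a tracking link or mention added; "alice" posts her own tweets
# plus one genuine retweet of the staffer.
SAMPLE_TWEETS = [
    ("event_staff", 100, "Badge pickup opens at 9am in the main hall, bring your ticket #defcon"),
    ("alice", 120, "Anyone up for dinner after the talks tonight?"),
    ("event_staff_news", 150, "Badge pickup opens at 9am in the main hall, bring your ticket #defcon http://short.invalid/a1"),
    ("event_staff", 200, "Talk schedule for track 2 is now posted http://example.invalid/sched"),
    ("alice", 210, "RT @event_staff: Talk schedule for track 2 is now posted http://example.invalid/sched"),
    ("event_staff_news", 250, "Talk schedule for track 2 is now posted http://short.invalid/b2"),
    ("event_staff", 300, "Village rooms move to the second floor tomorrow, check the signs"),
    ("alice", 320, "Great keynote this morning, slides please!"),
    ("event_staff_news", 350, "Village rooms move to the second floor tomorrow, check the signs @alice"),
    ("event_staff", 400, "Closing ceremony starts at 4pm, see you all there #defcon"),
    ("event_staff_news", 450, "Closing ceremony starts at 4pm, see you all there #defcon"),
]


def normalise(text):
    """Lower-case, strip URLs and @mentions, keep hashtags, collapse whitespace.

    A cloned tweet typically differs from the original only in its shortened
    tracking link or an added mention, so those parts must not affect matching.
    """
    text = text.lower()
    text = re.sub(r"https?://\S+", " ", text)
    text = re.sub(r"@\w+", " ", text)
    text = re.sub(r"[^a-z0-9# ]+", " ", text)
    return " ".join(text.split())


def token_set(text):
    return set(normalise(text).split())


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical token sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def copy_counts(corpus, threshold=0.8):
    """For every tweet, find the earliest near-identical tweet by a different
    account posted before it and credit that account as the source.

    Returns ({copier: Counter({source: n_copied})}, {account: n_tweets}).
    """
    tweets = [(acct, ts, token_set(txt)) for acct, ts, txt in corpus]
    totals = Counter(acct for acct, _, _ in tweets)
    copies = defaultdict(Counter)
    for acct, ts, toks in tweets:
        sources = [(s_ts, s_acct) for s_acct, s_ts, s_toks in tweets
                   if s_acct != acct and s_ts < ts and jaccard(toks, s_toks) >= threshold]
        if sources:
            _, earliest = min(sources)   # earliest poster is the presumed original
            copies[acct][earliest] += 1
    return copies, totals


def find_clones(corpus, threshold=0.8, min_fraction=0.75, min_tweets=3):
    """Return (copier, source, fraction) for accounts whose timeline is mostly
    copied from one other account. A single retweet never trips the threshold.
    """
    copies, totals = copy_counts(corpus, threshold)
    findings = []
    for copier, per_source in copies.items():
        if totals[copier] < min_tweets:
            continue
        for source, n in per_source.items():
            fraction = n / totals[copier]
            if fraction >= min_fraction:
                findings.append((copier, source, round(fraction, 2)))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for copier, source, fraction in find_clones(SAMPLE_TWEETS):
        print(f"{copier} mirrors {fraction:.0%} of its tweets from {source}")
```

On the constructed corpus only `event_staff_news` is reported (100% of its tweets trace back to `event_staff`); `alice` is not, because her one genuine retweet is a third of her timeline and sits below the 75% threshold. Crediting each duplicate to the earliest poster keeps the real account from being accused of copying its own clone. The 0.8 similarity and 75% fraction cut-offs are starting points, not calibrated values.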

Hypertwish also kept an accurate list of victims who clicked malicious URLs by parsing its HTTP logs and filtering out requests made by bots.

Palka found that Twitter's bots automatically requested tweeted URLs but did not follow the links any further to examine their content.

Hypertwish took advantage of this by redirecting victims via iframes to the target payload sites, a move that went unnoticed by the bots.

The tool can be downloaded free for Linux.

Copyright © SC Magazine, Australia

