Twitter accounts hijacked using malware that injects JavaScript code and sends malicious tweets


A Man-in-the-Browser (MitB) attack is being used to infect PCs, hijack Twitter accounts, and send malicious tweets. Because the messages come from existing, legitimate Twitter accounts, some recipients are being duped: they trust the people they follow.

This particular attack was discovered by security firm Trusteer and works by injecting JavaScript code into the Twitter account pages of victims whose browsers are already infected. The injected code collects the user's authentication tokens, which lets it make authorized calls to Twitter's APIs from within the victim's own logged-in session; it then uses those calls to post new malicious tweets on the victim's behalf, so to Twitter the posts look like ordinary user activity.

This appears to be a localized attack for now, but nothing forces it to stay that way, according to Trusteer:

At this time the attack is targeting the Dutch market. However, because Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry.

The malware is currently sending out tweets with Dutch text such as:

  • “Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris” (English translation: “Our new King William will earn even more than Beatrix. Check his salary”)
  • “Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!” (English translation: “Beyonce falls during the Super Bowl concert, very funny!!!!”)
  • “topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken… zie” (English translation: “The [Dutch Bank] CEO is making off with our millions!! The minister loses out again… see”.)

The text of these tweets could be swapped for other Dutch messages, or localized to target users in other countries. The security firm found the texts above in multiple Twitter posts, which shows the campaign has already succeeded in posting from compromised accounts; the good news is that the malicious links being used currently appear to be inactive.
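As an added example (not code from the TNW article or from Trusteer), the script below shows how a defender with a tweet export could hunt for accounts hit by this campaign: it flags posts matching the three reported lure texts, treating the redacted “[Dutch Bank]” as a wildcard, and it goes one step beyond the article by also flagging any text that many distinct accounts post verbatim within a short window, which catches lure texts that are later swapped out. The tweet records, account names and link domains are constructed sample data.

```javascript
// Added example, not from the article or Trusteer's report. Hunts a tweet
// export for accounts posting the campaign's known lure texts and for any
// text mass-posted verbatim by many distinct accounts. Sample data below is
// constructed; the bank name and link domains are placeholders.

const KNOWN_LURES = [
  "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris",
  "Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!",
  // "[Dutch Bank]" is redacted in the report; it becomes a wildcard below.
  "topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken… zie",
];

// Strip the appended link, unify ellipses and whitespace, lowercase.
function normalize(text) {
  return text
    .replace(/https?:\/\/\S+/gi, "")
    .replace(/\u2026/g, "...")
    .replace(/\s+/g, " ")
    .trim()
    .toLowerCase();
}

// Build an anchored regex from a lure; the redacted placeholder matches
// one to four words so the real bank name is never guessed here.
function lureToRegex(lure) {
  const escaped = normalize(lure).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const withWildcard = escaped.replace(/\\\[dutch bank\\\]/g, "\\S+(?: \\S+){0,3}");
  return new RegExp("^" + withWildcard + "$");
}

const LURE_PATTERNS = KNOWN_LURES.map(lureToRegex);

function matchesKnownLure(text) {
  const n = normalize(text);
  return LURE_PATTERNS.some((re) => re.test(n));
}

// Returns Map<user, Set<reason>>. A text posted verbatim by >= minAccounts
// distinct accounts inside windowMs is treated as a campaign signature.
function huntCompromisedAccounts(tweets, { minAccounts = 3, windowMs = 3600e3 } = {}) {
  const flagged = new Map();
  const byText = new Map();
  const add = (user, reason) => {
    if (!flagged.has(user)) flagged.set(user, new Set());
    flagged.get(user).add(reason);
  };
  for (const t of tweets) {
    if (matchesKnownLure(t.text)) add(t.user, "known-lure");
    const n = normalize(t.text);
    if (!byText.has(n)) byText.set(n, []);
    byText.get(n).push({ user: t.user, ts: Date.parse(t.ts) });
  }
  for (const [text, posts] of byText) {
    posts.sort((a, b) => a.ts - b.ts);
    let lo = 0; // sliding window over timestamps
    for (let hi = 0; hi < posts.length; hi++) {
      while (posts[hi].ts - posts[lo].ts > windowMs) lo++;
      const users = new Set(posts.slice(lo, hi + 1).map((p) => p.user));
      if (users.size >= minAccounts) {
        for (const u of users) add(u, "mass-posted:" + text.slice(0, 40));
      }
    }
  }
  return flagged;
}

// Constructed sample export: two known lures, one unknown mass-posted lure,
// one benign tweet.
const SAMPLE_TWEETS = [
  { user: "alice", ts: "2013-02-19T10:00:00Z", text: "Beyonce valt tijdens het concert van de superbowl, zeer funny!!!! http://lnk.example/a1" },
  { user: "bob",   ts: "2013-02-19T10:05:00Z", text: "topman Voorbeeldbank gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken… zie http://lnk.example/b2" },
  { user: "carol", ts: "2013-02-19T10:07:00Z", text: "Gratis iPad, klik hier http://lnk.example/c3" },
  { user: "dave",  ts: "2013-02-19T10:09:00Z", text: "Gratis iPad, klik hier http://lnk.example/d4" },
  { user: "erin",  ts: "2013-02-19T10:12:00Z", text: "Gratis iPad, klik hier http://lnk.example/e5" },
  { user: "frank", ts: "2013-02-19T12:30:00Z", text: "Koffie en dan naar kantoor." },
];

for (const [user, reasons] of huntCompromisedAccounts(SAMPLE_TWEETS)) {
  console.log(user, "->", [...reasons].join(", "));
}
```

Flagged accounts should be treated as running the malware rather than merely having a leaked password: since the tweets were posted through the victim's own authenticated session, a password reset alone does not evict the attacker, and the infected machine has to be cleaned first.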

The malware behind this campaign has previously been used as financial malware that steals user credentials and targets their financial transactions. This particular variant appears to be geared instead to spreading across Twitter.

Credit: TNW