Thursday, May 25, 2017

Twitter URL Shortening being utilized by spammers

Andrew Conway of San Francisco-based Cloudmark, an organization that provides security against email threats, reports that at this time, over fifty percent of the short links blacklisted by the company use Twitter’s service.

He explained that spam using t.co short links comes in waves that last between four and six weeks, one likely reason being the time Twitter needs to recognize the attack and modify its abuse filters to prevent users from reaching malicious pages.

According to Conway, analysis of a sample of 1,200 t.co links gathered in a single week (July 22 – July 29) from emails reported to Cloudmark’s systems as possible spam showed that only 59 of them (about 5%) were recognized as malicious by Twitter, with access to the webpages they pointed to blocked.

81 of the links (7%) were properly used and led to risk-free destinations, but most of them, 1,060 links making up 88%, were functional and redirected to sites that Cloudmark had previously marked as spam; the majority of them are Russian domains.

“The t.co link redirects to a URL on a compromised domain, and that in turn uses a REFRESH meta tag to redirect to the spam landing page. This dual layer of redirection seems to be fooling Twitter. Compromised domains generally have good reputation and legitimate content on other links, so they are less likely to be blocked outright, but the spammer can use multiple malicious URLs on each one to redirect to his ultimate landing page,” stated Conway in a blog post.

All of this makes the malicious campaign somewhat harder to detect, and it is much harder to disrupt its activity by blacklisting the t.co links that take users to the destinations with phony products.
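The two-layer redirection Conway describes can be unrolled by a filter that follows both HTTP redirects and REFRESH meta tags before checking reputation. The sketch below is an added example, not code from Cloudmark or Twitter; the hosts, the sample responses and the function names are constructed, and `fetch` is an injected callable so the block runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MetaRefreshFinder(HTMLParser):
    """Records the target of the first <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" and self.target is None:
            # content looks like "0; URL=http://host/path" (quotes optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1).strip()

def resolve_chain(url, fetch, max_hops=10):
    """Follow HTTP 3xx and meta-refresh hops; return [(url, hop_type), ...]."""
    chain, seen, hop = [], set(), "start"
    while url not in seen and len(chain) < max_hops:  # stop on loops or long chains
        seen.add(url)
        chain.append((url, hop))
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            url, hop = urljoin(url, headers["Location"]), "http-redirect"
            continue
        finder = MetaRefreshFinder()
        finder.feed(body)
        if finder.target is None:
            break
        url, hop = urljoin(url, finder.target), "meta-refresh"
    return chain

def is_blocked(chain, blocklist):
    """True if ANY hop's host is blocklisted, not only the first redirect target."""
    return any(urlsplit(u).hostname in blocklist for u, _ in chain)

# Constructed responses (placeholder hosts): short link -> compromised site -> landing page
SAMPLE = {
    "https://short.example/abc": (301, {"Location": "http://blog.example/wp/x.html"}, ""),
    "http://blog.example/wp/x.html": (200, {}, '<html><head><META HTTP-EQUIV="REFRESH" '
                                      'CONTENT="0; URL=http://pills.example/buy"></head></html>'),
    "http://pills.example/buy": (200, {}, "<html><body>landing page</body></html>"),
}

def fetch_sample(url):
    return SAMPLE.get(url, (404, {}, ""))
```

A reputation check that stops at the first HTTP redirect sees only the compromised host with its good reputation; checking every hop in the returned chain exposes the landing page behind it.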
