Okay
Ok, so it generates hits on the obfuscated URL. Does that constitute "landing a victim", though?
Twitter scammers have a new weapon with the release of an effective spear phishing tool that lands a victim almost two thirds of the time, dwarfing the usual five-to-fifteen-per-cent-open-rate for spam tweets. The SNAP_R machine learning spear phishing Twitter bot is a data-driven menace unleashed at the Black Hat security …
Let me try an analogy.
It's Monday morning and a colleague says to you "On Sunday I watched a great film."
If you think the colleague has good taste in films, would you
A) Ask "What's the name of the film?" and request that they not tell you anything about it because you're going to watch it, OR
B) Ask them to give you a detailed summary of the plot and critical review?
The _concept_ behind Twitter was actually great:
a) nobody can contact you unless you specifically allow them to contact you
b) messages must be short
That structure makes it easy to ignore people and means that you can quite quickly scan and pick out interesting/relevant info and links.
The only problem is that the concept can't make money, so you get adverts/spam.
This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones. There are some schemes that allow you to see the full URL beforehand, but they're rare, and I can see from a full URL if there's data in there that I do not want to trigger.
Even a "benign" URL from, say, the Guardian quite often contains extra tracking data that you can strip off, but you won't see that in a shortened version.
I partially blame this on not clamping down on domain name hoarders so we end up with http://theridiculouslongdomainnamesbecausetheshorteronesarehoarded.com which promotes the use of shorteners to keep the Net usable.
This is not a new risk, which is why I do not accept shortened URLs from anyone but those who I know to not pass on 3rd party ones.
The problem here is trusting any URL, especially one presented to you in an app. The reason CLICK HERE is used so often is that social engineering works for everyone, not just evil hackers.
There are manifold further problems with URLs: If I sent you a link to example.com/thisisreallysafe/ how do you know I am not going to use a dynamic rewrite to send you to example.com/thisisreallybadshiz ? Do you mitigate this by only going to links on sites you already know and trust the TLD?
Millions of people click on links to new sites and services every day. Few are as obvious as example.com/exploitkitpage.
@AC - The problem is everyone will click on a link about something from a "trusted" source but only a very small number need to be malicious to bad guys to nail enough users. It is realistically impossible to be able to vet every link in tweets, emails, posts, etc.
Since when did 'between 30-60%' constitute nearly two thirds?
Two thirds is 67% rounded up, so 60% is "near-ish".
Have I stumbled onto the Daily Mail in error?
The article contained words with more than two syllables and its headline wasn't all in capitals, so no :).
Besides, they would have considered two thirds "the whole world".
@AC
Yes, I get that 60% is near 67%, which is two thirds (if you ignore the 10% variation of course, but what's that amongst friends), except the article stated the values as between 30-60%; take a median and you're at 45%, so less than half.
It just seems to me to be a bit of a stretch to claim two thirds from the values on offer. Try making assumptions like that in an academic piece and see where it gets you.
It wouldn't be too much to ask for these major media players to train their users a bit would it?
For example, a PR campaign that uses phishing techniques to push people to a web page that tells them that they "have just been landed, their PC could have been compromised, and oh, by the way, that link you clicked without thinking about it was what got you into hot water"
plus
"Here are a few tips on staying safer"
I know it would be a drop in the ocean, but every little bit helps. The more people do it, the more it seeps into the general mindset of the population that being careful online is as important as not leaving your wallet on a bus seat.
"Offensive security research, even among white-hat hackers, has helped the community to 'think like attackers' and enhance defensive technologies. However, this research comes at a significant cost and there are new arguments emerging that the work of the benevolent security research community is driving down the cost and complexities of attacks against computer networks.
There is a growing sentiment that the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems. " - Virus Bulletin.com
Sorry if I am being too literal. Feeling a wee bit Vulcan today.
Given that this tool will likely create a reasonably relevant Tweet which presumably would send me to a compromised page, how the hell am I supposed to protect myself against this?
Harden your device - patch, control permissions, lock down apps, go via a proxy/firewall and have an up to date, working, AV.
Don't focus on the short URL threat, otherwise you'll just as easily get pwnd by a Flash-based advert hosted by Yahoo on a legitimate website.
Short URLs are a PR gambit to talk about hacking threats - they aren't significantly worse than clicking on any URL to a website you don't know; even sites you do know can have compromised pages.
Twitter can intercept all hyperlinks and provide a warning page with the resolved shortlink. Something along the lines of "You are now leaving Twitter and being redirected to <<full hyperlink here>>." If the shortlink is from a source that will not let Twitter resolve it, provide an additional warning: "We could not resolve the shortlink to the full hyperlink. Scammers and malware creators often use dodgy shortlinks. Proceed at your own risk."
It would need to be better worded, but you get the idea.
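An added sketch (not part of this thread) of the resolver such a warning page would need: it follows the redirect chain with a hop cap and loop check, falls back to the "could not resolve" wording, and strips the tracking parameters an earlier commenter mentioned. The redirect table, hosts and paths are constructed so it runs offline, and treating utm_ keys as tracking data is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed redirect table standing in for the HTTP 3xx responses a live
# resolver would get from HEAD requests (hypothetical hosts and paths).
REDIRECTS = {
    "https://sho.rt/abc": "https://sho.rt/def",
    "https://sho.rt/def": "https://news.example/story?id=7&utm_source=tw&utm_medium=social",
    "https://sho.rt/loop1": "https://sho.rt/loop2",
    "https://sho.rt/loop2": "https://sho.rt/loop1",
}
TRACKING_PREFIXES = ("utm_",)  # campaign-tracking query keys (assumption: strip these)

def lookup(url):
    """Offline stand-in for a HEAD request: the Location target, or None if not a redirect."""
    return REDIRECTS.get(url)

def strip_tracking(url):
    """Drop tracking parameters so the warning shows only the functional URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.startswith(TRACKING_PREFIXES)]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def resolve(url, fetch=lookup, max_hops=5):
    """Follow at most max_hops redirects. Returns (final_url, chain), or
    (None, chain) on a loop, a fetch error, or a chain that is too long."""
    chain, seen = [url], {url}
    for _ in range(max_hops + 1):
        try:
            nxt = fetch(chain[-1])
        except Exception:
            return None, chain        # resolver could not reach the host
        if nxt is None:
            return chain[-1], chain   # no further redirect: this is the destination
        if nxt in seen:
            return None, chain        # redirect loop
        seen.add(nxt)
        chain.append(nxt)
    return None, chain                # too many hops

def interstitial(url, fetch=lookup):
    """Text for the 'you are leaving Twitter' page described in the comment above."""
    final, _ = resolve(url, fetch)
    if final is None:
        return ("We could not resolve the shortlink to the full hyperlink. "
                "Scammers often use dodgy shortlinks. Proceed at your own risk.")
    return f"You are now leaving Twitter and being redirected to {strip_tracking(final)}"
```

Swapping `lookup` for a function that issues a real HEAD request without auto-following redirects turns this into a live resolver; the hop cap and loop check are what keep a hostile shortener from tying the resolver up.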