Get caught by an experimental security project

Sep 9, 2009 08:27 GMT

Some of the spam bots that roam Twitter on a daily basis have smartened up and are now re-posting other people's legit tweets in order to pass as real users. The discovery was made with the help of a new Twitter security service that is being tested by Errata Security.

Two days ago, an Atlanta-based vulnerability intelligence and consultancy company called Errata Security released an experimental project called TwiGUARD. The service employs in-house-developed technology to scour Twitter for spam and malware threats and build a database from its findings.

The gathered information is used to calculate reputation scores for both Twitter users and links embedded in tweets. The goal is to use these scores to remove offending accounts from a user's followers list or to warn the user about a potentially malicious URL. According to the TwiGUARD website, 1,295,371 accounts have been parsed so far, and the 3,127 tagged as bad are currently being tracked.

Additionally, a general Twitter security status is displayed and updated in real time. This status comprises three potential threat levels: "normal," which means that there are normal levels of malicious activity; "possible threat," meaning increased activity that points to a larger attack coming soon; and "widespread attacks," which is pretty much self-explanatory.

Even though it is in its first stage of development, the technology is already paying off and has helped make some interesting discoveries, for example, that some spam bots are impersonating real people by stealing their tweets.

While recently tracking a "free money"-themed spam campaign, the TwiGUARD analysis tool marked an account spreading it as bad. However, when manually checking the user's feed, David Maynor, Errata Security's CTO, noticed that it appeared to be legit because of other timely and normal-looking tweets.

"Then a lightbulb went off in my head. I copied the non-spam looking posts into the Twitter search engine and found a young lady in Iowa had tweeted the exact quote an hour before. The spambot had simply stolen her tweet and copied it in order to appear as a legitimate person," the researcher notes.

On closer inspection, Maynor found multiple bots that displayed this behavior. He determined that they were tracking the top 10 "Trending Topics" and re-posting the messages of people who replied on those subjects. "I feel like a parent who has been surpassed by his kid. I was fooled by the spambot, but my tool wasn't," the Errata Security expert concludes.
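The check Maynor describes, searching for the exact text of a "normal-looking" tweet and finding that someone else posted it earlier, can be automated as a cross-account duplicate detector. The following is an added example and is not TwiGUARD's code or any Errata Security tool; the tweet records, user names and the copy-ratio threshold are constructed for illustration. Given a batch of tweets, it flags every tweet whose normalized text was already posted by a different account, and then scores accounts by the fraction of their tweets that turned out to be copies, which is the signal that separates a bot padding its timeline from a person who happens to echo a common phrase.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample timeline (hypothetical users and texts, not article data).
# bot_4471 mirrors the earlier behaviour described in the article: it re-posts
# two real users' tweets and mixes in a spam link.
BASE = datetime(2009, 9, 8, 12, 0)
TWEETS = [
    {"user": "iowa_reader", "time": BASE,
     "text": "Loving the first cool morning of fall here in Des Moines!"},
    {"user": "jdoe", "time": BASE + timedelta(minutes=10),
     "text": "Coffee then meetings all day, ugh"},
    {"user": "bot_4471", "time": BASE + timedelta(minutes=60),
     "text": "Loving the first cool morning of fall here in Des Moines!"},
    {"user": "bot_4471", "time": BASE + timedelta(minutes=65),
     "text": "Get FREE MONEY today http://example.invalid/cash"},
    {"user": "bot_4471", "time": BASE + timedelta(minutes=70),
     "text": "coffee then meetings all day, ugh"},
    {"user": "jdoe", "time": BASE + timedelta(minutes=80),
     "text": "Retweeting myself later"},
]


def normalize(text):
    """Lower-case and collapse whitespace so trivial edits by a bot still match."""
    return " ".join(text.lower().split())


def find_copied_tweets(tweets):
    """Return one record per tweet whose text was posted earlier by another user.

    The earliest occurrence of a text is treated as the original author; later
    identical posts from a *different* account are reported as copies.
    """
    first_seen = {}  # normalized text -> (user, time) of the earliest post
    copies = []
    for t in sorted(tweets, key=lambda t: t["time"]):
        key = normalize(t["text"])
        if key in first_seen:
            orig_user, orig_time = first_seen[key]
            if orig_user != t["user"]:
                copies.append({
                    "copier": t["user"],
                    "original_author": orig_user,
                    "text": t["text"],
                    "delay_minutes": (t["time"] - orig_time).total_seconds() / 60,
                })
        else:
            first_seen[key] = (t["user"], t["time"])
    return copies


def account_copy_ratio(tweets):
    """Fraction of each account's tweets that were copied from someone else."""
    copied = Counter(c["copier"] for c in find_copied_tweets(tweets))
    total = Counter(t["user"] for t in tweets)
    return {user: copied[user] / total[user] for user in total}


def suspicious_accounts(tweets, threshold=0.5):
    """Accounts whose timeline is mostly other people's tweets (constructed cutoff)."""
    ratios = account_copy_ratio(tweets)
    return sorted(user for user, ratio in ratios.items() if ratio >= threshold)


if __name__ == "__main__":
    for c in find_copied_tweets(TWEETS):
        print(f"{c['copier']} re-posted {c['original_author']} after "
              f"{c['delay_minutes']:.0f} min: {c['text']!r}")
    print("suspicious:", suspicious_accounts(TWEETS))
```

The ratio matters more than any single hit: one shared sentence between two humans is noise, while an account whose timeline is two-thirds verbatim copies of other people's replies on trending topics, padded around a spam link, is the pattern the article describes. In practice the threshold would be tuned against a labelled set of known-bad accounts rather than fixed at 0.5.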