Links routed and shortened through new service

Mar 10, 2010 15:38 GMT

Twitter has announced that URLs posted via Direct Messages will be screened by a new service, which blocks phishing and other attacks. The links are automatically shortened to a twt.tl form, so that they can be blocked at any point in the future.

Twitter was recently confronted with a wave of highly successful phishing attacks, which abused the Direct Message feature to steal users' credentials. Spam was later posted from the compromised accounts, including some belonging to high profile individuals, who fell victim to the scams.

"First, accounts compromised […] send out messages to all accounts following them. Second, accounts that are newly compromised send out more messages. Third, the scammers behind the phishing attack make an attempt at monetization by sending out spam links instead of links to a fake login page. We fight phishing scams by detecting affected accounts and resetting passwords. However, it's better to stop them before they start," explained Twitter's co-founder Biz Stone back in February.

It seems that Twitter has since developed a more proactive approach to fighting phishing, which should significantly decrease its incident response times. "Today, we’re launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter," announced Del Harvey, director of Twitter's Trust and Safety team.

For now, the new service only impacts Direct Messages and their accompanying email notifications, but it could be expanded in the future. Ms. Harvey explains that the URLs will also be shortened using a fresh twt.tl domain, but our tests revealed that only the ones sent in email notifications are subjected to this treatment.

Routing URLs through a shortening service under Twitter's control is a very practical approach to limiting the window of exposure to an attack. This is because, unlike links included in regular tweets, the ones posted in direct messages are also sent out in the corresponding email notifications. And while Twitter can easily mass-delete instances of a malicious URL from its website, it cannot recall emails that have already been delivered.

Moreover, the notifications are sent from a @postmaster.twitter.com email address, which could be viewed as the company itself propagating malware. With the new service, an attack can be mitigated after the fact by suspending the twt.tl alias of the malicious URL, so that every copy of the link, including those already sitting in inboxes, stops resolving.
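The indirection described above, as an added illustration that is not Twitter's code: links are screened once at submission and replaced by a revocable alias, and a later suspension of the target URL disables every alias pointing at it, which is the only lever left once the notification emails have gone out. The blocklist check is an assumption, since the article does not say how Twitter decides that a URL is malicious; the alias domain and all sample URLs are constructed.

```python
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ALIAS_DOMAIN = "twt.tl"  # domain named in the article; the alias scheme itself is assumed


def canonicalize(url: str) -> str:
    """Lower-case scheme and host and drop the fragment, so one suspension
    also covers trivial variants of the same malicious link."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", parts.query, ""))


class LinkGateway:
    """Indirection layer: every outbound link becomes an alias that can be revoked later."""

    def __init__(self, blocklist=()):
        self.blocklist = {canonicalize(u) for u in blocklist}  # assumed screening source
        self.aliases = {}        # alias -> canonical target URL
        self.suspended = set()   # aliases whose target was later found to be malicious

    def submit(self, url: str) -> Optional[str]:
        """Screen at submission time; return the alias URL, or None if refused outright."""
        target = canonicalize(url)
        if target in self.blocklist:
            return None
        alias = hashlib.sha256(target.encode()).hexdigest()[:8]
        self.aliases[alias] = target
        return f"https://{ALIAS_DOMAIN}/{alias}"

    def resolve(self, alias: str) -> Tuple[str, Optional[str]]:
        """Called on click: ('redirect', url), ('blocked', None) or ('unknown', None)."""
        if alias in self.suspended:
            return ("blocked", None)
        target = self.aliases.get(alias)
        if target is None:
            return ("unknown", None)
        if target in self.blocklist:  # the blocklist may have grown since submission
            return ("blocked", None)
        return ("redirect", target)

    def suspend_url(self, url: str) -> int:
        """Mitigation after delivery: block the URL and suspend every alias that points at it."""
        target = canonicalize(url)
        self.blocklist.add(target)
        hit = [a for a, t in self.aliases.items() if t == target]
        self.suspended.update(hit)
        return len(hit)
```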

Unfortunately, Ms. Harvey did not disclose any technical details about the prevention part of the new service, such as what is used to determine whether a URL is malicious. Is it a blacklist? And if so, is it a public one, one from a security vendor, or a combination of multiple blacklists? Instead, she only credited Bill Farner and Ram Ravichandran, two other Twitter employees, with building the system.

Photo captions: Twitter launches malicious URL filtering solution; Direct Message email notification containing twt.tl shortened URL.