How an innocent tweet can infect thousands

The security world has been flooded over the past few months with breaches and attacks leveraging the social network prowess of Twitter. A recent study revealed that one in four active Twitter accounts is actually used for scams or to serve up malware.
It isn’t surprising, and it’s actually quite boring. It is the same old phishing over and over again. When a new popular social tool comes out, people exploit it. Nothing new here.
What I wanted to give an example of, however, is the potential risk to a particular group of Twitter users. People with Twitter accounts who have a high number of followers are obviously higher-value targets. Bad guys will try to break into these accounts (usually through weak password management or phishing) and then spam their malicious links to the person’s followers.
People with a high number of followers (high-profile people or celebrities) are ‘generally’ aware that their social networks will always be a target of hackers. Look at the Sarah Palin and Paris Hilton email fiascos. Celebrities and high-profile people will have stronger passwords, whether you think they do or not (there are exceptions, as the cases above show!).
So where is all this going? Well I stumbled across this article the other day.
The article shows how Conan O’Brien, who is one of the most followed Twitter users, decided to announce and follow one ‘lucky person’ at random. Not only did all of Conan’s followers see this and click through to her profile, but news stories around the globe started publicising it. At last check, Sarah Killen (http://twitter.com/lovelybutton) now has close to 28,000 followers on her Twitter page. This is a 19-year-old girl from Michigan who had hardly any Twitter followers, is preparing herself for the transition to college and declares she ‘loves to smile and have fun in life’. Her 21-year-old fiancé has also asked Conan to be his best man at the wedding.
Now that’s all well and good. But this got me thinking. I have been around security long enough to know the average person’s lapses in password security. If the passwords aren’t easily guessable, then you can look deeper into their online social personas and start to learn who they are and what they like. You would eventually be able to get that password with simple data mining and a few searches. I mean, almost her entire life and her relationships have been published in detail.
So you can probably figure out what I’m saying. Do you think this girl would have a strong enough password to ward off any potential hackers? Do you think she has been educated in online safety and knows not to click on links from people she doesn’t know? She mentions she has been getting hundreds of emails from newspapers and radio stations asking for interviews and offering her money and prizes. She is saving up money for her wedding, so I’m sure she might at least look at some of these emails. Spear phishing would be perfect in this case IF her password security were stronger than the average person’s. If that still didn’t work, other attacks are available. Due to her newfound stardom, she received a brand new iMac from a generous Florida ‘business man’ to help her with her studies (what business might he be in? The planting-backdoors-on-iMacs business? ;)
Of course, as she gained popularity, she herself or someone else may have become aware of the potential risks, and she may have attempted to secure herself. I don’t know. But one thing I do know is that hackers are opportunists. As soon as they see potential in something, they spring on it. If I were a betting man, I would say someone probably saw this news break and got to work at getting into her account. Maybe they still have access? Maybe not. Who knows.
But who would want to take over her account? Well, speaking of spear phishing, she has 28,000 followers on Twitter. Most of these followers are fans of Conan O’Brien. She could tweet something along the lines of ‘Just met Conan.. ah he is so amazing lol. I look so goofy though <insert malicious link here>’. Next thing you know, 28,000 new clients in a botnet! (Or worse.)
This is why I love Information Security so much. The threat landscape is always changing. You need to use creative logic and think outside the box to become aware of the potential risks we face online today. Good luck LovelyButton!