lolloj - Fotolia
Security researchers have reported further evidence of cyber attackers abusing legitimate tools after the discovery of networks of hundreds of thousands of fake accounts lying dormant on Twitter.
News of the discovery comes just a week after Forcepoint researchers reported that the Carbanak cyber crime group was using Google services to issue its command and control (C&C) communication to malware to evade detection.
Twitter accounts can be used in a similar way, as well as for boosting follower numbers, sending spam or tweeting messages on behalf of groups attempting to influence popular opinion.
“We have seen malware that uses Twitter as the means of communicating with its C&C server – so blocking that communication is not easy as it would mean blocking Twitter,” said Ian Pratt, co-founder and president of security firm Bromium.
The Twitter protocol is perfect for C&C communications because it is all encrypted and it not generally regarded as suspicious, he told Computer Weekly.
“Twitter is a great C&C channel because most organisations allow Twitter and they are not particularly looking at it, and so an attacker can create a fake account to tweet commands to fly under the radar of what most people are looking for,” said Pratt.
The Twitter account networks were discovered by graduate student Juan Echeverria, a computer scientist at University College London, who noted in his research that a large number of Twitter users are bots or accounts that are centrally generated and controlled by a single botmaster.
The research reported on the discovery of a botnet with more than 350,000 fake accounts, dubbed the Star Wars botnet because most of the tweets associated with the bots were random quotations from Star Wars novels.
“These bots exhibit a number of unique features, which reveal the profound limitations of existing bot detection methods,” the research report said.
Echeverria found that tweets from the Star Wars bots often came from places where nobody lived, which would not be detected by existing scanning methods.
Read more about cyber attack tools
- Criminal activity has become the top motivation for distributed denial-of-service attacks as the average attack becomes strong enough to down most businesses.
- Social engineering tops the list of popular hacking methods, underlining the need for continuous monitoring, according to security firm Balabit.
- UK firms are operating from a reactive security posture and tending to symptoms, rather than causes, and yet still believe they can detect threats faster than the industry average.
- Without using any exploits, hackers can turn synchronisation services such as Dropbox, GoogleDrive and Box into a devastating attack tool, warns Imperva.
He believes his findings have significant implications for cyber security, not only because the size of the botnet is larger than those analysed before, but also because it has been well hidden since its creation in 2013.
“More research is needed to fully understand the potential security risks that a large, hidden botnet can pose to the Twitter environment,” the research report said.
Echeverria said it would be irresponsible to assume that the botmaster does not have any cynical or malign purpose.
“In fact, the best we can hope for is that the botnet was created purely for commercial gains,” he wrote. “It is known that pre-aged bots could be sold at a premium on the black market.
“This means the Star Wars bots are perfectly suited to be sold as fake followers because they are already three years old and therefore more ‘valuable’.”
While there is evidence that some of the Star Wars bots have been sold as fake followers, there is a possibility that the whole botnet could be sold for more malicious purposes.
“The cyber security community must appreciate and assess the potential threats of such events, so that proper remedial procedures can be developed,” the research report said.
Amazing and surprising
Shi Zhou, a senior lecturer from UCL who oversaw Echeverria’s research, said it was “amazing and surprising” to discover the huge networks.
“Considering all the efforts already there in detecting bots, it is amazing that we can still find so many bots, much more than previous research,” Zhou told the BBC.
He said Twitter deserved praise for its work on finding and eliminating bots, adding that it was clear the hackers behind the Star Wars botnet had found ways to avoid detection.
More recent research has uncovered a bigger network of bots that appears to include more than 500,000 accounts.
A Twitter spokesman told the BBC that the microblogging service had a clear policy that prohibited automated responses that was strictly enforced. “Although we have systems and tools to detect spam on Twitter, we also rely on our users to report spamming,” he said.