
Evil Twitter… Finding malware amongst the maelstrom..

Would it surprise you to know that yesterday, more than 5000 tweets were posted with URLS which would have dropped you on sites which distribute malware?

It was only a small portion of the total number of tweets containing URLs (around 2.5 million or so), and there were an additional ~200,000 that went to sites whose status McAfee is not yet sure about (we are busy scanning them, as we do all sites that come to our attention for which we don't yet have a "reputation"). Still, there were 5000 tweets guaranteed to get you in trouble.

You can perhaps guess that for a while now McAfee, or rather my Innovation Team, has been working on a project to generate some deep analytic evidence from the Twitter fire hose. We're trying to answer the question "how do you apply the concept of reputation to a social media system?" Knowing how cyber-criminals use Twitter to entice people to visit their sites is just the first step in the process.

Our project lets us probe the Twitter stream for malware-related concepts. One thing you can see from the charts below, for example, is that the rate of tweets containing URLs to malware tracks the overall Twitter tweet rate fairly consistently.

Compare that to the known good and currently unflagged sites (a small portion of which may turn into bad sites over the next few days):

If this was not bad enough, the vast majority of these tweets use shortened links, either from Twitter's built-in shortener, t.co, or from one of the hundreds of other link-shortening services such as http://mcaf.ee and http://bit.ly.

Yes, you read that right: people try to propagate malware over Twitter using McAfee's GTI-protected short link service. What are they thinking?

Looking at the average user experience, not only are users unaware that tweets may contain links to malware, but the links are "obscured" by short URL services, making it even easier to be tempted by something like:

"Click here to see pictures of cute puppies – http://mcaf.ee/09db36"

Digging a little deeper, it's interesting to look at the domains these links resolve to. For example, taking all tweets with URLs in the last 24 hours and picking out the top offenders among the known bad URLs (ones guaranteed to get you in trouble):

Curious, don't you think, that there is not one safe, suspicious or unknown tweet pointing to these domains? Every single tweet in the last 24 hours containing a URL to these domains would have dropped you on a known malware site.

In a future blog post I hope to tell you more about the engine we're using to generate this data. It's not as simple as it may seem on the surface (try absorbing hundreds of tweets a second, expanding every URL to work out its final destination, then looking up the GTI reputation of that destination), but I thought this result interesting enough to share.
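To make the pipeline sketched above concrete, here is an added example (my own illustration, not McAfee's engine or any code from the original post) of the three steps it names: pull the URLs out of each tweet, expand each short link through its redirect chain to the final destination, then score that destination against a reputation table and aggregate per domain, which is how a "top offenders" table like the one above is produced. Everything it consumes is constructed so it runs offline: the redirect map stands in for the HTTP HEAD requests and 30x Location headers a real expander would follow, the reputation table stands in for a live lookup against a service such as GTI, and the tweets, hostnames and short links (apart from the http://mcaf.ee/09db36 link quoted earlier) are hypothetical. It also shows the caveat a practitioner hits immediately: a chain that loops or never terminates cannot be scored, so it is reported as suspicious rather than trusted.

```python
"""Expand shortened tweet URLs to their final destination and score them.

Added example, not McAfee's engine. REDIRECTS, REPUTATION and TWEETS below are
constructed stand-ins (hypothetical hosts and short links) so the code runs
offline; a real pipeline would issue HTTP HEAD requests, follow 30x Location
headers with a timeout, and query a live reputation service.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed redirect table: short link -> where it sends the browser next.
REDIRECTS = {
    "http://t.co/abc123": "http://bit.ly/xyz",
    "http://bit.ly/xyz": "http://puppies.example-malware.test/gallery",
    "http://t.co/def456": "http://mcaf.ee/09db36",
    "http://mcaf.ee/09db36": "http://cute-puppies.example-malware.test/pics",
    "http://t.co/ghi789": "http://news.example-good.test/article",
    "http://t.co/loop1": "http://t.co/loop2",   # deliberate redirect loop
    "http://t.co/loop2": "http://t.co/loop1",
}

# Constructed reputation table keyed by registered domain (hypothetical).
REPUTATION = {
    "example-malware.test": "malicious",
    "example-good.test": "good",
}

MAX_HOPS = 10  # bound the chain so a loop or a chain bomb cannot hang the expander


def expand_url(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow the redirect chain from url.

    Returns (final_url, chain, status) with status "ok", "loop" or
    "too_many_hops". A chain that never terminates is reported, not trusted:
    the destination the user would land on was never observed.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None:
            return chain[-1], chain, "ok"
        if nxt in seen:
            return chain[-1], chain, "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def registered_domain(url):
    """Last two labels of the hostname. Fine for the constructed data; production
    code should use the Public Suffix List so 'example.co.uk' is not collapsed
    to 'co.uk'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url, reputation=REPUTATION):
    """Expand url and score its final destination: returns (verdict, final, chain)."""
    final, chain, status = expand_url(url)
    if status != "ok":
        return "suspicious", final, chain
    return reputation.get(registered_domain(final), "unknown"), final, chain


URL_RE = re.compile(r"https?://[^\s\"']+")


def extract_urls(text):
    """Pull URLs out of tweet text, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


# Constructed sample tweets (hypothetical users and links).
TWEETS = [
    {"user": "puppylover", "text": "Click here to see pictures of cute puppies http://t.co/abc123"},
    {"user": "puppylover", "text": "lol http://t.co/def456"},
    {"user": "newsfeed", "text": "Read this http://t.co/ghi789"},
    {"user": "oddbot", "text": "weird http://t.co/loop1"},
    {"user": "chatter", "text": "no link in this one"},
    {"user": "newbie", "text": "hmm http://t.co/unk000"},
]


def score_tweets(tweets):
    """Return (verdict totals, per-domain verdict counts) over every URL in tweets."""
    totals = Counter()
    per_domain = defaultdict(Counter)
    for tweet in tweets:
        for url in extract_urls(tweet["text"]):
            verdict, final, _ = classify(url)
            totals[verdict] += 1
            per_domain[registered_domain(final)][verdict] += 1
    return totals, per_domain


def top_offenders(per_domain, n=5):
    """Domains ranked by how many tweets resolved to a malicious page on them."""
    ranked = sorted(per_domain.items(), key=lambda kv: kv[1]["malicious"], reverse=True)
    return [(d, c["malicious"]) for d, c in ranked[:n] if c["malicious"]]


if __name__ == "__main__":
    totals, per_domain = score_tweets(TWEETS)
    print("verdicts:", dict(totals))
    for domain, bad in top_offenders(per_domain):
        print(f"{domain}: {bad} malicious, verdict mix {dict(per_domain[domain])}")
```

The per-domain counter is what lets you ask the question posed above, whether a domain has any safe, suspicious or unknown tweets at all or only malicious ones. Note that the domain is taken from the final destination, not from the shortener, so t.co and mcaf.ee only appear as domains when a chain ends there (an unresolvable loop, or a short link with no known target), which is exactly the case the verdict "suspicious"/"unknown" is meant to flag.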

Next for us is looking at user behavior. We can already pick out known "bad actors", accounts which only ever propagate malware, but we are thinking about the problem of users whose tweets are mostly good with the occasional bad one: how do they fit into the equation?

And of course, on the horizon for 2012 are products using this data. Would you like these bad tweets stripped out of your feed, or flagged in your Tweet reader? Would you like known "bad users" and domains automatically ignored?
