As many of our readers know, the Internet is constantly under attack with new threats appearing each and every day.  Blackhat SEO attacks, which intertwine malware campaigns with relevant and timely news items are an everyday thing now.   A year ago, a new Blackhat SEO or trending topic attack targeting the latest search terms on the Internet was an exciting day at the office, but now we have gone as far as developing automated techniques in the labs to detect and protect against these real-time threats.

If you’ve been following our past posts on trending topic attacks,  then you know that we like to get down and dirty in analytics.  So without further ado…

We were alerted of a new trending topic attack today on Twitter by a fellow threat researcher.  Like the past Twitter trending topic attacks, this one was heavily targeting recent news breaking items such as the suicide bombings in Moscow, as well as many other hot topics on the Internet today.

I took an in depth look at the campaign and uncovered some interesting stats on the attack:

  • The attack started on 2/22/10 and is still active today
  • 1,888 Twitter accounts (and growing) have been used to spread the attack URL
  • 835 of the 1,888 accounts used in the attack were non-malicious or robots retransmitting the malicious URL automatically
  • 2,560 malicious tweets were sent out
  • 3,409 target phrases were used in attack
  • 9,588 websites linked back to the malicious sites involved in the attack
  • The malicious links were clicked on 25,854 times.
  • 78% of victims came from the United States, 12% from Korea, and 8% from Germany.

Hundreds of malicious tweets appeared on Twitter coupled with target phrases and links to the following fake codec infection site:

Fake video codec malware
Fake video codec malware

The file served up by the site installs the Adware/SecurityTool rogueware, which Panda Security customers are already protected against.

Analysis

Twitter staff quickly reacted to the campaign today and removed all (or most of) the 2,560 malicious tweets.  Taking a look at the traffic of the incoming clicks, we can see that most of the victims came from the United States followed by Korea and Germany for 2nd and 3rd place.

Twitter Trend Attack : Top Clicks per Country
Twitter Trend Attack : Top Clicks per Country

What was targeted?

If your familiar with my Blackhat SEO research, then you’ve probably seen the tag clouds that I generate to determine what phrases are being targeted.  In the case of Twitter trending attacks, however, it doesn’t make much sense to generate a tag cloud as the phrases are constantly changing with real-time events. Fortunately for us, this is a month long capture, so we’ll take a look and see what was targeted over the past month.

Top 50 phrases out of 3409

Tag Cloud for Twitter Trend Attack
Tag Cloud for Twitter Trend Attack

Top 10 Targeted Phrases

  1. Free (448 mentions)
  2. Teen (384 mentions)
  3. Sex (381 mentions)
  4. Nude (312 mentions)
  5. Porn (305 mentions)
  6. Videos (259 mentions)
  7. Girls (252 mentions)
  8. Adult (229 mentions)
  9. Gay (188 mentions)
  10. Justin Bieber (116 mentions)

As we can see, the most frequently targeted phrases are Free, Teen, and Sex.  It’s obvious from this analysis that while the campaign is actively targeting hot news items, the main focus is to lure those looking for pornography videos on the Internet. This is no surprise to us, as the infection site is a fake codec downloader and it would make more sense to advertise porn videos in order to maintain a higher conversion rate.

What surprised us in this attack?

The most alarming part of the attack was the 25,854 clicks made to the malicious URL.  It caught my attention because the click rate seemed a bit high for 1,888 Twitter accounts spreading the attack URL around.  I took a deeper look and found some major sites helping advertise the malware campaign on the Internet.

Huffington Post : Promoting a Malware Campaign
Huffington Post : Promoting a Malware Campaign

The Huffington Post is one of the sites that inadvertently helped promote the malware campaign on the Internet.   It happened because The Huffington Post has a Twitter stream embed on their site, which matches up similar tweets (what the community is saying) to a story.

Conclusion

Google  recently made some noise about introducing real-time search results, and as a threat researcher, the security implications were the first thing on my mind.  By utilizing real-time search features, cyber criminals are able to take advantage and publish their malicious URL’s on websites which receive millions of viewers (not to mention the SEO benefits) and this is the perfect example to demonstrate that.  Blackhat SEO and Trending Topic attacks are here to stay until search engines and social networks get their act together and start aggressively monitoring and blocking them.   At Panda Security, we have a little motto.  “If the users wants to work in real time, then we must PROTECT in real time. ;”)