Symantec is drawing attention to the latest online threat that uses a "miracle diet" lure to entice careless social network users. According to the company, the scam consists of attracting people eager to lose weight into clicking links that promise effective, revolutionary diets, and then redirecting them to promotional pages that try to persuade them to buy the products.
In this context, cybercriminals prefer social media because it lets them reach a larger number of users, expose their identities and make money. According to Symantec's annual Internet Security Threat Report, more than 552 million identities were exposed online through cyberattacks during 2013.
In the specific case of this threat, Symantec highlights the large number of websites and Twitter accounts that were compromised and used by cybercriminals to spread malicious spam through social engineering. One example of the online attacks was a page designed to look identical to the official Women’s Health site.
Figure 1. Fake promotional page designed by cybercriminals.
In this recent campaign, accounts belonging to athletes, politicians, television producers, bloggers, comedians and other public figures were compromised, allowing the attackers to reach hundreds of thousands of followers of each profile. Celebrities are frequent targets, sought out by criminals to help attract more victims and increase the chances of convincing someone to click their links and perhaps even buy the product that promises major weight loss.
Figure 2. Compromised accounts of two public figures: the first, an American football player, and the second, a model from the United States.
Social Engineering and Pinterest as a Target
Besides Twitter, Pinterest was also hit by the attack. A few weeks ago, TechCrunch published an article on social threats after one of its co-editors had an account compromised and used to post weight-loss photos. Symantec's research found that the image descriptions and the compromised sites acting as redirectors for the scam are the same as those used in the malicious Twitter campaign, so both are believed to be connected to the same cybercriminals. To help users avoid becoming victims of cybercrime on social networks, Symantec offers the following tips for safe online behavior:
For regular users:
For website owners:
For more information see this blog post or contact Symantec's communications agency to arrange an interview with a company spokesperson.
Last week, a large number of Twitter accounts were compromised and abused by spammers to spread "miracle diet" spam. The compromised accounts were not limited to celebrities; ordinary Twitter users' accounts were affected as well.
Figure 1. Twitter "miracle diet" spam
Déjà vu
Diet spam is nothing new; it appears on various social networking sites, and Twitter is no exception. Over the years, Symantec has seen a wide variety of campaigns repeatedly try to cash in on the latest diet craze. In this case, the spammers are trying to sell garcinia extract through a page designed to look just like the Women’s Health website.
Figure 2. Fake promotional page used by the spammers in this attack
Notable accounts compromised
In this spam attack, accounts of well-known figures such as athletes, politicians, television producers, bloggers and comedians were compromised and used to spread the spam explosively to hundreds of thousands of followers.
Figure 3. Compromised accounts of two public figures
Many of the tweets carried messages such as "I couldn’t believe it when I lost 6 lbs" and "I was skeptical, but I really lost weight!", followed by a URL shortened with Bitly.com.
Celebrities and public figures are often used to endorse products. Among the compromised accounts was that of Jamie Eason, known as the World's Fittest Model. Spammers who break into accounts like Jamie's try to induce users to click the links, spread the spam further and, if possible, buy the diet product.
Some of the affected celebrities simply deleted the spam tweets, while others openly admitted that their accounts had been compromised.
Well, I *did* lose some weight recently. (No idea where that came from.)
— Jason Kottke (@jkottke) April 1, 2014
Thank you for tweeting about your recent weight loss strange hacker but please stop. Sorry for those tweets, I got hacked!
— Sebastian Vollmer (@SebVollmer) April 1, 2014
Looks like I got hacked. Sorry about that folks. I was not truly amazed by that diet link.
— JJ Redick (@JJRedick) March 31, 2014
Compromised websites
What sets this spam attack apart from past spam is that the spammers have also compromised a large number of websites, which are used to redirect visitors to the "miracle diet" promotional page.
Figure 4. Compromised website running an unsupported version of Joomla
The websites Symantec confirmed as compromised are running an old version of the Joomla content management system, specifically version 1.5, for which developer support ended in September 2012.
Figure 5. Spam link reveals a vulnerable Joomla extension
The spammer also appears to be targeting a vulnerability in the jNews extension component for Joomla. Symantec has contacted many of the site administrators to notify them of the compromise.
Connection to Pinterest spam
At the end of March, TechCrunch published an article about spam on Pinterest. One of TechCrunch's co-editors had an account compromised and used to pin diet photos. Symantec's investigation found that the image descriptions and the infected sites acting as redirects resemble those used in this Twitter attack, so the two attacks are believed to be the work of the same spammer.
Figure 6. TechCrunch co-editor's compromised Pinterest account
Conclusion
Diet spam is now commonplace, and social networks are an ideal place for spammers to extract money from unwary users. How the spammer compromised this series of Twitter accounts is not yet known, but we recommend following the steps on this page to protect your account. If you run a website, consider migrating your content management system to the latest version. Also apply all security patches, update your extensions, and re-check the directory permissions on your web server.
Symantec continues to monitor this attack and has asked both Twitter and Bitly for assistance.
* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.
Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.
Figure 1. Twitter miracle diet spam
Déjà vu
Diet spam is quite common and can be found on various social networking sites, and Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.
Figure 2. Fake promotional page used by spammers in this campaign
Notable accounts compromised
In the latest spam campaign, accounts belonging to athletes, politicians, television producers, bloggers, comedians and other public figures were compromised, which helped extend the spammers’ reach to hundreds of thousands of followers.
Figure 3. Compromised accounts of two public figures
Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly.com.
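The tweet pattern described above is simple enough to match mechanically: a quoted weight-loss phrase paired with a shortened link. The following Python is an added example, not code from the original post or from Symantec. The sample timeline is constructed, and every shortener host other than Bitly is an assumption added because any shortener hides the real landing page.

```python
import re
from urllib.parse import urlparse

# Phrases quoted in the post's sample tweets, plus a looser "lost N lbs"
# pattern so minor rewordings still match.
SPAM_PHRASES = [
    re.compile(r"couldn'?t believe it when i lost \d+ ?lbs?", re.I),
    re.compile(r"i was skeptical,? but i really lost weight", re.I),
    re.compile(r"\blost \d+ ?(?:lbs?|pounds)\b", re.I),
]

# Bitly is the shortener named in the post; the other hosts are an
# assumption (common shorteners a practitioner would also watch).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "j.mp", "goo.gl", "ow.ly", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def shortened_links(text):
    """Return the URLs in the text whose host is a known link shortener."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            hits.append(url)
    return hits


def classify_tweet(text):
    """Flag a tweet as suspect only when a diet phrase AND a shortened link co-occur.

    Either signal alone is noisy: athletes talk about losing weight, and
    shortened links are everywhere on Twitter."""
    phrase_hit = any(p.search(text) for p in SPAM_PHRASES)
    links = shortened_links(text)
    return {"phrase": phrase_hit, "short_links": links, "suspect": phrase_hit and bool(links)}


def scan_timeline(tweets):
    """Return the subset of tweets flagged as suspect, preserving order."""
    return [t for t in tweets if classify_tweet(t)["suspect"]]


# Constructed sample timeline for the demonstration; these are not real tweets.
SAMPLE_TWEETS = [
    "I couldn't believe it when I lost 6 lbs! http://bit.ly/1abCDeF",
    "I was skeptical, but I really lost weight! http://bit.ly/2ZyXwVu",
    "Great game tonight, thanks everyone! http://bit.ly/3gameNt",
    "Lost 10 pounds training for the marathon, no link needed",
    "New post on the blog: http://example.com/2014/04/garden-update",
]

if __name__ == "__main__":
    for tweet in scan_timeline(SAMPLE_TWEETS):
        print("SUSPECT:", tweet)
```

In a real triage pipeline the next step is to resolve each shortened link (a HEAD request following redirects) and compare the final host against the list of compromised redirector sites; that step needs network access and is left out here.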
Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts included Jamie Eason, known simply as the World’s Fittest Model. By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product.
While some of these notable figures simply removed the spam tweets, others were transparent enough to admit that their accounts were compromised:
Well, I *did* lose some weight recently. (No idea where that came from.)
— Jason Kottke (@jkottke) April 1, 2014
Thank you for tweeting about your recent weight loss strange hacker but please stop. Sorry for those tweets, I got hacked!
— Sebastian Vollmer (@SebVollmer) April 1, 2014
Looks like I got hacked. Sorry about that folks. I was not truly amazed by that diet link.
— JJ Redick (@JJRedick) March 31, 2014
Compromised websites
What makes this particular spam campaign stand out from others we’ve seen in the past is that the spammers have compromised a large number of websites that are being used to redirect people to their miracle diet promotional pages.
Figure 4. Compromised website running an unsupported version of Joomla
The compromised websites we found are running older versions of the content management system Joomla, specifically version 1.5, which stopped receiving support from the developers back in September 2012.
Figure 5. Spam link reveals vulnerable Joomla extension
It would also appear that the spammers have targeted a vulnerability within the jNews Joomla extension. We have reached out to a number of the sites to inform them that they have been compromised.
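Two checks follow from the Joomla findings in this section: identifying which Joomla release a site runs, and recognising links that are served through the jNews component. The following Python is an added example, not Symantec's tooling. The HTML head, the version.php fragment and the redirect URLs are constructed (the file and task names in the URLs are hypothetical), and the end-of-life dates for Joomla 1.0 and 2.5 come from the project's own announcements rather than from the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# Joomla releases whose upstream support has ended. 1.5 (September 2012) is
# the release the post names; 1.0 and 2.5 are added from Joomla's own
# announced end-of-life dates.
EOL_RELEASES = {"1.0": "July 2009", "1.5": "September 2012", "2.5": "December 2014"}

# Older Joomla releases announce themselves in the HTML head, e.g.
#   <meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
# Newer releases keep the tag but drop the version number.
GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']Joomla!\s*([\d.]*)""", re.I)

# The $RELEASE property in libraries/joomla/version.php (1.5) or
# libraries/cms/version/version.php (2.5, 3.x), e.g.  var $RELEASE = '1.5';
RELEASE_RE = re.compile(r"""\$RELEASE\s*=\s*['"]([\d.]+)['"]""")


def release_from_html(html):
    """Return the release from the generator tag, 'unknown' if the tag carries
    no number, or None if the page does not identify itself as Joomla."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    return m.group(1).rstrip(".") or "unknown"


def release_from_version_php(source):
    """Return the release string from a Joomla version.php file, or None."""
    m = RELEASE_RE.search(source)
    return m.group(1) if m else None


def eol_note(release):
    """Return the end-of-support date for an EOL release, or None if supported/unknown."""
    return EOL_RELEASES.get(release)


def points_at_jnews(url):
    """True when a URL is served by the jNews component, either through its
    component directory or through Joomla's option=com_jnews router parameter."""
    parsed = urlparse(url)
    if "/components/com_jnews/" in parsed.path.lower():
        return True
    return any(o.lower() == "com_jnews" for o in parse_qs(parsed.query).get("option", []))


# Constructed samples in the 1.5 layout; neither is copied from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<title>Constructed sample</title></head><body></body></html>"""

SAMPLE_VERSION_PHP = """<?php
class JVersion {
    var $PRODUCT   = 'Joomla!';
    var $RELEASE   = '1.5';
    var $DEV_LEVEL = '26';
}
"""

# Constructed redirect URLs; the file and task names are hypothetical.
SAMPLE_LINKS = [
    "http://example.com/components/com_jnews/includes/sample.php",
    "http://example.com/index.php?option=com_jnews&task=sample",
    "http://example.com/index.php?option=com_content&view=article&id=1",
]

if __name__ == "__main__":
    rel = release_from_html(SAMPLE_HTML)
    print("generator says Joomla", rel, "- EOL since", eol_note(rel))
    for link in SAMPLE_LINKS:
        print("jNews" if points_at_jnews(link) else "other", link)
```

The generator tag is the remote check (one GET of the front page); version.php is the check a site owner runs on their own install. A site that hides the generator tag is not necessarily current, so treat "unknown" as "verify locally", not as "safe".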
Connection to Pinterest spam
Last week, TechCrunch published an article about spam on Pinterest. One of their co-editors’ accounts was compromised and used to pin weight loss photos. Based on our research, the image descriptions and the compromised sites acting as redirects are similar to the ones used in the Twitter campaign, so we believe that both campaigns are connected to the same spammers.
Figure 6. TechCrunch co-editor’s compromised Pinterest account
Conclusion
Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users. While it is still unclear how the spammers compromised these Twitter accounts, Symantec Security Response advises users to follow these steps to secure their accounts. For website owners, consider using the most recent version of your content management system, apply all security patches, update your extensions, and review the directory permissions on your Web servers.
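The last piece of that advice, reviewing directory permissions, is easy to script. The following Python is an added example, not part of the original post. It audits a web root for world-writable directories and files, a configuration.php readable by other local users, and PHP files sitting inside world-writable directories (that last check goes beyond the post's wording but is the usual follow-up, since a writable upload directory is where dropped scripts end up). It builds its own constructed, deliberately misconfigured sample tree so it runs stand-alone.

```python
import os
import stat
import tempfile


def audit_webroot(root):
    """Walk a web root and return sorted (finding, relative_path) tuples for:
    world-writable directories or files, a configuration.php readable by
    other users, and PHP files inside directories writable by the world."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_world_writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        if dir_world_writable:
            findings.append(("world-writable directory", rel_dir))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append(("world-writable file", rel))
            # configuration.php holds the database credentials and secret key.
            if name == "configuration.php" and mode & stat.S_IROTH:
                findings.append(("configuration.php readable by others", rel))
            if name.lower().endswith(".php") and dir_world_writable:
                findings.append(("php file in world-writable directory", rel))
    return sorted(findings)


def build_sample_root():
    """Create a constructed, deliberately misconfigured Joomla-like tree in a
    temporary directory and return its path (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    layout = {
        "index.php": 0o644,
        "configuration.php": 0o644,   # secrets readable by every local user
        "images/upload.php": 0o644,   # PHP dropped into an upload directory
        "cache/page.cache": 0o666,    # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)   # set explicitly so the umask does not interfere
    os.chmod(os.path.join(root, "images"), 0o777)   # world-writable directory
    os.chmod(os.path.join(root, "cache"), 0o755)
    return root


if __name__ == "__main__":
    for finding, rel in audit_webroot(build_sample_root()):
        print(f"{finding}: {rel}")
```

Run it against the real document root as the web server's user; anything reported as world-writable should be tightened to owner-writable only, and configuration.php should be readable by the web server user alone (typically mode 0640 with the web server's group).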
We are continuing to monitor this campaign and have reached out to both Twitter and Bitly to provide assistance.