Twitter URL Shortening Service Being Utilized in Phishing Campaigns

Introduction

Impersonation of a known brand is a common tactic used in phishing emails. In this type of attack, the attacker poses as a trusted individual or organization in an attempt to gain the victim's trust. Typically, threat actors will use official images and copy the structure of legitimate emails to make the impersonation more convincing. The goal of these emails is to trick the user into clicking a link and sharing credentials.

Frequently URL shortening services are used to make malicious URLs seem more trustworthy and harder to detect. In recent weeks we have noticed a trend of new phishing emails utilizing Twitter’s URL shortening feature as an attempt to bypass URL detection. This is allowing attacker’s to create URLs that are using Twitter’s domain to redirect to malicious websites.

What is t.co?

According to the t.co website, it states:

“Twitter uses the t.co domain as part of a service to protect users from harmful activity, to provide value for the developer ecosystem, and as a quality signal for surfacing relevant, interesting Tweets.” [1]

All URLs shared on Twitter’s will use this shortened version:

“Links shared on Twitter, including links shared in Direct Messages, will automatically be processed and shortened to an t.co link [2].

One of the unique selling points is that Twitter will automatically scan URLs created:

Having a link shortener protects users from malicious sites that engage in spreading malware, phishing attacks, and other harmful activity. A link converted by Twitter’s link service is checked against a list of potentially dangerous sites. Users are warned with the error message below when clicking on potentially harmful URLs [2].

Despite these claims, it appears that some content is slipping through undetected. While no system is 100% accurate, from what we have observed there has been a noticeable increase.

Why is Twitter Being Utilized to Share Malicious Content?

There are a few different reasons why this campaign has seen a sudden uptick and why it is an effective attack vector.

Known Domain by Security Vendors

The root domain “t.co” cannot be marked as malicious by vendors since this would cause a large amount of false positives. Instead, a multi layered approach needs to be used and the effective URL needs to be targeted instead.

Unfortunately, the effective URL is typically a throwaway phishing page, commonly hosted using IPFS (Interplanetary File System) which is a decentralized, peer-to-peer network for storing and sharing files. The decentralised nature of IPFS makes it even more difficult to detect phishing websites hosted on the network.

Similar to our Twitter situation, this is an example of a legitimate service being used for nefarious reasons. Chaining together multiple different services to craft this type of attack makes for a much more complex detection process.

Internal Issues

There have been several highly publicized internal issues and struggles within Twitter recently. The most notable being the global reduction of the workforce, with close to 50% being let go [3]. These reductions in staff, unrelenting media attention, and the switching off of “bloatware microservices” has created a prime opportunity for attackers to exploit an established brand [4]. It is not clear what microservices were switched off, but there were immediate issues caused by this move such as 2FA codes not being sent via SMS [5]. Threat actors are taking advantage of the current internal struggles to exploit a trusted brand.

Ease-of-Use

Threat actors can use URL shorteners to track the success of their campaigns. Many URL shorteners include built-in analytics tools that allow the creator of the link to see how many people have engaged with their content [6]. In this case, it can be used to help gauge how well their campaign is performing and could potentially reveal that they may need to refine their tactics if there is a low number of clicks.

URLs can be created quickly and easily using Twitter which is an advantage to threat actors. In the event a URL is marked as malicious, a new URL can simply be created. Content that is volatile and changes slightly between each iteration, e.g. unique URLs, can be difficult for vendors to detect. Other methods of detection such as “Fuzzy Hashing” would be more effective to use here. You can find out more about that method here: https://www.meshsecurity.io/blog/fuzzyhashing

‘Tis The Season

Delivery notifications and courier phishing emails are very prominent at this time of year. On the lead up to the holiday period, lots of employees will be receiving a high volume of email delivery notifications, increasing the risk of falling victim to a well-crafted phishing email.

Analysis of Phishing Sample

Here is another phishing example we found utilizing the t.co domain:

1. Subject line is “Shipping Notification” + a reference number which is very typical of what would be seen in a real email.

2. Display name is set to “CustomerServ”. While it may seem like that they forget a space between the words and that there is an accidental typo of the word “service”, this is done on purpose to evade keyword detection security vendors may be using.

3. DHL Logo being used to instil trust.

4. Urgency being used to make the recipient complete the verification asap or else they will not be able to receive their package.

5. “Click Here” to hide the URL from the user. Security vendors scanning the URL will see the destination as a t.co domain (assuming the effective URL is not checked).

6. Footer stating that they will get an email confirmation after payment email has been made to further instil trust.

Conclusion

Threat actors are constantly looking for ways to exploit well known brands to share malicious content. When a company such as Twitter is struggling and under pressure from many different factors, it creates a prime opportunity to carry out attacks. As shown above, phishing campaigns are already circulating using the shortened URLs and it is not clear if any internal steps are being taken to address this uptick . For the security community, stopgaps must be put in place while a more permanent solution is implemented within Twitter, but it is unclear how long this may take.

Sources

[1] “T.CO / twitter,” t.co / Twitter. [Online]. Available: https://t.co/ . [Accessed: 20-Dec-2022].

[2] “Twitter link shortener (T.CO) and how it works | twitter help,” Twitter. [Online]. Available: https://help.twitter.com/en/using-twitter/url-shortener . [Accessed: 20-Dec-2022].

[3] Person and K. P. Sheila Dang, “Twitter lays off staff, Musk blames activists for AD revenue drop,” Reuters, 05-Nov-2022. [Online]. Available: https://www.reuters.com/technology/twitter-start-layoffs-friday-morning-internal-email-2022-11-04/ . [Accessed: 20-Dec-2022].

[4] E. Musk, “Part of today will be turning off the ‘microservices’ bloatware. Less than 20% are actually needed for twitter to work!,” Twitter, 14-Nov-2022. [Online]. Available: https://twitter.com/elonmusk/status/1592177471654604800 . [Accessed: 20-Dec-2022].

[5] T. Support, “To clear up confusion about two-factor authentication on twitter –– it's still live and a good way to protect your account. if you have it turned on, your chosen authentication method should be good to go.we're looking into the few cases where SMS codes aren't being delivered.,” Twitter, 15-Nov-2022. [Online]. Available: https://twitter.com/TwitterSupport/status/1592618615521492992?s=20&t=ef8bUoT4WmGqV5dPve0B6Q . [Accessed: 20-Dec-2022].

[6] “Twitter account activity analytics – engagement, impressions and more,” Twitter. [Online]. Available: https://help.twitter.com/en/managing-your-account/using-the-tweet-activity-dashboard . [Accessed: 20-Dec-2022].