Halkyn Security Blog
Specialist Security & Risk Management Consultants

Twitter – Possible social engineering attack

Twitter – email headers

This evening my personal twitter account was hijacked, and malicious users were able to send out direct messages before I got at least some element of control back.

First off, I want to apologise to anyone who got a strange DM from me, telling them to click on a suspicious looking link. I’ve tried to delete them all now and I hope no one clicked on any links.

Although I can't fully confirm this yet, the attack appears to have been the result of following a link to reset my twitter password. The email came from a very legitimate-looking email account and the headers (see image) appear to be from twitter. However, when I did follow the link and reset my password, I was immediately booted into a sort of limbo where I could neither log in nor log out of my account. Eventually I got control back by opening a new browser session and forcing yet another password reset. In the three minutes while I couldn't get access, several direct messages were sent out to people trying to get them to click on a suspicious-looking link.

Twitter password reset email – background

At 2313 (all times UK BST) an email landed in my inbox saying it was from twitter and reporting that they had reset my password:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

Now, at this point I hadn't used my twitter account since 14 October and I certainly hadn't added any new services or visited any websites which needed a twitter login. This meant I was a bit suspicious about the email, so I checked the headers. Everything here checked out – and it still does, which is why I am a bit dubious about this being the attack vector – so at 2320hrs I clicked on the link.

From here, I was taken to a legitimate-looking twitter password reset page. I created a new password and things went a bit strange. When I put the new password in, I was redirected to a login page again, which seemed a bit unusual, but I had no warnings about HTTPS errors or the like, so I tried to log in with the new password.

When I clicked to submit the password, I was immediately bounced back to the login page and this happened a couple of times. After the fourth attempt, I tried to click on the forgotten password link, but I just got a message saying I needed to log out again first – with no mechanism to log out.

At this point I realised something was up and that my twitter account was probably genuinely compromised now. Yes, I can be a bit slow on the uptake.

Twitter account recovery

When the penny finally dropped I started trying to recover my account. First I went to a new browser session, which was clear of any twitter cookies or saved data and requested a password reset. I got the password reset email at 2329, leaving a gap of 9 minutes between when I thought I had reset my password and when I got control of it again.

Twitter – Legitimate message headers

Being a bit paranoid now, I double checked the reset details but with some extra confidence as I had genuinely requested it this time. A copy of the message source is shown in the image here.

Worryingly it was pretty much identical to the previous one. As I didn’t have much to lose, I clicked on the link and reset my password.

This time, it went very differently and I was given proper access as you would expect. Once I had got in (2330hrs), I checked my direct messages and it seems that between 2320 and 2329hrs, my account had been sending out direct messages to my followers asking them to click on a link. Fortunately not that many had been sent (about 3 a minute) which may have been an attempt to avoid detection.

Analysis

Without access to twitter's logs or the like, I can't ever really be sure what happened, but there are clues available.

First off – the malicious direct messages were only sent in the period of time between my click on the first email and the password reset request. This means that the first email has to be treated with some increased suspicion, for the following reasons:

  1. It was unsolicited.
  2. It was unspecific.
  3. It mentioned my twitter user name but not my “name” (which the later, legitimate email did)
  4. It created the sense of panic about my account being compromised.

Despite this, the email has been digitally signed using twitter's RSA key and the URL it referenced looks, to all intents and purposes, to be a legitimate twitter link for password resets.

The only difference I can find between the original message and the second (presumed legitimate) one is in the tracking string attached to it. On the first email, the link has the following appended to it:

?utm_campaign=twitter20080313004041&utm_medium=email&utm_source=resetpwnotice

On the second one, the tracking link reads:

?utm_campaign=resetpw20100823&utm_content=action&utm_medium=email&utm_source=resetpw

However, it is hard to see how this can be converted into an attack vector, so it is probably nothing more than an artefact in the way twitter tracking works.
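As an added example (not code from the original post, and not anything Twitter publishes), here is the kind of triage a reader could run on a reset email like the two above before clicking anything. It pulls the d= domain out of the DKIM-Signature header and the dkim=/spf= verdicts out of the receiving server's Authentication-Results header, extracts every link from the body, checks that each link is HTTPS, carries no user-info trick (https://twitter.com@evil.example shows twitter.com but lands on evil.example) and resolves to a host under twitter.com rather than a look-alike, and lists the utm_* tracking parameters. It then compares the two tracking strings quoted above field by field. The sample message, its sender address, selector, signature bytes and the /account/reset path are all constructed for the example, and the trusted-domain list is an assumption; the code only reads what the headers claim and does not cryptographically re-verify the DKIM signature (that needs the public key from DNS).

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import parse_qs, urlsplit

# Domains a Twitter password-reset link is allowed to land on (assumption for
# this example; extend for your own mail triage).
TRUSTED_DOMAINS = ("twitter.com",)

# Constructed sample, not the message the post describes: sender, selector,
# reset path and signature bytes are all made up.
SAMPLE_EMAIL = """From: Twitter <password@twitter.com>
To: someone@example.com
Subject: Your Twitter password has been reset
DKIM-Signature: v=1; a=rsa-sha256; d=twitter.com; s=dkim; c=relaxed/relaxed; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.example.com; dkim=pass header.d=twitter.com; spf=pass smtp.mailfrom=twitter.com
Content-Type: text/plain

Twitter believes that your account may have been compromised by a website or
service not associated with Twitter. We've reset your password to prevent
others from accessing your account.

https://twitter.com/account/reset?utm_campaign=twitter20080313004041&utm_medium=email&utm_source=resetpwnotice
"""

# The two tracking strings quoted in the post, with the stray spaces removed.
FIRST_TRACKING = "utm_campaign=twitter20080313004041&utm_medium=email&utm_source=resetpwnotice"
SECOND_TRACKING = "utm_campaign=resetpw20100823&utm_content=action&utm_medium=email&utm_source=resetpw"


def is_trusted_host(host, trusted_domains=TRUSTED_DOMAINS):
    """True only for the domain itself or a real subdomain of it.
    twitter.com.evil.example and twitter-com.example both fail this."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage_link(url, trusted_domains=TRUSTED_DOMAINS):
    """Inspect one link and return what a reader should know before clicking it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if "@" in parts.netloc:
        # https://twitter.com@evil.example/ displays twitter.com but goes to evil.example
        warnings.append("userinfo in netloc")
    if not is_trusted_host(host, trusted_domains):
        warnings.append("host %r is not under a trusted domain" % host)
    tracking = {k: v[0] for k, v in parse_qs(parts.query).items() if k.startswith("utm_")}
    return {"url": url, "host": host, "ok": not warnings, "warnings": warnings, "tracking": tracking}


def diff_tracking(query_a, query_b):
    """Field-by-field difference of two query strings; fields that match are omitted."""
    a = {k: v[0] for k, v in parse_qs(query_a.lstrip("?")).items()}
    b = {k: v[0] for k, v in parse_qs(query_b.lstrip("?")).items()}
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def triage_email(raw):
    """Summarise the authentication headers and every link in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    sig = str(msg.get("DKIM-Signature", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    dkim_domain = m.group(1) if m else None
    auth = str(msg.get("Authentication-Results", ""))
    # Only what the receiving mail server claims; this does not re-verify the signature.
    auth_results = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", auth))
    body = "" if msg.is_multipart() else msg.get_content()
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "from": str(msg.get("From", "")),
        "dkim_domain": dkim_domain,
        "auth_results": auth_results,
        "links": [triage_link(u) for u in links],
    }


if __name__ == "__main__":
    report = triage_email(SAMPLE_EMAIL)
    print("DKIM d=", report["dkim_domain"], report["auth_results"])
    for link in report["links"]:
        print(link["host"], "OK" if link["ok"] else link["warnings"], link["tracking"])
    print("tracking differences:", diff_tracking(FIRST_TRACKING, SECOND_TRACKING))
```

The host check deliberately compares against a short allow-list rather than looking for "twitter" anywhere in the hostname, because that is exactly the string a phishing domain is built to contain. Run against the two tracking strings, the diff reports only utm_campaign, utm_content and utm_source; utm_medium is identical in both, which is consistent with the post's reading that the tracking string is an artefact rather than a payload.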

If the email hadn't been compromised in some way, the next alternative is that some form of attack was mounted while the password was being reset. During this time, as far as my browser was showing, I was connected over HTTPS and no alerts were shown.

Unfortunately it is unlikely I will ever get to the bottom of this, and it may have been a problem with a connected service or even a website and all the emails were legitimate – it was just a timing error that meant the attack took place in the gap.

If you have ever been in this situation, I would love to hear about it. Hopefully it can add some more knowledge and help solve the puzzle.

The main lesson here is to be on guard for any suspicious activity with social networking accounts. Even if you get a legitimate email, take time to double check what is happening and if things go wrong, act quickly to regain control.


1 Comment

  1. Sam E
    20 October 2013

    This sounds very much like the way Skype behaves on my laptop, running Windows. Almost every time I sign out or in, it requires me to put in my Microsoft user name and password, promising to “Save” them. It has a “Cancel” button but that doesn’t do anything except show the same screen. So there is no way out of Skype except by handing over my user name and password.
    (They are never saved in any way that I can detect in practice)
    Given the banal nature of my Skype conversations, it seems unlikely that any criminal would get any advantage from masquerading as me on Skype, so I haven’t really bothered with sorting it out. Nevertheless I find it disturbing…..
