
Twitter spam wave - mntmn
https://twitter.com/search?q=seriously%20the%20best%20thing%20I%20have%20ever%20tried&src=typd&f=realtime
======
mntmn
My own timeline was compromised, so I started looking into this. A fake tweet
was posted on my behalf with "Twitter for iPhone" as the source. I haven't had
an iPhone for quite some time, but I used to have the app back in the day
and never revoked access until now.

~~~
mntmn
Update: Automatically got an email from Twitter saying:

> Twitter believes that your account may have been compromised by a website or
> service not associated with Twitter. We've reset your password to prevent
> others from accessing your account.

The spam tweet posted on my behalf was automatically deleted.

(Edit: For reference, the spammy link pointed to a domain called apaloreto dot
info, but led to a 404 in my case)

~~~
icpmacdo
So has it been identified what you hit to cause a hijack of your account?

------
lawl
Luckily my timeline was not affected.

However, I wonder, shouldn't Twitter be able to pick these messages up
automatically fairly fast, after (I assume) hundreds if not thousands of users
have flagged them?

Also, the spammers can't have unlimited IPs. Twitter's anti-spam kinda seems
to lag behind e-mail (subjectively).

Is there a reason the same techniques used in E-Mail aren't applicable to
Twitter?

~~~
mkjones
So I can't speak for twitter, but I work on anti-spam at Facebook, and imagine
the problems we face are relatively similar. It's worth noting that there's a
constant barrage of people trying to send varying degrees of spam. It's not
like there's An Attack all of a Sudden - just occasionally people close to the
HN social network happen to be targeted by something and it's magnified by the
media / hive mind local to us.

> shouldn't Twitter be able to pick these messages up automatically fairly
> fast

Theoretically, sure. As a human looking at an attack, it's usually pretty easy
to pick out "obvious" attributes that they should have been able to catch. But
when you're operating at a scale like ours or Twitter's, even stuff that looks
like it's obviously-indicative-of-badness often has false-positives (posts
flagged as spam that are not). The long tail of weird stuff that a billion
users do can be pretty crazy.

At the same time, the "obvious" attributes of an attack are often very cheap
for an attacker to change. Instead, we try to go after more expensive
resources (domains, source IPs, etc).

> after (I assume) hundreds if not thousands of users have flagged them

Sadly, looking at flags of content is not a silver bullet. The signal is very
sparse (a given spam post is rarely flagged), and nonspam posts are frequently
flagged (religious and political speech are great examples - and they are the
worst kind of false positive if you delete them as spam). These problems can
be somewhat mitigated if you aggregate flags over a dimension that's expensive
for the attacker (domain-posted, IP that posted the content, text shingles),
but even then the recall isn't necessarily great and you could still catch
e.g. controversial political domains.

> the spammers can't have unlimited IPs

True, though you can rent space on a botnet that has many geographically
diverse real-user IPs. Also, I imagine a significant chunk of posts to
Twitter come from apps, many of which each use a single IP to post tons of
content.

> Is there a reason the same techniques used in E-Mail aren't applicable to
> Twitter?

There's definitely some overlap. I'm not an expert at email anti-spam, but in
general it's a relatively different problem. "Traditional" email spam is sent
from some random email address on / via a compromised machine or open relay,
and seems to be relatively well solved. But it sounds like this Twitter
attack was caused by compromised accounts. At least anecdotally, it seems that
email vendors are also not great at detecting this kind of attack. For
example, my gmail account (with arguably the best spam protection in the
industry?) gets a message every few weeks from some compromised friend's
account. (i.e. someone had their email password stolen and the attacker is
using it to "legitimately" send mail after authenticating to that email
service with the correct password).
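As an added illustration of the aggregation idea in mkjones's answer (this is not code from the thread or from any platform mentioned in it): per-post flags are sparse, so flag counts are accumulated over a linking domain, a posting IP and word shingles of the text, and only keys that are both frequent and disproportionately flagged are reported. All posts, IPs and domains below are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample posts (not real tweets, IPs or domains): the same spam text
# from four source IPs and one domain, plus two ordinary posts linking a news site.
POSTS = [
    {"ip": "203.0.113.5", "url": "http://spam-example.test/x",
     "text": "seriously the best thing I have ever tried", "flagged": True},
    {"ip": "203.0.113.6", "url": "http://spam-example.test/x",
     "text": "seriously the best thing I have ever tried", "flagged": False},
    {"ip": "203.0.113.7", "url": "http://spam-example.test/y",
     "text": "seriously the best thing I have ever tried wow", "flagged": False},
    {"ip": "203.0.113.8", "url": "http://spam-example.test/z",
     "text": "the best thing I have ever tried seriously", "flagged": True},
    {"ip": "198.51.100.9", "url": "http://news-example.test/story",
     "text": "long read on the election results tonight", "flagged": True},
    {"ip": "198.51.100.10", "url": "http://news-example.test/economy",
     "text": "great analysis of the economy", "flagged": False},
]

def shingles(text, k=3):
    """Word k-shingles: reordered or padded copies of the spam text still overlap."""
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def aggregate(posts, k=3):
    """Per dimension (domain, ip, shingle): key -> [posts seen, posts flagged]."""
    stats = {d: defaultdict(lambda: [0, 0]) for d in ("domain", "ip", "shingle")}
    for post in posts:
        keys = {
            "domain": [urlparse(post["url"]).hostname],
            "ip": [post["ip"]],
            "shingle": shingles(post["text"], k),
        }
        for dim, dim_keys in keys.items():
            for key in dim_keys:
                stats[dim][key][0] += 1
                stats[dim][key][1] += int(post["flagged"])
    return stats

def suspicious(stats, min_posts=3, min_flag_rate=0.3):
    """Keys seen in enough posts AND with a high flag rate. Any single post is
    rarely flagged, so the thresholds sit on the aggregate, not on the post."""
    hits = []
    for dim, table in stats.items():
        for key, (seen, flagged) in table.items():
            if seen >= min_posts and flagged / seen >= min_flag_rate:
                hits.append((dim, key, seen, flagged))
    return sorted(hits, key=lambda h: (h[0], str(h[1])))
```

With these thresholds the spam domain and the shared shingles surface while each IP (one post apiece) and the news domain (too few posts) do not; a news domain that draws many flags would still surface, which is the false-positive caveat the answer raises.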

~~~
lugg
Could you not identify higher than normal viral scores and run some automatic
checks on the link's content to look for dodgy behavior (i.e. executing like /
share links?) That would still end up with you being in a cat and mouse game
of obscuring dodginess, but it's a start.

Have you guys looked into sharing likelihoods of affected users? In other
words, I rarely share stuff I click on. If a higher than normal number of high
view / low sharers like myself are sharing, it's either extremely popular or it's
spam. (Worth flagging for a manual check)
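Added illustration of the "high view, low sharer" heuristic lugg describes (not code from the thread or from any platform): each user's historical share rate is estimated from constructed view/share counts, and a URL whose sharers are mostly habitual non-sharers is queued for manual review rather than deleted. User histories, URLs and share events are all constructed.

```python
import math
from collections import defaultdict

# Constructed per-user history (views, shares): alice/bob/carol/frank rarely share.
USER_HISTORY = {
    "alice": (400, 2), "bob": (350, 1), "carol": (500, 3),
    "dave": (120, 40), "erin": (200, 60), "frank": (300, 1),
}

# Constructed share events (url, user); the spam URL is shared by non-sharers only.
SHARES = [
    ("http://spam-example.test/x", "alice"), ("http://spam-example.test/x", "bob"),
    ("http://spam-example.test/x", "carol"), ("http://spam-example.test/x", "frank"),
    ("http://news-example.test/story", "dave"), ("http://news-example.test/story", "erin"),
    ("http://news-example.test/story", "alice"),
]

def share_rate(user, prior_shares=1, prior_views=50):
    """Smoothed historical share probability; the prior keeps new users moderate."""
    views, shares = USER_HISTORY.get(user, (0, 0))
    return (shares + prior_shares) / (views + prior_views)

def global_share_rate():
    views = sum(v for v, _ in USER_HISTORY.values())
    shares = sum(s for _, s in USER_HISTORY.values())
    return shares / views

def url_stats(shares):
    """Per URL: sharer count, fraction of below-average sharers, mean -ln(p) surprise."""
    baseline = global_share_rate()
    by_url = defaultdict(set)
    for url, user in shares:
        by_url[url].add(user)
    out = {}
    for url, users in by_url.items():
        rates = [share_rate(u) for u in users]
        out[url] = {
            "sharers": len(users),
            "low_fraction": sum(r < baseline for r in rates) / len(rates),
            "surprise": sum(-math.log(r) for r in rates) / len(rates),
        }
    return out

def review_queue(shares, min_sharers=3, min_low_fraction=0.75):
    """URLs spread mainly by people who rarely share: popular or spam, so a human decides."""
    stats = url_stats(shares)
    queue = [u for u, s in stats.items()
             if s["sharers"] >= min_sharers and s["low_fraction"] >= min_low_fraction]
    return sorted(queue, key=lambda u: -stats[u]["surprise"])
```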

~~~
mkjones
Yep, "URLs shared primarily by not-sharey people" sounds similar to a lot of
classifiers we have.

~~~
lugg
Your job sounds pretty fun I must say.

------
enthdegree
Funny how now the search is full of tweets referencing the "Twitter Spam Wave"

------
eponeponepon
I am not a Twitter user. Can anyone explain what I'm looking at here? The
outcome of malicious Javascript?

~~~
mntmn
My spam tweet had "Twitter for iPhone" API access as the source, and I wasn't
using an iOS device at the time it was posted. It's unclear what actually
happened.

~~~
thefreeman
You don't need to be using an iOS device for someone to use your device's
authentication token to access your account. Sounds like perhaps a
vulnerability leaking OAuth tokens in the iOS client?

~~~
s1kx
I would assume it's just sent through the API with the iOS App's app
credentials (they are open and out there). That specific set of app
credentials allows the OAuth endpoint for email + password sign in through the
API. Maybe some other database got hacked and the user credentials were used
on Twitter.

------
mahouse
The bit.ly link is marked as spam and shows a warning, and then the shortened
link doesn't load at all. The spammer failed :P

~~~
themoonbus
I additionally went through a Twitter warning before I got to the bit.ly
warning.

------
jhdkjqhkjqhwk
I don't twitter, but whenever I'm shown a tweet I'm astounded at the amount of
redirection involved in linking.

------
rplnt
This link to search over dynamic content is as pointless as those "service x
is down" linking to service x.

------
Houshalter
"Seriously the best thing I have ever tried" - what on Earth would be the
purpose of spamming that?

~~~
aalpbalkan
Proof of concept? The attacker might use something else in the future.

------
Kiro
I don't see anything special. Have the tweets been removed? What was it?

