Privacy Digest

News that can impact your privacy.
Trick or Tweet? Malware Abundant in Twitter URLs

Submitted by MacRonin on October 29, 2009 - 5:30pm
Trick or Tweet? Malware Abundant in Twitter URLs: Via Threat Level.

As many as one in every 500 web addresses posted on Twitter lead to sites hosting malware, according to researchers at Kaspersky Labs who have deployed a tool that examines URLs circulating in tweets.

The spread of malware is aided by the popular use of shortened URLs on Twitter, which generally hide the real website address from users before they click on a link, preventing them from self-filtering links that appear to be dodgy.

Kaspersky, an anti-virus and computer security firm based in Moscow, created a tool called Krab Krawler, which extracts URLs from millions of Tweets a day. The tool expands shortened URLs to examine words in the web address for those matching known malware sites. For unknown sites, Kaspersky visits the webpage to determine if it’s hosting malicious code that could infect visitors.

About 26 percent of Twitter messages contain a URL, according to Costin Raiu, chief security expert at Kaspersky. About half of those appear to be generated by spammers or by people with malicious intent, he said. These URLs get spread quickly in re-tweets.

The Krawler, which was first deployed in August, has scanned about 30 million URLs to date. It extracts URLs from multiple threads in Twitter’s public timeline and currently examines about 500,000 unique URLs a day. It crawls the sites linked to from the URLs, and scans the content with Kaspersky’s high-end heuristic programs to detect malware.

Of the URLs examined, between 100 and 1,000 a day are found to be hosting malware, the company said.

The two most popular URLs that the Krawler found posted to Twitter so far passed through the system in September. Both directed users to online dating sites. One of the sites, getiton.com, is known to have hosted malware in the past, Raiu said.

“The website is blocked by quite a few services out there,” he said. “It’s not blocked by the Google API, which is why it’s still present on Twitter.”

The most popular piece of malware spread by Twitter messages is the Trojan-Clicker.HRML.IFrame.ob, which accounts for about 31 percent of the malware found. (See chart above.)

In August, Twitter began using a filtering system developed by Google (Safe Browsing API) to detect malicious URLs on its own. The system checks URLs against a blacklist, and either blocks malicious links from being posted, or warns Firefox and Chrome users to think before they click. The filter works only on URLs that are shortened using Bit.ly, the default and most popular URL shortener on Twitter — it’s backed by the same people behind the microblogging service — or J.mp, an alternative version of Bit.ly that produces even shorter URLs.

Malicious URLs that are shortened with any of the 200 or so other URL shortening services will not be caught with Twitter’s filter, Raiu says, which explains why the majority of malicious URLs currently passing through Twitter are shortened with other services.
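The coverage gap described above, and the extract-expand-match approach the article attributes to the Krawler, sketched as an added example; this is not Kaspersky's or Twitter's code. The redirect table, blocklist, tweets, all `.example` hosts and every function name are constructed for illustration, and a real expander would resolve redirects over HTTP from an isolated fetcher instead of a lookup table.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not real indicators): redirect chains and a blocklist.
REDIRECTS = {
    "http://bit.ly/aaa111": "http://malware.example/landing",
    "http://tinyurl.example/bbb222": "http://hop.example/r?id=7",
    "http://hop.example/r?id=7": "http://malware.example/payload",
    "http://j.mp/ccc333": "http://news.example/story",
}
BLOCKLIST = {"malware.example"}
FILTERED_SHORTENERS = {"bit.ly", "j.mp"}  # the only services the article says are filtered
TWEETS = [
    "Hot topic! http://bit.ly/aaa111",
    "see what it's all about http://tinyurl.example/bbb222.",
    "good read: http://j.mp/ccc333",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_urls(text):
    """Pull URLs out of tweet text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def expand(url, max_hops=5):
    """Follow redirects to the final destination; bounded so loops terminate."""
    seen = set()
    while url in REDIRECTS and url not in seen and len(seen) < max_hops:
        seen.add(url)
        url = REDIRECTS[url]
    return url

def is_blocked(url):
    """Match the host, or any subdomain of it, against the blocklist."""
    h = host(url)
    return any(h == b or h.endswith("." + b) for b in BLOCKLIST)

def shortener_only_filter(url):
    """Model of a filter that only inspects links from selected shorteners."""
    return host(url) in FILTERED_SHORTENERS and is_blocked(expand(url))

def expand_all_filter(url):
    """Expand every link, whichever shortener produced it, then check."""
    return is_blocked(expand(url))

def scan(tweets):
    """Return (url, caught_by_shortener_only, caught_by_expand_all) per URL."""
    return [(u, shortener_only_filter(u), expand_all_filter(u))
            for t in tweets for u in extract_urls(t)]
```

In the sample, the link shortened by the unfiltered service reaches the same blocked host through two hops and is caught only when every URL is expanded before the blocklist check.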

The first Twitter malware was found as early as August 2008, long before the service had reached its current peak popularity. This spring, malware began to appear regularly in “trending topics” lists on Twitter — lists of posts discussing the most popular subjects on Twitter.

“A lot of people will just check the trending topics to see what’s hot and . . . just click on the link to see what it’s all about,” Raiu said.

Once Kaspersky detects a malicious URL, it includes the information in its security tools to protect customers. It can take between two and 12 hours after someone has posted a URL to Twitter for Kaspersky to add the info to its detection tools.

The company plans to expand its Krawler to other social networking sites in the near future.

Graphic image courtesy Kaspersky Lab

Read Original Article:(Via Threat Level.)


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.