Does Twitter's malware link filter really work?

Today, researchers from F-Secure stumbled upon a long-anticipated feature in Twitter's fight against malicious abuse of its service - a malware URL filter preventing automatically registered or compromised legitimate accounts from tweeting known malicious links.

Whenever a Twitter user attempts to post a link to a known malware/phishing URL, an "Oops! Your tweet contained a URL to a known malware site!" message appears and the tweet is blocked.

Does the feature really work? A five-minute test showed disappointing results, making it obvious that it's still in experimental mode.

The MySpace phishing page used in the initial test, www.rnyspece (dot)com, did trigger the filter; however, tweeting it without the www prefix, or even worse with an http:// scheme in front of it, did not trigger the filter, as you can see in the attached screenshot. The malware link filter also doesn't appear to rely on Stopbadware's database of known malicious sites, since I was able to tweet several sites listed as badware without a problem.

A malware alert was triggered only when the link was shortened with bit.ly's URL shortening service; no alert was triggered when TinyURL was used, because TinyURL doesn't check whether submitted URLs are already marked as unsafe by third-party databases such as Stopbadware.org.
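The two failures above (the filter matching only the exact "www." spelling of a bad domain, and shortener links hiding the real destination) are both canonicalisation problems. The example below is added here to illustrate how a posting-time link check can avoid them; it is not Twitter's, F-Secure's or any shortener's code. The blocklist entries, the shortener-expansion table and all domain names are constructed for the example (a real checker would follow the shortener's HTTP redirects and query a feed such as Stopbadware's instead of a static dictionary).

```python
from urllib.parse import urlsplit

# Constructed blocklist of known-bad hosts, standing in for a Stopbadware-style feed.
# These are made-up example domains, not the sites mentioned in the article.
KNOWN_BAD_HOSTS = {"phish.example", "malware-dropper.example"}

# Constructed table of shortener links and their destinations. Assumption: a real
# implementation resolves these by following the redirect chain over HTTP.
SHORTENER_EXPANSIONS = {
    "tinyurl.example/abc12": "http://www.phish.example/login.php",
    "bit.example/xyz": "https://clean.example/",
}


def canonical_host(url):
    """Reduce any spelling of a link to a bare, lower-case host name.

    Handles bare domains ("www.phish.example"), full URLs with a scheme,
    user-info and port, mixed case, a trailing dot and the "www." prefix, all of
    which an exact string match treats as different links.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url            # bare "www.phish.example" becomes parseable
    host = urlsplit(url).hostname or ""  # drops scheme, user-info, port, path, query
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def expand_shortener(url):
    """Return the destination of a known shortener link, or the url unchanged."""
    key = url.split("://", 1)[-1].rstrip("/")
    return SHORTENER_EXPANSIONS.get(key, url)


def naive_filter_blocks(url, blocklist=KNOWN_BAD_HOSTS):
    """The behaviour observed in the article: only the exact 'www.host' string is caught."""
    return url in {"www." + h for h in blocklist}


def tweet_link_blocked(url, blocklist=KNOWN_BAD_HOSTS, max_hops=5):
    """Decide at posting time whether a link should be refused.

    Canonicalises the host, and expands shortener links (bounded number of hops,
    loop-safe) so the check runs against the final destination rather than the
    shortener's own domain.
    """
    seen = set()
    for _ in range(max_hops):
        if canonical_host(url) in blocklist:
            return True
        expanded = expand_shortener(url)
        if expanded == url or expanded in seen:
            break
        seen.add(expanded)
        url = expanded
    return canonical_host(url) in blocklist


if __name__ == "__main__":
    samples = [
        "www.phish.example",                         # the one spelling the naive filter catches
        "phish.example",                             # no www prefix
        "http://www.phish.example",                  # scheme in front
        "HTTP://user@WWW.Phish.Example:8080/x?y=1",  # mixed case, user-info, port, path
        "http://tinyurl.example/abc12",              # shortener pointing at the bad site
        "http://bit.example/xyz",                    # shortener pointing at a clean site
    ]
    for link in samples:
        print(f"{link:45} naive={naive_filter_blocks(link)!s:5} canonical={tweet_link_blocked(link)}")
```

Only the first sample survives the naive check; the canonical check refuses every spelling of the bad domain and the shortener link that resolves to it, while still allowing the shortener link that resolves to a clean site.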

Although Twitter's own malware filter is clearly still in development, it's an indication that Twitter is finally moving from reactive security practices (blocking Twitter users who tweet malware links once the campaign starts) to proactive ones (preventing the campaign from ever happening, though only if the cybercriminals are using known malware domains). Integrating Stopbadware and related databases of known malware domains would not prevent the abuse of Twitter in the long term, since cybercriminals in fact monitor blacklisting notifications for their sites. However, not taking advantage of the 381,815 sites already marked as unsafe is clearly a missed opportunity.

"Wait and see" is no longer an option. A case in point is the Koobface worm's recent Twitter campaign, with the gang behind it understanding the true potential of trust relationships in a social networking environment. The campaign was briefly interrupted by a coordinated takedown of key Koobface command and control servers, prompting them to reconsider their tactics.

It's only a matter of time until they launch another campaign. The question is - can Twitter handle it?

Topics: Social Enterprise, Malware, Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community.
