By: C. Shawn Eib and Eric Ellason

Every online platform has at one time or another dealt with their systems being misused by cyber criminals, either for hacking accounts, sending out spam, or infecting other users. The Twitter platform is no different and is also not immune to these problems. Less well known than Facebook apps, Twitter apps have been around almost since its inception. The first version of its Application Programming Interface, or API, was released in September, 2006; the Twitter API has since become something of a standard for REST API implementations. Twitter has made numerous changes and enhancements to its API since that first release, including the switch to using OAuth authentication for app permissions and password-less website logins; but one problem that has plagued the platform for years is still present: malicious apps.

In August 2011 Huffington Post published on article on malicious Twitter apps designed to spread spam through unauthorized posts. Malicious Twitter apps are by no means a new phenomenon and have been going on for years. A recent wave of apparent unauthorized Twitter postings caught our attention and prompted us to look further into whether these postings were from one or more malicious apps. The first one we identified was called Confirm Your Age. An example of a tweet from this app, dated November 18th, 2017, can be found here: https://twitter.com/isagirl_v/status/931709610301542400. Here is a screenshot.

A few things to point out: while the text appears to be in English, there’s a prompt to translate it from Vietnamese. Also, the link uses the account’s Twitter user name as a subdomain. This pattern was true for all of these posts, as also shown here in a more recent tweet from May 21st, 2018:

Isabella, the owner of the account @isagirl_v in the first screenshot, was kind enough to speak to us regarding her experience. Isabella is a FreeBSD system administrator, and is quite knowledgeable regarding online security. When asked, she did not recall experiencing the standard OAuth approval screen apps are supposed to display in order to get permission to use your account, nor a password login screen, though given the 6 month delay between her post and our discussion, could not be 100% sure of it. She was immediately wary of the app, and once it had posted the link shown above, she both tweeted about it to @twittersupport, and reported it through the contact link provided on a Twitter page regarding revoking app permissions. We found similar complaints in late 2017.

Fellow security researcher and collaborator, Eric Ellason of SlickRockWeb, identified six Twitter accounts in late May of 2018 that all had unauthorized Twitter postings using links similar to what we describe above. The affected person’s twitter handle was used as the subdomain in the spam link. What he found was that all six of these accounts (including @AJagdamba) had an identical odd Twitter client show up in the client list of the account when analyzed using the python script tweets_analyzer.py by security researcher @x0rz. The client name was Confirm Your Age shown below, identical to what was described by @isagirl_v back in late 2017.

Most of the initial spam links we discovered in late May 2018 used the following structure:

[users-twitter-handle].adnew[x].ga where x represented a single numeric value.

Our investigation would go on to identify additional domains involved such as adnew*.ga, newlife*.ga, mytube*.ga, twitter-tube(.)ga, satube(.)ga, and others (the * in these domains represents a number).  Generally there would be 5 sites for any given naming convention, mylife1(.)ga, adnew4(.)ga, etc). These all pulled their content from the domain ad4adult(.)com, registered through GoDaddy on Christmas eve, December 24th, 2017, allegedly to someone in Portland, Oregon with an Egyptian phone number. Primarily using DigitalOcean for hosting ad4adult(.)com, they also at times would use smaller providers, such as a company called StackPath, LLC based in Dallas TX, though this is only shown in historical hosting data. Many of the .ga domains (which do not offer Whois data) were hosted through Amazon Web Services. Some of the adnew domains used Cloudflare and were registered through Freenom.

Looking closer at ad4adult(.)com, an interesting file was public facing, ad4adult(.)com/localhost.sql. This SQL database file, which had last been updated in late January, contained the API keys for 65 different Twitter apps, a list of 21,482 users called “auto users” with fields separating them into “tweet’ accounts and “slave” accounts, and a list of 43,588 accounts in a section named buckets, with far less data on each account, the most interesting field labeling them as “alive” or not. Between the use of the “buckets” terminology, and an unpopulated list titled amazon, it appears the actor was utilizing Amazon Web Services for this spam campaign, which fits with what was found regarding the .ga domains. The @isabella_v account was found within this database, strengthening the connection between the Confirm Your Age app and the database in question.

Reports were made to Twitter regarding this, including this thread by Eric Ellason from May 21st, 2018 https://twitter.com/slickrockweb/status/998597902967754753. By this time, the spam links were no longer active and we were unsuccessful in intentionally infecting an account to see the process in action. Between the reports to Twitter, and the fact that the links had gone dead, we thought this would be the end of it. It was not.

As we investigated further, we continued to find accounts or see reports of accounts experiencing the same issue, either having tweets with links posted to their account without authorization, or retweets from other accounts. The domains they linked to did not use the .ga top level domain, but some of the naming conventions were similar. However, a few key differences soon became apparent, making attribution of these other spam apps to the creators of Confirm Your Age impossible at this point. There has been no sign of the use of the accounts user name as a subdomain in the links being sent out recently by these new apps. The content being posted is tamer, more akin to the ice skating link shown in the second Confirm Your Age example. The operators also appear to have gotten more sophisticated in their attempts to hide their activities. For instance, one site currently in use is buzzme(.)fun. Searching Twitter for this domain, often reveals no results. Search again 10 minutes later, and 25-50 accounts have all posted links to content using this domain. Approximately 45 minutes to an hour later, all the tweets are deleted. The accounts where this behavior was observed were all based in Europe, and this was being observed at approximately 11pm Central Standard Time in the United States, so most of these users would have been asleep when these were posted. When they woke up, all signs of the tweets had been deleted. Also, only accounts with at least 3 or more hours of inactivity appear to have been used (one exception to this, an account in California who was active during this period, was observed; they have not responded to our request to speak with them and as such cannot provide any further insight into why their account was an aberration).

This newer batch is centered around the domain trendii(.)net, hosted at the IP address 162.241.233.51. This IP is provided by Unified Layer out of Provo, Utah. The Whois information for this IP shows it registered to “trendii.net” as the organization, with an email address of kimak@live.com. They also previously used the IP 192.163.215.81, which is another Unified Layer IP. The email address and IP are affiliated with at least the following domains:
tweets.one, appstico.com, tweets.best, smile.fans, promotions.news, clapco.net, advertisement.today, promos.media, trendii.net, videoads.today, ozzii.net, trending-tweets.com, ooo.fans, sponsored.today, hooman.buzz, ads-twitter.co, buzzme.fun, trendico.net, beunique.mk, hooman.lol, sponsored-tweets.today, buzzit.fun, adverts.video, brightii.com, flirtico.com, bibico.net, clapco.co, trending-twitter.video, trending-now.live, facebook-trending.com, promoted-video.com, twitter-trending.video

This is not necessarily a complete list of their domains; others may currently exist or be created in the future. The manner in which they display their posts is interesting: if you’re using a browser or have show previews enabled, you’ll see what appears to be a link to a video with a number of views on top of it, along with a link to one of the above domains. In reality the picture is being pulled from hooman(.)lol, and the link is actually the following simple PHP file, as retrieved using wget (from the URL: buzzme(.)fun/bb.php):

Note the name of this PHP file changes often and appears to fall under this naming convention, where x represents one or two letters.  buzzme(.)fun/[x]{1,2}.php

Using a basic meta refresh redirect, the user ends up at the site peoplebuzz(.)press. Because this is a PHP file there may be other hidden server-side executable code embedded in these PHP redirect files with unknown directives. Once redirected to peoplebuzz(.)press the details.php page aggregates multiple YouTube videos, along with displaying ads. If you are logged into Twitter, you’ll be able to see the video, and are given an option to tweet it to your followers as shown below:

If you are not logged in, the following screen prompting you to login will be displayed:

If you’re not logged in and click the “Login With Twitter” option, this screen is presented:

It is at this stage where the user is apparently asked to allow a malicious Twitter app access to their account. The OAuth screen presented above is asking for permission to read the timeline as well as post to it, update the profile, and see who the account is following and who follows them. It appears as though you are authorizing an official app directly from Twitter, named Twitter Video. The problem is that no such legitimate app exists. It is also possible that this same process occurs for other fake apps like Twitter for Mobile or Confirm Your Age.

Apps masquerading as Twitter Video have been circulating since at least December, 2017 per this article from The Verge. There is strong evidence that this is the same group, as there is an account @hooman_lol shown below (same as the domain in the URL in the PHP code above), which tweeted a link on June 27th, 2018 to the same video referenced by the Verge article with the link address going to buzzit(.)fun.

The only difference between the authorization presented above and the one reported in December is that access to direct messages has been removed. Once this fraudulent app is installed, it’ll begin to post from the compromised account, and with the behavior of posting while the user is inactive and then deleting the post sometimes less than an hour later. Many users may not even notice that this is occcuring.

An interesting element of this particular compromise is that there is indication that they may use different clients to post depending on the domain. Here is an analysis of one compromised account:

Other analyzed accounts tweeting links to buzzme(.)fun also showed a tweet from the source client ”  Twitter For      Mobile“. Looking at the analyzed accounts that were tweeting links to buzzit(.)fun show ”  Twitter For         Mobile“. At first glance, these appear to be the same application; however, Twitter does not allow multiple apps to have the same name. So they’ve added spaces to the buzzit accounts in order to make it a nominally different app. The space in front of both names is likely there for the same reason. This is highlighted again in the Twitter timeline below with the client analysis of this same account below that.

One account tweeting links to buzzme(.)fun had a source client of TwiAgeCom among others, which did not show up in analysis of other accounts. This could be related to the Confirm Your Age app and any of its 64 API siblings or related to the Trendii apps and domains, or even a third unknown party. One thing to note in the screenshots above of peoplebuzz(.)press, it asks you to login and authorize the app because “Twitter is requesting Login in order to protect users from nude/inappropriate content”. This is similar to the behavior of Confirm Your Age, although this does not conclusively link the two campaigns.

If you notice in the languages detected section, there are 32 tweets whose languages could not be detected. This is a common technique used in order to hide this type of activity, and can also be seen in the Confirm Your Age example from Isabella posted above. The tweet appears to be in English, yet Twitter is offering to translate it from Vietnamese. This occurs through the use of Unicode character sets. What is displayed as an English sentence in Latin characters are completely different when using the Vietnamese character set, and Twitter is detecting this accordingly. Many times the language will be left undefined entirely. This has the advantage of making it harder to search for a post. When Unicode is included, unless you copy and paste your search from the original tweet, no results will be returned. Here are some articles and forum threads discussing the technique (ref1, ref2, ref3). It should also be noted that we believe the Confirm Your Age app is using Unicode in its client naming convention. Again possibly helping to mask or hide it from routine internal searches from Twitter.

So who is running these domains and apps? The biggest clue we have here is the email address, kimak@live.com. This email address appears to belong to a Kirce Ilov from Macedonia. According to this list of domains, he has been at this since at least 2015. Many of the domains in that list are long since defunct and no longer in use, but many overlapped with our results found in Maltego. None of them appear to be related to the domains used by Confirm Your Age, nor have any users known to be impacted by the Trendii apps appeared in the admittedly outdated database from the Confirm Your Age operation. There is no obvious overlap in the infrastructure used between Confirm Your Age and the Trendii domains; they use different IP’s, hosting providers, domain registrars, and the email address kimak@live.com does not appear to be connected to any of the domains associated with Confirm Your Age. The only appearances of a connection is in the methods used, the time frame they were known to be operating, and that both requested an app authorization for the stated purpose of censoring age-inappropriate material. At this point a connection between the two cannot be confirmed, nor completely ruled out.

As for the motivations for the campaign, despite its sophistication there is no obvious motive beyond financial gain from the ads present on the websites. Although the financial gain to effort ratio seems pretty low. The Macedonian connection to Trendii is interesting, given the number of Macedonian sites used to push misinformation during the 2016 election and continuing today; however, there does not appear to be a political purpose in any of the domains we have looked at, or to the users impacted. Until further evidence suggests otherwise, this appears to be a well crafted referral spam campaign. What it does show is the ability to abuse the Twitter API for malicious purposes, that despite these issues existing since at least 2011, Twitter has not taken the necessary steps to end this type of abuse including shutting down malicious apps reported to it, and the lengths cyber criminals will go to in order to cover up their activities.

A special thanks to Geoff Goldberg (@geoffgolberg), Michael Spohn (@MichaelWSpohn) and Isabella (@isagirl_v) who all provided valuable details in the initial research.

Eric Company News, Cybersecurity, Digital Investigations, Website Security