July 25, 2014

TSG IntelBrief: Tragedy, Cyber Criminals, and #MH17

• The Twitter hashtag #MH17 has been tweeted or retweeted more than 3.3 million times in the last eight days; within hours of the tragedy, cyber criminals joined the Twitter campaign

• Criminals are appending links to tweets that mention #MH17; the links lead to sites that serve malware. Most of these links point to .tk domains, which should be treated with suspicion

• Twitter is well-suited for the spread of malware because it is heavily used on mobile devices, where the full destination of a link is hard to see before tapping it

• As journalists and others increasingly find information via Twitter rather than reporting it via Twitter, the risk of malware infection will increase as well

• Criminals are also setting up fake Facebook pages for MH17 victims with the goal of spreading malware and soliciting donations from sympathetic viewers.

While the surface-to-air missile that likely brought down Malaysia Airlines Flight 17 traveled at more than three times the speed of sound, criminals moved at cyber speed to exploit the intense global interest in the tragedy.

Following the downing of Malaysia Airlines Flight 17 (MH17), cyber criminals were quick to take advantage of the hashtag #MH17, used to consolidate discussion of the ongoing disaster on Twitter. Criminals entered the stream of conversation armed with links leading to sites that serve malware. Readers looking for more information on news topics like MH17 are likely to click on links on Twitter and Facebook for two compelling reasons:

Social media encourages sharing and fosters a sense of familiarity even with strangers, lowering our guard and making us far more likely to open a link as we get caught up in the torrent of updates.

Twitter and Facebook are both incredibly popular on mobile devices, which encourage a quick-click mentality and lack the hover feature that shows the full URL before you click.

Within hours of the downing of MH17, cyber criminals had set up several Indonesian-language Twitter feeds incorporating the newly created #MH17. The tweets and retweets from these accounts included URLs on .tk domains, a top-level domain notorious for social media scams and outright malware. Readers who clicked through for more information on the fast-breaking event were sent to one of two IP (internet protocol) addresses hosting ZeuS/ZBOT and PE_SALITY malware. ZeuS/ZBOT is a banking trojan that steals credentials and other data from infected machines; PE_SALITY is a file infector that writes itself into .EXE and .SCR files on the victim's disk. Both are Windows executables, so a smartphone that followed the link would reach the malicious host but would not run the payload; a Windows PC would.

Since MH17 was brought down over eastern Ukraine, #MH17 has been tweeted or retweeted 3.3 million times and counting, and it's nearly impossible for the average user to know which links are suspect, especially when they have been shortened with a service such as Bitly, which hides the destination domain entirely until the link is expanded. A good rule of thumb is to ignore any link whose domain ends in .tk (.tk is the country code top-level domain of Tokelau, a tiny island nation in the Pacific Ocean). Not all .tk domains are malicious, of course, but enough are to warrant extra caution, and the check has to be applied to the final destination of a shortened link, not to the shortener's own domain.
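A small triage script for the rule of thumb above, added here as an illustration and not taken from the brief or from any vendor tool. It pulls the links out of a tweet, follows a redirect chain to the final destination, and flags a destination that is a bare IP address (as the MH17 links were) or whose registrable domain sits under a watch-listed TLD such as .tk, matching on the last label so that names like tk.example.com or example.tk.com are not caught by accident. The tweet text, the Bitly short code, the .tk hostname and the redirect table are all constructed for the example; the redirect table stands in for the HTTP 3xx hops a real expansion would follow.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Top-level domains the brief singles out for extra caution (a watchlist, not a verdict).
SUSPECT_TLDS = {"tk"}
# Shortener hostnames that reveal nothing about the destination until expanded
# (assumption: a small illustrative list, not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample tweet and redirect table: hostnames and short code are made up.
# 198.51.100.0/24 is the TEST-NET-2 documentation range, not a real malware host.
SAMPLE_TWEET = ("Breaking #MH17 footage http://bit.ly/1xyzABC "
                "and more at http://mh17-news.tk/video #prayforMH17")
SAMPLE_REDIRECTS = {"http://bit.ly/1xyzABC": "http://198.51.100.23/mh17-video.exe"}


def hostname_of(url):
    """Lower-cased hostname with userinfo, port, IPv6 brackets and trailing dot removed."""
    host = urlsplit(url).hostname  # drops user:pass@ and :port, lower-cases the name
    return host.rstrip(".") if host else None


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 destination, a common sign of throwaway hosting."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def has_suspect_tld(host):
    """Label-wise check: example.tk matches, tk.example.com and example.tk.com do not."""
    labels = host.split(".")
    return len(labels) >= 2 and labels[-1] in SUSPECT_TLDS


def expand(url, redirects, max_hops=10):
    """Follow the redirect table until the chain ends, loops, or max_hops is reached."""
    seen = set()
    while url in redirects and url not in seen and len(seen) < max_hops:
        seen.add(url)
        url = redirects[url]
    return url


def classify(url, redirects):
    """Apply the rule of thumb to the final destination of a link, not the shortener."""
    final = expand(url, redirects)
    host = hostname_of(final)
    if host is None:
        return "unparseable"
    if is_ip_literal(host):
        return "suspect: bare IP destination"
    if has_suspect_tld(host):
        return "suspect: ." + host.split(".")[-1] + " domain"
    if host in SHORTENERS:
        return "unresolved shortener"
    return "ok"


def triage_tweet(text, redirects):
    """Return (url, verdict) pairs for every http(s) link found in a tweet."""
    return [(url, classify(url, redirects)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in triage_tweet(SAMPLE_TWEET, SAMPLE_REDIRECTS):
        print(verdict.ljust(32), url)
```

In real use the redirect table would be replaced by an actual expansion, for instance `requests.head(url, allow_redirects=True).url`, run from an isolated host, because fetching the link is itself a visit to the suspect site. Bitly links can also be previewed without visiting the destination by appending `+` to the short URL. A link that still resolves only to a shortener is reported as unresolved rather than as safe, since the rule cannot be applied until the destination is known.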

[Chart: #MH17 mentions on Twitter (July 17-July 22, 2014)]

MH17 is only the latest tragedy to be exploited by cyber criminals. The hashtag #MH370, for the still-missing Malaysia Airlines flight, was also a tempting target for criminals, who used the same malicious-link tactic. To give a sense of scale, #MH370 was tweeted and retweeted over 4 million times in the first weeks of the search, and is still heavily used today. The rush for information leaves journalists and regular users alike at high risk not only of misinformation but of actual computer infection, another reason to pause before clicking on links not associated with well-respected news outlets, which is a shame since much of the power of Twitter and Facebook lies in their ability to bypass traditional channels of information.

Any breaking news now generates its own hashtag, making it possible for users to follow the issue across the world. It also generates a target-rich environment for scammers and criminals who don't need to devise clever ways to get us to click; they just use the hashtag. And it's not just tragic aviation event hashtags drawing extraordinary numbers and interest; #Gaza has been tweeted and retweeted over 6 million times in the last two weeks, and #WorldCup was mentioned over 10 million times this month.

The use of malicious links in tweets containing popular hashtags will increase, but it's not the only way criminals in the cyber world exploit real-world tragedies. As soon as the MH17 passenger manifest was released, scammers set up several Facebook pages "dedicated" to specific victims, including several young children from Australia. Visitors to the pages were blasted with banner ads and click-bait ads. The over-the-top ads mean the scammers are simply trying to boost click rates and increase their ad revenue. Far worse, however, are the tragedy-related sites or links that either serve malware directly or send the visitor on to another site teeming with it. Anti-virus software is still a necessity, but signature updates cannot keep pace with the daily changes in malware.

As social media evolves from a medium where people repeat existing information to a place where people seek to disseminate information (confirmed or unconfirmed), the risk of infected links will evolve as well, matching the trend lines step by step. It remains to be seen if social media malware safeguards will evolve in equal measure, ensuring that the power of social media is not weakened by its open and sharing nature.
