Twitter Accounts of US Media Under Attack by Large Campaign

By and on

A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following. On January 13, the Twitter account of the Indian ambassador to the United Nations was taken over and spread pro-Pakistan and pro-Turkey postings:

What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard. Combining their technology and our threat researchers, we started to build a timeline of events:

 

In each case in this timeline, the account was restored after several hours.

Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.

One example of such a site is hxxp://fox-news.medianewsonline.com/.

Visiting the page shows the following:

If we look at the source code of the page, we discover several Turkish-language segments.

Focusing on the domains used for the phishing sites, we discovered more registered sites. Some examples:

  • mypressonline.com
  • official-twitter-jp.mypressonline.com
  • feedbac-verifv.mypressonline.com

Who is behind this campaign? According to the messages used, the Turkish hacker group “Ayyildiz Tim” (AYT) claims to be responsible for the attacks. The group was founded in 2002 and advocates Turkish state ideology. In the following example, we see the background image of Greta van Susteren has changed to one of the many wallpapers used by the group:

We advise journalists in particular, as well as others in high-profile positions, to follow appropriate safeguards to protect their accounts.

We are aware that one of the tactics from this group is to use Direct Messaging to communicate with other prominent Twitter accounts. There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails.  If you receive a message, even from someone you know or trust, be aware that the message may not be from the person you know. It is potentially directing you to malicious content.

You absolutely should verify through an alternate channel that the link is safe to click.

Categories: McAfee Labs
Tags: , , ,

Leave a Comment

Similar articles

You’re familiar with the cybercriminals that go after users’ credit card information and look to spread malicious links, but recently, one hacker decided to send a different message. According to Vice's Motherboard, a hacker accessed TOMS Shoes’ mailing list and sent an email encouraging users to log off and go enjoy the outdoors. The email ...
Read Blog
While we talk about online safety each week on this blog, October is National Cybersecurity Awareness Month (NCSAM), a time to come together and turn up the volume on the digital safety and security conversation worldwide. To kick off that effort, here's a comprehensive Device and App Safety Guide to give your family quick ways ...
Read Blog
October is finally among us, and things are spookier than usual. One ghost causing some hocus pocus across the World Wide Web is Ghostcat-3PC, a browser-hijacking malware that has launched at least 18 different malvertising campaigns in the last three months. According to SC Magazine, Ghostcat’s goal is to hijack users’ mobile browsing sessions and ...
Read Blog