We have already written numerous times about the fact that social networks can be used by cyber criminals to harm their users. This technique we have spotted on the twitter network is not new, but it is interesting nonetheless.

Its first form uses a callback function to the Twitter API, which makes it hard to discover by scanning core and allowing injection of a harmful iFrame. Furthermore, data about trends, which the function returns, were used for the generation of a domain name.

iFrame

 

So what makes this case so interesting? First, it’s used in favorite library jQuery. Whereas the earlier forms relied on function of callback as a tool against emulation, the usage of the library is an evolution as its used for downloading trend data and also for obfuscation of harmful code.

iFrame

The analysis of the sample, which we obtained, revealed an algorithm for creating domain names. It also contains the part, which is created by selection of groups with predefined values, and the part, which is created in accord with data, obtained from Twitter.

iFrame

The fact that the algorithm does not create active domain names may be caused by these reasons:

1. Algorithm of creating the domain names was changed

It’s very likely, since the code contains numerous places, which can be manipulated.

2. Method is used in longer time windows

Twitter allows a discovery of trends for one month backwards. Domains, which we found registered in this time window, have preset status clientHold. It means that domain is not published.

3. The author has registered only few of possible names and relies on the fact, that favorable conditions will happen.

Since none of the created addresses was functional during time of analysis, we cannot determine the creators’ intentions exactly. Most probably it’s a ploy to get to the resources/digital assets of their victims.

author:  Jaro Brtan