Twitter gets tough on SIREN pornbots... Note to self: Get serious about security

Richi Jennings, your humble blogwatcher, dba RJA

[Image: Police siren]

SIREN is a Twitter-based network of porn bots. With almost 90,000 known zombie accounts, it’s been tweeting 8.5 million come-ons, say researchers.

Yes, incredibly, there’s porn on the web, and shady people are making money from it. I’m sure you’re just as shocked to hear this as I am.

Twitter is on the case, we’re told, but the problem doesn’t exactly seem solved just yet. In this week’s Security Blogwatch, we take a relaxing soak in the tub.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Working out with an Eclectic Method

What’s the craic? Alfred Ng waxes lyrical, with A massive botnet was tweeting you porn for months:

It was the social media equivalent of the Sirens [from] Greek mythology. … Every tweet had links to a seemingly innocent URL with a Google shortlink … which would lead to a fake dating website, or a webcamming site or pornography.

Every account featured a scantily clad woman [and] read like a bad Tinder profile. … With 8.5 million tweets, the spam netted more than 30 million clicks.

Greek mythology, you say? Dude, you’re getting a Dell Cameron—Nearly 90,000 Sex Bots Invaded Twitter:

The researchers dubbed the botnet “SIREN” after sea-nymphs described … as half-bird half-woman creatures whose sweet songs often lured horny, drunken sailors to their rocky deaths. … Millions of users apparently fell for the ruse and, presumably, a small fraction went on to provide their payment card information to the pornographic websites they were lured to.

The tweets further included links to affiliate programs. … Members of these programs … receive payouts based on the amount of traffic they send to subscription-based porn and so-called “adult dating” websites [many of which] are themselves scams, chiefly comprised of fake female profiles that encourage visitors to sign up for paid subscriptions.

PSA: There are literally no women on the internet that want to have sex with you.

Who uncovered this den of iniquity? ’Twas Zack Allen and chums, of ZeroFOX Research:

In recent years, malicious actors have exploited social media’s ease of use, scalability, automation and ability to reach a massive, global target audience. … They can be coordinated … and weaponized to distribute nefarious links such as phishing campaigns, malware … and spam websites that pay for clicks.

Since February [we’ve] been investigating a large-scale, spam pornography botnet on Twitter dubbed SIREN. [We] have identified over 8,500,000 tweets from close to 90,000 accounts [making it] one of the largest malicious campaigns ever recorded on a social network [and] in clear violation of Twitter’s Terms of Service.

The actors running SIREN appear to be from Eastern Europe. [It] leverages a vast network of algorithmically generated Twitter accounts to distribute a payload. [When] clicked, the user is issued a series of redirects. … Twitter’s t.co service … redirects to goo.gl [which] redirects to a ‘rotator’ website. … It then sends the connection via another redirect to the final URL.

All fraudulent activity shown in this post has been reported … to the Twitter security team, who subsequently removed them. Twitter was prompt and efficient in their takedown.
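The redirect chain the researchers describe (t.co, then goo.gl, then a "rotator", then the final site) is exactly what an abuse or trust-and-safety analyst wants to see hop by hop before deciding whether a reported link is spam. The following is an added example, not ZeroFOX's or Twitter's code: it expands a chain one HEAD request at a time without ever following the redirect automatically or rendering the landing page, records every host on the way, and stops on loops or runaway chains. The hostnames and the hop table it runs against offline are constructed for illustration; the live `http_fetch` helper is only used if you pass it in explicitly.

```python
"""Expand a shortener/redirect chain hop by hop, without executing the landing page.

Added example for this post; not code from ZeroFOX, Twitter or any vendor.
All hostnames in FAKE_RESPONSES are constructed stand-ins.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
KNOWN_SHORTENERS = {"t.co", "goo.gl", "bit.ly"}  # the two named in the post, plus one common one

# Constructed hop table standing in for live HTTP responses: url -> (status, Location header).
FAKE_RESPONSES = {
    "https://t.co/abc123": (301, "https://goo.gl/xyz789"),
    "https://goo.gl/xyz789": (302, "http://rotator.example/go?id=42"),
    "http://rotator.example/go?id=42": (302, "/out/7"),  # relative Location, must be resolved
    "http://rotator.example/out/7": (302, "https://landing.example/signup"),
    "https://landing.example/signup": (200, None),
    # a misconfigured pair that bounces between each other forever
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP HEAD that does not follow redirects."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow 3xx; the response then surfaces as HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Live fetcher: a single HEAD request, redirects left unfollowed (not used by the demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Walk the chain manually and return every hop plus a verdict.

    verdict is one of: 'landed' (2xx at the end), 'error' (4xx/5xx or no Location),
    'loop' (a hop repeats), 'too_many_hops' (max_hops reached).
    """
    hops = [url]
    seen = {url}
    current = url
    verdict = None
    while True:
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            verdict = "landed" if 200 <= status < 300 else "error"
            break
        nxt = urljoin(current, location)  # handles relative Location headers
        if nxt in seen:
            verdict = "loop"
            break
        if len(hops) >= max_hops:
            verdict = "too_many_hops"
            break
        hops.append(nxt)
        seen.add(nxt)
        current = nxt
    hosts = [urlsplit(h).hostname for h in hops]
    return {
        "hops": hops,
        "hosts": hosts,
        "final": hops[-1],
        "verdict": verdict,
        "shorteners": sum(1 for h in hosts if h in KNOWN_SHORTENERS),
    }


if __name__ == "__main__":
    for start in ("https://t.co/abc123", "https://loop.example/a"):
        result = resolve_chain(start)
        print(start, "->", result["verdict"], "via", " > ".join(result["hosts"]))
```

The point of doing the walk by hand rather than letting a client follow redirects is that each intermediate host (the rotator in particular) is evidence: two shorteners in a row feeding an unfamiliar rotator host is the pattern the researchers describe, and it is visible here before any landing page has been touched.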

Anyone else? The researchers also got a ride on the Brian Krebs cycle: [You’re fired—Ed.]

Anyone who [clicked] was ultimately referred to subscription-based online dating sites run by Deniro Marketing … based in California. This was the same company that … I’d written about in June. Deniro did not respond to requests for comment.

It’s not hard to see how this same approach could be very effective at spreading malware. Keep your wits about you while … cruising social media.

Are you hungry? Faisal Ahmed says there’s no such thing as a free lunch:

This is just another reminder for everyone to be careful online and with social media; as with real life, if it looks too good to be true, it probably is.

Anyway, what does Twitter have to say? Dr. Mallory Locklear finds out:

Twitter hasn't yet responded to a request for comment.

But the problem is all cleaned up now, right? Errm, no:

I just did a few Twitter searches for the weird, cod-English phrases used by SIREN. … There are still hundreds of spammy porn tweets visible from weeks ago—and many as recent as today.

“Please try harder,” is my message to Twitter’s Trust And Safety team. Much harder. Are you listening, @Delbius?

So which social platform does a better job of reacting to researchers’ reports? Not Myspace, says Leigh-Anne Galloway:

I stumbled across an old Myspace account of mine. … I discovered a business process so flawed it deserves its own place in history. [It] allows anyone access to any Myspace account, with only [a] date of birth.

So how seriously does Myspace take security? … I sent an email to Myspace in April documenting this vulnerability and received nothing more than an automated response.

So why does this matter? Myspace is an example of the kind of sloppy security many sites suffer from: poor implementation of controls, lack of user input validation, and zero accountability.

Any other cautionary tales to tell? As Alexandria Arnold articulates, CoinDash Says Hacker Stole $7 Million:

CoinDash, a blockchain technology startup that bills itself as a social-trading platform, said that its website was hacked Monday and $7 million was stolen from investors trying to participate in the company’s initial coin offering. … CoinDash said it appeared that the sending address was hacked and changed to a fraudulent address.

CoinDash said in its statement, "CoinDash is responsible to all of its contributors and will send coins reflective of each contribution." … Both investors who sent ethereum to the fraudulent address and to the correct one will receive their intended CoinDash tokens, the company said.

The moral of the story? If you tell people that you “take security seriously,” you should probably, y’know, take security seriously. And that includes seriously responding seriously quickly to serious security researchers. But seriously, you need a 24/7 team actively fighting abuse and acting on reports.

And finally …

Jonny Wilson’s awesome workout mix


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk.

Image source: Ferran Nogués (CC:BY-SA)
