Vine: Spammers Find a New Home on Twitter’s Video Sharing Service

In late January of this year, Twitter released Vine, a social video-sharing service that it acquired in late 2012. Initially launched on iOS, Vine has similar characteristics to Twitter as videos are intentionally short (users are only allowed six seconds) and to the point. Earlier this month, an Android version of Vine was released and it was reported that the service had amassed over 13 million users on iOS alone.

With its increasing popularity, it comes as no surprise that spammers are targeting Vine and its users. Last year, we reported on the rise of Instaspam as a result of the mobile photo sharing application’s soaring popularity.
 

Vine Spammers 1 edit.png

Figure 1. Vine spammer likes and comments on video
 

The tactics being employed in Vine spam range from leaving comments on videos (Figure 1), following users (Figure 2), and tagging videos with hashtags (Figure 3).
 

Vine Spammers 2 edit.png

Figure 2. Vine spam account follows user
 

Vine Spammers 3 edit.png

Figure 3. Spam account posts Vine Video
 

As of right now, the majority of Vine spam pertains to follower scams, offering users a way to increase the number of followers they have on the service.
 

Vine Spammers 4 edit.png

Figure 4. Vine spam information request
 

In the initial phases, spammers requested that users provide their Vine email address. They have since changed their labels (Figure 4) and now ask for Vine user names instead.
 

Vine Spammers 5 edit.png

Figure 5. Spam campaign application install request
 

Once a user submits their Vine user name, they are redirected to a landing page claiming that the 100 free followers is contingent on them installing a certain application. Clicking on any of the links on this page will redirect users to a legitimate application on their respective application store.

Scammers are earning their money through affiliate programs that offer money for each successful installation of an application.

The following is a list of domains observed in Vine spam comments and posts:

  • vinefollows.com
  • vine250.com
  • vinejump.com
  • vineluv.com
  • vinefree.com
  • vinebang.com
  • vinefamous.com
  • vinefollowers.me
  • popmyvine.com

Reporting and deleting spam

Users can do their part to help combat spam on Vine by reporting spam profiles and deleting spam comments from their videos.
 

Vine Spammers 6 edit.png

Figure 6. Ellipsis button on user profile
 

Each Vine profile contains an ellipsis button (Figure 6). Clicking on this button reveals options to block, report or share the profile (Figure 7).
 

Vine Spammers 7 edit.png

Figure 7. Reporting a spam profile on Vine
 

When prompted, select the “Report this person” button to report the profile to Vine (Figure 8).
 

Vine Spammers 8 edit.png

Figure 8. Profile reported confirmation
 

To report spam comments on your own videos, click the comment button (Figure 9).
 

Vine Spammers 9 edit.png

Figure 9. Video comment button
 

Once you are on the comments page, swipe to the left on the spam comment that you wish to delete. You will be presented with a red button with an “X” on it (Figure 10). Click on the button to delete the comment.
 

Vine Spammers 10 edit.png

Figure 10. Delete spam comment
 

At this time, there is no option to delete a comment and report a user, so you will need to report the user first before deleting their comment.

While we are currently only seeing “free follower” spam, it is only a matter of time before we start seeing offers for free stuff. And, as I have written before, free stuff on social networks is not free.

Raspberry Pi bot tracks hacker posts to vacuum up passwords and more

Password and credit-card details leak online every day. So no one really knows just how much personally identifiable information is available by clicking on the right link to Pastebin, Pastie, or similar sites. Using a platform that runs on the hobbyist Raspberry Pi platform to drink from this fire hose, a security researcher has cataloged more than 3,000 such posts in less than three months while adding scores more each week.

Dumpmon, as the project is called, is a bot that monitors Twitter messages for Web links containing account credentials, sensitive account information, and other "interesting" content. Since its debut on April 3, it has captured more than 3,300 records containing 1.1 million addresses, most of which are accompanied by the plaintext or cryptographic hash of an associated password. The project has also unearthed social security and driver license numbers, credit card data, and other information that could be used to hijack user accounts or commit identity theft. On average, Dumpmon collects 51 such posts each day.

"It was mainly trying to determine how much information is being hidden from plain view and finding out how much information can be found just by looking in the right place," said Jordan Wright, a security engineer for CoNetrix. (Wright created the Dumpmon as an independent side project.) "It's pretty incredible. I wasn't expecting as much information as I found. I was expecting a lot less for sure."

Read 10 remaining paragraphs | Comments

    


When Unicorns Breach your Security

Last week a purple unicorn (a stuffed one, not a real one) generated some confusion at a border station in Turkey. According to this article, a family including their nine year old daughter, travelling across the Turkish border accidentally used the stuffed unicorn's toy passport instead of the daughter's real passport. The officer checked the passport, officially stamped it, and then let them through. At this point, the story deviates based on the source. Immigration said that the officer just wanted to be kind to the girl and forgot to stamp the real passport too. The family reports that there was no hesitation and that their daughter may have just have slipped through.

This story serves as a good reminder that security measures are only as good as their implementation. From crypto-graphical functions implemented with static initialization vectors, to passwords that are derived from public MAC addresses, to Web applications with poor session management that can be bypassed by calling the API directly. There are many examples throughout history of secure technology that actually had large, gaping security holes once they had been implemented. These examples do not even consider products that are implemented properly, but are not configured correctly or suitably integrated into the process so that the log files are never read.

If you are implementing security functions, ensure that you do it properly. Follow coding standards and play the attack scenario through. If you install security products, make sure that you configure them to your needs. Take note, if you do not pay attention to the details, you might be overrun by purple unicorns.