Scientists stop and search malware hidden in shortened URLs on Twitter


Cyber-criminals are taking advantage of real-world events with high volumes of traffic on Twitter in order to post links to websites which contain malware.

To combat the threat, computer scientists have created an intelligent system to identify malicious links disguised in shortened URLs on Twitter. They will test the system in the European Football Championships next summer. The research is co-funded by the Engineering and Physical Sciences Research Council (EPSRC) and the Economic and Social Research Council (ESRC).

In the recent study, when a user clicked on a URL posted on Twitter and malware began to infect the device, the Cardiff University team identified potential cyber-attacks within five seconds with up to 83% accuracy and within 30 seconds with up to 98% accuracy.

The scientists collected tweets containing URLs during the 2015 Super Bowl and Cricket World Cup finals, and monitored interactions between a website and a user's device to recognise the features of a malicious attack. Changes made to a user's machine, such as new processes created, registry files modified or files tampered with, indicated a malicious attack.

The team subsequently used system activity such as bytes and packets exchanged between device and remote endpoint, processor use and network adapter status to train a machine classifier to recognise predictive signals that can distinguish between malicious and benign URLs.

Dr Pete Burnap, Director of the Social Data Science Lab at Cardiff University, and lead scientist on the research, said: Unfortunately the high volume of traffic around large-scale events creates a perfect environment for cyber-criminals to launch surreptitious attacks. It is well known that people use online social networks such as Twitter to find information about an event.

Attackers can hide links to malicious servers in a post masquerading as an attractive or informative piece of information about the event.

URLs are always shortened on Twitter due to character limitations in posts, so it's incredibly difficult to know which are legitimate. Once infected the malware can turn your computer into a zombie computer and become part of a global network of machines used to hide information or route further attacks.

In a 2013 report from Microsoft these ‘drive-by downloads’ were identified as one of the most active and commercial risks to cyber security.

At the moment many existing anti-virus solutions identify malware using known code signatures, which makes it difficult to detect previously unseen attacks.

Professor Omer Rana, Principal Investigator on the project, which also includes Royal Holloway, University of London, City University London, the University of Plymouth and Durham University, said:

We are trying to build systems that can help law enforcement authorities make decisions in a changing Cyber Security landscape. Social media adds a whole new dimension to network security risk. This work contributes to new insight into this and we hope to take this forward and develop a real-time system that can protect users as they search for information about real-world events using new forms of information sources.

We have the European Football Championships coming up next summer, which will provide a huge spike in Twitter traffic and we expect to stress-test our system using this event.

Professor Philip Nelson, Chief Executive, EPSRC said: Using social media is an integral part of modern life, vital to organisations, businesses and individuals. The UK needs to operate in a resilient and secure environment and this research will help combat these criminal Cyber-attacks.

Notes for Editors

  • This study is part of the EPSRC's Global Uncertainties Consortia for Exploratory Research in Security (CEReS) programme. GoW grant number: EP/K03345X/1. This is co-funded by EPSRC and Economic and Social Research Council (ESRC).
  • A paper on the study was presented to the 2015 IEEE / ACM International Conference on Advances in Social Networks Analysis and Mining in August 2015. The study authors are Pete Burnap, Amir Javed, Omer F Rana, Malik S Awan.
  • Twitter is being targeted by criminals as URL web-links are often shortened to fit the 140-character limit. The shortened links are a string of letters so it's impossible for a user to tell if it points to a malicious or benign site.
  • A zombie computer is one that is taken over and controlled by a remote person who can use it to launch further attacks.
  • A drive-by download is where malware makes unwanted changes to a user's device.
  • The Microsoft report is referenced in the study

Engineering and Physical Sciences Research Council (EPSRC)

As the main funding agency for engineering and physical sciences research, our vision is for the UK to be the best place in the world to Research, Discover and Innovate. By investing £800 million a year in research and postgraduate training, we are building the knowledge and skills base needed to address the scientific and technological challenges facing the nation. Our portfolio covers a vast range of fields from healthcare technologies to structural engineering, manufacturing to mathematics, advanced materials to chemistry. The research we fund has impact across all sectors. It provides a platform for future economic development in the UK and improvements for everyone’s health, lifestyle and culture. We work collectively with our partners and other Research Councils on issues of common concern via Research Councils UK.

Cardiff University

Cardiff University is recognised in independent government assessments as one of Britain’s leading teaching and research universities and is a member of the Russell Group of the UK’s most research intensive universities. The 2014 Research Excellence Framework ranked the University fifth in the UK for research excellence. Among its academic staff are two Nobel Laureates, including the winner of the 2007 Nobel Prize for Medicine, University Chancellor Professor Sir Martin Evans. Founded by Royal Charter in 1883, today the University combines impressive modern facilities and a dynamic approach to teaching and research. The University’s breadth of expertise encompasses: the College of Arts, Humanities and Social Sciences; the College of Biomedical and Life Sciences; and the College of Physical Sciences and Engineering, along with a longstanding commitment to lifelong learning. Cardiff’s flagship Research Institutes are offering radical new approaches to pressing global problems.

Reference: PN 50-15

Contact Details

For further information please contact the Press Offices. Interviews are available with Dr Pete Burnap.

Name: Tomas Barrett
Job title: Senior Communications Officer
Section / Team: Cardiff University Press Office
Organisation: Cardiff University
Telephone: 02920 875596

Name: EPSRC Press Office
Telephone: 01793 444404

Name: Dr Pete Burnap
Section / Team: Social Data Science Lab
Organisation: Cardiff University
Telephone: 07841 908033