A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following. On January 13, the Twitter account of the Indian ambassador to the United Nations was taken over and spread pro-Pakistan and pro-Turkey postings:
What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard. Combining their technology and our threat researchers, we started to build a timeline of events:
In each case in this timeline, the account was restored after several hours.
Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.
One example of such a site is hxxp://fox-news.medianewsonline.com/.
Visiting the page shows the following:
If we look at the source code of the page, we discover several Turkish-language segments.
Focusing on the domains used for the phishing sites, we discovered more registered sites. Some examples:
- mypressonline.com
- official-twitter-jp.mypressonline.com
- feedbac-verifv.mypressonline.com
Who is behind this campaign? According to the messages used, the Turkish hacker group “Ayyildiz Tim” (AYT) claims to be responsible for the attacks. The group was founded in 2002 and advocates Turkish state ideology. In the following example, we see the background image of Greta van Susteren has changed to one of the many wallpapers used by the group:
We advise journalists in particular, as well as others in high-profile positions, to follow appropriate safeguards to protect their accounts.
We are aware that one of the tactics from this group is to use Direct Messaging to communicate with other prominent Twitter accounts. There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails. If you receive a message, even from someone you know or trust, be aware that the message may not be from the person you know. It is potentially directing you to malicious content.
You absolutely should verify through an alternate channel that the link is safe to click.