Twitter not adequately checking URLs, says Kaspersky

The microblogging service, which allows messages of up to 160 characters to be posted, by default uses the bit.ly URL shortening service, which replaces long web addresses with more manageable codes. Costin Raiu, chief security expert at the anti-malware company's Eastern European computing lab, explained that online criminals have been using these services to obfuscate malicious URLs, which they then spread to other Twitter users by posting them in messages.

Twitter began using bit.ly as its default URL shortening service in May, and began filtering URLs in August, using the bit.ly service's filtering function. Kaspersky has found that it uses the Google Safe Browsing API, which checks URLs against a database of known malicious destinations. However, it also lays its own extra filtering on top.

"There are still a lot of links that make it through Twitter, and keep in mind that it is also possible to simply use other URL shortening services", Raiu said.

Kaspersky has created a project called Krab Crawler, which uses the Twitter API to download as many messages as it can from the public timeline. It then uses a distributed network of machines to expand these URLs, analyze them semantically, and run them through an anti-malware scanner. The project is downloading 60 GB of data via Twitter every month, and processing half a million unique URLs.

Kaspersky has also been mining this data for statistics. It found that roughly half the malicious sites found have been compromised by other malware attacks such as Gumblar, a script injection that targeted websites earlier this year.

"These are generated by users themselves who are unwittingly posting links to websites that they believe to be clean", Raiu said.

Kaspersky found that 26% of Twitter posts included a URL. The two most popular shortened URLs posted using the service in September resolve to online dating sites, one of which has been known to serve up malware in the past.

"Most of the URLs posted on Twitter seem to be generated by spammers or people with malicious intent. The fact that they point to sites that can be malicious but may not always be immediately labeled as malicious is important.

"The vast majority of attacks seem to fall into the grey zone. The sites may not always be malicious, but there are either links to spammers, or to malicious software authors, even if the link isn't always immediately obvious."
