Title :
It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit
Author :
White, J.S. ; Matthews, Jeanna N.
Author_Institution :
Wallace H. Coulter Sch. of Eng., Clarkson Univ., Potsdam, NY, USA
Abstract :
The Blackhole Exploit Kit (BEK) has been called the “Toyota Camry” of exploit kits - cheap, readily available and reliable. According to some estimates, it was used to enable the majority of malware infections in 2012. One major infection vector for BEK is through Twitter. In this paper, we analyze over two months of Twitter data from May through July of 2012 and identify user accounts affected by BEK. Based on reports that BEK infected tweets containing the string “It's you on photo?” were being used to lure victims to BEK infected sites, we identified matching messages and analyzed the associated accounts. We then identified a wider range of message types associated with BEK infection and developed an automated mechanism for identifying infectious accounts - both accounts that were created specifically for malware distribution and legitimate accounts that began distributing malware after the owner's system was infected. Specifically, we find that BEK infectious accounts are characterized by tweets with an entropy lower than 4.5, tweets that are sent using the Mobile Web API and tweets containing an embedded URL. We present an automated method for isolating the point at which an account becomes infectious based on changes in the entropy of tweets from the account.
Keywords :
computer crime; invasive software; social networking (online); BEK infected sites; BEK infectious accounts; Toyota Camry; Twitter accounts; Twitter data; automatic detection; blackhole exploit kit; embedded URL; infected tweets; infection vector; its-you-on-photo; malware distribution; malware infections; message types; messages matching; mobile Web API; user accounts identification; Correlation; Electronic mail; Entropy; Malware; Mobile communication; Twitter; Vectors;
Conference_Title :
Malicious and Unwanted Software: "The Americas" (MALWARE), 2013 8th International Conference on
Conference_Location :
Fajardo, PR
Print_ISBN :
978-1-4799-2534-6
DOI :
10.1109/MALWARE.2013.6703685