Hack3rcon is West Virginia’s premier information security conference, bringing together leading information security researchers and practitioners from around the country and around the world. With a focus on methodology and information sharing, Hack3rcon seeks to energize the infosec community and provide an engaging and supportive environment to hone our attendees' skills while fostering a sense of community and social responsibility.
Friday, October 19 • 2:00pm - 2:50pm
Automated Spear-twishing - It was only a matter of time


We've all heard of phishing and spear-phishing. We've even heard of twishing and spear-twishing to a limited extent. After all, Twitter is an excellent target for social engineering due to conditioned users, anonymous connections via pseudonyms, and a lack of content filtering. For example, shortened URLs are typically flagged by detection software in e-mail, but they're almost a necessity in Twitter with the 140-character length restriction. So we have a ripe target base of users clicking on shortened URLs, but let's be honest: developing targeted tweets can be annoying. Plus, to really target users and take advantage of trust relationships, you need to map out who's following who, and that is pretty arduous given existing tools. So, we built Hypertwish, a Twitter visualization and spear-twishing framework that uses small generative grammars and a hyperbolic tree. Yaay math! This tool is also a trial of some of our existing research into computer linguistics and automated content generation, so that when Doomsday arrives, at least Skynet will be able to use social media. You'll never trust people on Twitter again.


---------------------------------- Detailed Outline ----------------------------------

I: Targeting

a) Dynamically mapping Twitter accounts with the Hyperbolic Browser (part of JavaScript InfoVis Toolkit)

b) Mapping following-follower paths between Twitter accounts and building a useful target list.

c) Creating bogus accounts for testing

i) Twitter locks account automatically because of certain email domains

ii) Microsoft Live works great though for Hotmail accounts

iii) Common mistakes in bogus accounts

II: Generating Content

a) @ vs. #

i) @ for targeting specific accounts, i.e. spear-twishing

ii) # for potentially getting users who are searching on popular tags, i.e. normal twishing

b) Autobuild content:

i) Tool utilizes a small generative grammar to develop tweet contents using a variety of options:

1) Reference previous post and reply, or generate new

2) Parse out # references from previous tweets

3) Pick from various predefined schemes

c) Sending Tweet

i) Different platforms apparently support different default display/notification options

ii) Tie in twidge for sending via multiple accounts

d) Tracking

i) Public posts instantly get checked by various bots and spiders

ii) Bots don't do a deep dive; we can limit tracking to secondary resources like frame contents


III: Demo: Hypertwish


Sean Palka

Passions: Pentesting. Social-engineering. Rapid prototyping. Aikido. Puzzles. Riddles. Cryptography. Diet Mountain Dew. Anti-social gaming. Recursion. Making my daughter laugh.

I'm a penetration tester by trade, but my current research at George Mason University focuses on social engineering, phishing and computer linguistics. I swear I have friends that are not being coerced though.

Friday October 19, 2012 2:00pm - 2:50pm
Main Stage 600 Kanawha Boulevard East, Charleston, WV, United States
