
Automated Spear-twishing - It was only a matter of time Hack3rcon 3 (Hacking Illustrated Series InfoSec Tutorial Videos)

We've all heard of phishing and spear-phishing. We've even heard of twishing and spear-twishing to a limited extent. After all, Twitter is an excellent target for social engineering due to conditioned users, anonymous connections via pseudonyms, and a lack of content filtering. For example, shortened URLs are typically flagged by detection software in e-mail, but they're almost a necessity in Twitter with the 140-character length restriction. So we have a ripe target base of users clicking on shortened URLs, but let's be honest: developing targeted tweets can be annoying. Plus, to really target users and take advantage of trust relationships, you need to map out who's following who, and that is pretty arduous given existing tools. So, we built Hypertwish, a Twitter visualization and spear-twishing framework that uses small generative grammars and a hyperbolic tree. Yaay math! This tool is also a trial of some of our existing research into computer linguistics and automated content generation, so that when Doomsday arrives, at least Skynet will be able to use social media. You'll never trust people on Twitter again.

---------------------------------- Detailed Outline ----------------------------------

I: Targeting
  a) Dynamically mapping Twitter accounts with the Hyperbolic Browser (part of JavaScript InfoVis Toolkit)
  b) Mapping following-follower paths between Twitter accounts and building a useful target list
  c) Creating bogus accounts for testing
    i) Twitter locks accounts automatically because of certain email domains
    ii) Microsoft Live works great though for Hotmail accounts
    iii) Common mistakes in bogus accounts

II: Generating Content
  a) @ vs. #
    i) @ for targeting specific accounts, i.e. spear-twishing
    ii) # for potentially getting users who are searching on popular tags, i.e. normal twishing
  b) Autobuild content:
    i) Tool utilizes a small generative grammar to develop tweet contents using a variety of options:
      1) Reference previous post and reply, or generate new
      2) Parse out # references from previous tweets
      3) Pick from various predefined schemes
  c) Sending Tweet
    i) Different platforms apparently support different default display/notification options
    ii) Tie in twidge for sending via multiple accounts
  d) Tracking
    i) Public posts instantly get checked by various bots and spiders
    ii) Bots don't do a deep dive, so we can limit tracking to secondary resources like frame contents

III: Demo: Hypertwish

Sean Palka

Senior Penetration Tester, Booz Allen Hamilton

Passions: Pentesting. Social-engineering. Rapid prototyping. Aikido. Puzzles. Riddles. Cryptography. Diet Mountain Dew. Anti-social gaming. Recursion. Making my daughter laugh.

I'm a penetration tester by trade, and my current research focus is on social engineering, phishing and computer linguistics. I swear I have friends that are not being coerced though.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast