The Venezuelan government is getting ready for elections with a proxy for twitter that could be use for phishing attacks. What are they planing by having this Twitter proxy?

As many might remember during past presidential elections the majority of the population had problems resolving some domains for brief periods of times. Most end users solved this by restarting their computers, While websites that were critical to the government suffered DDoS (Distributed Denial of Service) attacks.

This year with the penetration of social networks and use that the student community of Venezuela have been giving to them to spread their message and denounce irregularities, The Venezuelan government seem to be preparing for a new attack, this time the target are the social networks.


Repeat as parrots

As every Venezuelan knows the presidential candidate and current president of the republic uses the twitter handle @chavezcandanga which is controlled by what I assume is his P.R. committee. This same group has a twitter application that makes the account of everyone who chooses to authorize it a robot (a bot account) that would automatically retweet him.

This app along with the fact that 46% of @chavezcandanga followers are ghost/fake accounts starts giving you an idea of his propaganda machinery, Here is a screenshot of the app in question RTChavezCandanga.

aplicación RTChavezCandanga alojada en servidores del estado Venezolano para manipular tendencias y generar matrices de opinion.

Lets find out who is behind this app and the proxy which are hosted under the same domain, in order to find out we will be querying the venezuela's national registry of domains maintained by the government it self.

Pruebas de que es el PSUV el responsable de el dominio detras de todo esto.

As you can see it is clear that the Socialist United Party of Venezuela (PSUV) is responsible for anything related to finances, technical and administrative tasks for this domain.


Clamping down on social networks

What worries me now is that the same IP address that hosts the subdomain mensajes.chavezcandanga.org.ve used to manipulate trends on Twitter is also hosting a twitter proxy that so far does not contain malicious code (that I can see) but it does not mean that this will not change days before the election or during.

Right now you can see it for yourself but just in case CONATEL (entity that controls this IP) removes the proxy and the page that distributes the application, Here are some screenshots of what I was talking about:

Proxy a twitter alojado en servidores del gobierno del estado Venezolano

As you can see the IP that is being used (190.202.80.20) are not related to Twitter or at least are not the ones being advertised by Twitter's DNS records, here lets see the actual Twitter IPs:

host twitter.com | grep address
twitter.com has address 199.59.149.230
twitter.com has address 199.59.150.39
twitter.com has address 199.59.148.82

Digging a bit more one can see that the IP where this twitter proxy is running is also being used for something else:

Proxy a twitter alojado en servidores del gobierno del estado Venezolano

For those who are wondering the source for this story or how I learned about this, a friend on twitter was the one who found this this “coincidence” as you can see in this tweet:



Update: December 15, 2012

At this moment the IP 190.202.80.20 is still hosting a Twitter proxy although I don't see any malicious code you should be careful during the upcoming regional elections this upcoming Sunday the 16th.

I recommend you stay tuned and avoid accepting any new SSL certificates when using twitter during this weekend. I would also avoid to use my credentials if "mysteriously" you get prompt asking for them while navigating Twitter.com, specially if the URL doesn't begin with HTTP.



Comments

comments powered by Disqus