Scareware Scam Has Tweeters Atwitter
Jan 21, 2011 11:52 AM PT
The attack spreads malicious links; recipients who click them are taken to a website hosting the "Security Shield" antivirus software program.
When users land on that site, they are essentially tricked into downloading and paying for the Security Shield application.
Twitter is resetting the passwords of accounts that are spreading the malicious link.
The Anatomy of the Fake AV Attack
The attackers send out tweets containing a link from the goo.gl shortened link service. This service and others like it compress long URLs into shorter ones, making them easier to fit into services like Twitter, which places a strict limit on the number of characters each tweet may contain. However, the services can also disguise the true nature of a link by hiding its actual URL.
Anyone clicking on the link is taken through two bounces to a website hosting the "Security Shield" fake antivirus program. Visitors are told they have suspicious applications running on their PCs and are urged to run a scan.
The scan shows the victim's PC is infected, and the website then asks the user to download and pay for the Security Shield application.
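The redirect chain described above can be inspected without ever loading the landing page. The following Python script is an added example, not code from the original article: it walks a shortened link hop by hop, refusing to follow redirects automatically, and reports every host visited along the way. The host names and HTTP responses in it are constructed placeholders, not those of the real campaign.

```python
# Added example (not from the article): expand a shortened link hop by hop
# without rendering the landing page. Host names below are constructed.
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10  # bound the walk; abusive chains can redirect indefinitely


def http_fetch(url, timeout=5):
    """One HEAD request, no redirect following; returns (status, Location)."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def expand_chain(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow 3xx hops; 'stopped' is 'landed', 'loop' or 'hop_limit'."""
    chain, stopped = [url], "hop_limit"
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400 and location):
            stopped = "landed"  # a non-redirect response: this is the real destination
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative to the current hop
        chain.append(nxt)
        if chain.index(nxt) != len(chain) - 1:  # URL seen earlier: redirect loop
            stopped = "loop"
            break
    hosts = list(dict.fromkeys(urlparse(u).hostname for u in chain))
    return {"chain": chain, "final": chain[-1], "hosts": hosts, "stopped": stopped}


# Constructed offline stand-in for the network: short link -> two bounces -> landing.
CONSTRUCTED_CHAIN = {
    "http://short.example/abc": (301, "http://bounce-one.example/r"),
    "http://bounce-one.example/r": (302, "http://bounce-two.example/go"),
    "http://bounce-two.example/go": (302, "http://fake-av-landing.example/scan"),
    "http://fake-av-landing.example/scan": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}


def table_fetch(url):
    return CONSTRUCTED_CHAIN.get(url, (404, None))
```

Calling `expand_chain("http://short.example/abc", fetch=table_fetch)` returns the four-hop chain ending on the landing host; swapping in the default `http_fetch` runs the same walk against a live link.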
There's some uncertainty as to how the attacks were launched in the first place.
"It probably began by phishing of some sort," Adam Wosotowsky, principal engineer at McAfee Labs, told TechNewsWorld. "Possibly a social media worm like Koobface."
Variants of the Koobface worm have been used to attack Twitter for some time. This worm was initially targeted at Facebook, which it has attacked repeatedly over the years.
"It's not a worm," Graham Cluley, a senior technology consultant at Sophos, told TechNewsWorld. "It's a spam campaign that points to malicious software."
The attack could have occurred because users were using the same passwords on another website that was compromised, Cluley said.
Dynamite Comes in Small Packages
This fake AV attack is the latest in a series of attacks hitting Twitter in which shortened URLs were used.
In December, a worm spreading through goo.gl shortened links hit Twitter. In that attack, victims were reportedly first redirected to the compromised website of a French furniture company before being redirected to other domains.
In February of 2010, Twitter users were flooded with short URLs prefaced with the message "This you???" that led them to a fake Twitter login page, according to Andrew Brandt, a member of Webroot's threat research team.
"Twitter almost always involves shortened URLs -- whether they be good or bad," Sophos' Cluley said. "Shortened URLs can, of course, obscure from the unwary user the eventual destination that they will be taken to."
In November, a Symantec blog post warned that hackers were substituting legitimate shortened URLs included in tweets with different ones pointing to malicious websites after scanning the Twitter homepage to pick the most trendy topics.
Between the Devil and the Deep Blue Sea
It's not as if people are oblivious to the danger posed by shortened URLs.
At least as early as 2009, security experts were warning about the danger of URL shortening.
In September, McAfee launched a secure short URL service.
In December, Ben Schmidt, a University of Tulsa computer science student, created a proof-of-concept URL shortening service, d0z.me, which he dubbed "The Evil URL Shortener," that doubles as a tool for launching distributed denial-of-service attacks.
McAfee Labs warned in its threat predictions for 2011 that social media sites with URL-shortening services will lead all other such sites in terms of cybercriminal activity.
"Shortened URLs can be a danger sign," David Harley, an ESET senior research fellow, told TechNewsWorld. "Black hats do use them to hide the real destination in a number of contexts."
Black hats are malicious hackers.
However, it's not feasible to ban shortened URLs outright.
"Shortened URL sites are not 100 percent malicious, so blocking the domain outright can cause false positives, which researchers generally try to avoid," McAfee's Wosotowsky pointed out. "Goo.gl is an example of a site that's associated with Google, which might frown upon blocking the domain. This allows spammers to continually abuse the site."