Compromised Twitter Accounts Spread Links to Malware Downloads
It appears that a new worm is spreading by hijacking Twitter accounts and using them to advertise links to a drive-by download website. The attack starts with goo.gl shortened URLs being sent by users whose computers have already been infected by the new threat.
The links get changed as soon as Google suspends them for abuse. One goo.gl URL pointed to a page hosted on a compromised website belonging to a French furniture manufacturing business.
This page takes visitors through several redirects and eventually lands them on a drive-by download site that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader.
According to various reports, in addition to the compromised .fr website, an .it one has also been observed, which ironically belongs to a firm offering computer repair services. An interesting aspect of these websites is that both of them are entirely designed in Flash. We're not sure at this point if this is just a coincidence or a pattern.
There is still no detailed analysis of the malware installed when exploitation succeeds. However, it's pretty clear that it can hijack the Twitter accounts of people using the infected computers.
The rogue messages are sent through Twitter's mobile site instead of the main Web interface, which the attackers probably do for convenience. Hijacking accounts like this is reminiscent of the Koobface social networking worm, which also targeted Twitter in the past. However, at this point this is only speculation.
According to TechCrunch, Twitter is aware of the attack and is actively resetting the passwords of the compromised accounts.
Users are advised to be suspicious of goo.gl links that are posted with no other message attached, although this behavior might change.
Credit: Softpedia.com News