Fake anti-virus attack spreads on Twitter via goo.gl links


Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack.

A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl), which itself points to a URL ending with "m28sx.html".

Although most affected Twitter users appear to be oblivious to what has occurred, a few have noticed the messages and suspected a security breach.

[Image: Twitter users with accounts abused in fake anti-virus attack]

If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems.

Sophos is adding detection of the malware as Troj/FakeAV-CMG. Sophos's Live Protection technology has been protecting customers against the Ukrainian URL hosting the malware since January 12th.

Interestingly, all of the offending Twitter messages examined by Sophos so far claim to have been posted by "Mobile Web" (Twitter's "lite" interface for generic mobile phone users) rather than users' normal clients such as Tweetdeck or Twitter for iPhone.

[Image: Goo.gl tweets]
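The indicators reported above (a tweet consisting of nothing but a goo.gl link, a "Mobile Web" source label, and a landing URL ending in "m28sx.html") can be combined into a simple triage check for spotting affected accounts. This is an added example, not code from Sophos or Twitter; the record fields (`user`, `text`, `source`, `expanded_url`) and every sample tweet are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Tweet text that is nothing but a single goo.gl short link.
BARE_GOOGL = re.compile(r"^\s*(?:https?://)?goo\.gl/[A-Za-z0-9]+\s*$", re.IGNORECASE)
LANDING_SUFFIX = "m28sx.html"  # URL ending named in the article
SUSPECT_SOURCE = "mobile web"  # posting client named in the article


def score_tweet(tweet):
    """Return the article's indicators that one tweet record matches."""
    hits = []
    if BARE_GOOGL.match(tweet.get("text") or ""):
        hits.append("bare-goo.gl-link")
    if (tweet.get("source") or "").strip().lower() == SUSPECT_SOURCE:
        hits.append("mobile-web-source")
    # expanded_url is assumed to be resolved elsewhere; it may be missing.
    path = urlparse(tweet.get("expanded_url") or "").path.lower()
    if path.endswith(LANDING_SUFFIX):
        hits.append("m28sx-landing-page")
    return hits


def affected_accounts(tweets, min_hits=2):
    """Map user -> sorted indicators for accounts with a tweet matching
    at least min_hits indicators. One indicator alone is too noisy."""
    flagged = {}
    for tweet in tweets:
        hits = score_tweet(tweet)
        if len(hits) >= min_hits:
            flagged.setdefault(tweet["user"], set()).update(hits)
    return {user: sorted(found) for user, found in flagged.items()}


# Constructed sample records (hypothetical schema, placeholder hosts).
SAMPLE_TWEETS = [
    {"user": "alice", "text": "http://goo.gl/aB3dE", "source": "Mobile Web",
     "expanded_url": "http://host.example.invalid/m28sx.html"},
    {"user": "bob", "text": "Good read on password reuse http://goo.gl/Zx9Qw",
     "source": "TweetDeck", "expanded_url": "http://news.example.invalid/story.html"},
    {"user": "carol", "text": " goo.gl/Qq12Z ", "source": "Mobile Web",
     "expanded_url": None},  # short link not resolved yet
    {"user": "dave", "text": "http://goo.gl/Lm4No", "source": "Twitter for iPhone",
     "expanded_url": "http://photos.example.invalid/album"},
]

if __name__ == "__main__":
    for user, found in affected_accounts(SAMPLE_TWEETS).items():
        print(user, found)
```

Requiring two indicators keeps ordinary link-only tweets from a user's normal client (the "dave" record) out of the results while still catching a tweet whose short link has not been expanded yet.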

What isn't yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately.

Remember, you should never use the same password on multiple websites.

Earlier this week Sophos published its 2011 Security Threat Report, revealing a sharp rise in the number of cybercriminal attacks taking place via social networks.


Update: Del Harvey of Twitter's security team has confirmed the problem, and reports that the site is removing the dangerous links and resetting the passwords of compromised accounts.


One Response to Fake anti-virus attack spreads on Twitter via goo.gl links

  1. It keeps sending direct messages. I can't log out or change settings! How the hell do I stop it? And I have forgotten my password too :-(


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.