Twitter malware attack targets Israeli blockade

Screenshot of Twitter attack


Another malware attack is making the rounds on Twitter and at least one tactic being used to spread the tweets is to use the Israeli/Gaza strip topic as bait. The links being tweeted mostly contain malicious code that is known to researchers as Bifrost.

The tweet pictured at right was translated from Arabic and is trying to convince people who support the Palestinians to download a toolbar. The Bifrost trojan sets up a backdoor on the victim computer and can hand over remote control to the criminals behind the attack. Some of the more sophisticated versions also contain a rootkit. As with most trojans, Bifrost allows remote execution of arbitrary code. Simply one more reason to be wary of browser toolbars...

Screenshot of tweets phishing Israeli supporters

Criminals tend to be equal opportunity exploiters. By choosing a topic that inspires passion on both sides, they can get innocent surfers to succumb to their political fervor. Another scam being perpetrated from the same server involves a phish targeting supporters of the Israeli side of the conflict.

One of the links leads to a jotform.com page that asks for your email address and password so it can “Support Israel via Facebook.” Another link is a Yahoo! phish that also targets Israeli supporters.

Screenshot of phishing page for Israel supporters

Nice girl screensaver picture

Other attacks in this campaign target lonely men with the tried-and-true lure of sexy women who want to have a deep and stimulating conversation. This one, pretending to be a screensaver, displays this photo and then proceeds to infect your computer. Sophos detects the screensaver as Troj/Mdrop-CPU and the components that are installed as Mal/EnPk-LR and Mal/KeInject-A.

Another piece of malware associated with this campaign using sex as the come-on is called chatwithgirls.exe. This one is a variant of the Bifrost trojan and is identified by Sophos as Troj/Inject-JU and Troj/Inject-JV.

All of this is being hosted by h1[dot]ripway[dot]com, a domain that has hosted several malicious campaigns in the last few weeks. I have alerted Twitter to the scam and expect they will take action to remove and disable the accounts involved.

As always, pay close attention to links sent via social media from people you don’t know. Try to keep your emotions in check when being lured to take an action around politics, love, or anything else you feel strongly about.

I would like to thank the folks working hard this weekend in SophosLabs for their help, and the contagio blog for additional details about this attack.