Outbreak: Blackhole malware attack spreading on Twitter using "It's you on photo?" disguise

Filed Under: Malware, Social networks, Spam, Twitter

If you are a Twitter user, please be very cautious of clicking on links that claim you are pictured in an online photo.

Thousands of malicious links are being spammed out, targeting innocent users of the micro-blogging network.

The links point to Russian webpages that ultimately attempt to infect your Windows PC using the notorious Blackhole exploit kit.

Here's what the dangerous tweets look like:

Malicious tweets on Twitter

As you can probably see from the screengrab, there is a pattern to the dangerous tweets:

@[Username] It's you on photo? [Domain]/#[Username].html

So, if the cybercriminals were trying to infect me via my Twitter account, it would be a message saying

@gcluley It's you on photo? [Domain]/#gcluley.html

(In the above examples and screenshots I'm hiding the domain name, to avoid anyone visiting a dangerous URL.)

Here's a screenshot of the message that our own experts picked up at the @SophosLabs Twitter account:

Malicious tweet to @SophosLabs on Twitter

Of course, the cybercriminals behind the campaign could change the wording used in the dangerous tweets at any time.

If you see tweets like this, please do not click on them. There isn't a photo of you waiting at the end of the link - and the accounts that are spreading the messages have either been compromised by hackers or have been created by hackers with the purpose of spreading dangerous links like this.

Sophos detects the malware at the end of the link as Troj/JSRedir-HY: JavaScript that has been packed multiple times with the Dean Edwards packer (see Fraser Howard's technical paper "Malware with your Mocha" for an explanation of this obfuscating packer).

The script redirects to an IP address that itself redirects to a .CU.CC domain, to load executable code (Sophos is adding detection of this as Troj/Agent-XES) and you ultimately end up on a .SU domain that contains the Blackhole exploit kit.

There's a real danger that, unless Twitter users have properly protected their PCs and are warned of the risk, many people will click on the links without suspecting that they are putting their computer and personal data at risk.

Follow me on Twitter at @gcluley for the latest information on this attack.


We have also seen versions of this attack using the wording "It's about you?". Here's an example:

It's about you malicious tweet
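The tweet template above is simple enough to check for mechanically. The following is an added example (not code from the post or from Sophos) that flags tweets using either reported lure phrase, or the structural tell of the recipient's own handle appearing as the URL fragment ("/#gcluley.html"); the sample tweets and the example.invalid domain are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the post): flag tweets that follow the campaign's
# template "@[Username] It's you on photo? [Domain]/#[Username].html".
# Lure phrases are the two reported in the post; the sample domain below
# is a constructed placeholder, not the real campaign URL.
LURE_PHRASES = {"it's you on photo?", "it's about you?"}

# "@handle  <lure text>  <single URL token>" -- the whole tweet is one line.
TWEET_RE = re.compile(r"^@(?P<mention>\w{1,15})\s+(?P<lure>.+?)\s+(?P<url>\S+)$")

def analyse_tweet(text: str) -> dict:
    """Return the indicators found in one tweet; an empty dict means no match."""
    m = TWEET_RE.match(text.strip())
    if not m:
        return {}
    mention, lure, url = m.group("mention"), m.group("lure"), m.group("url")
    found = {}
    if lure.lower() in LURE_PHRASES:
        found["lure_phrase"] = lure
    # The template hides the recipient's own handle in the URL fragment
    # ("/#gcluley.html"). A link addressed to you that carries your name after
    # the '#' is the structural tell, whatever wording the spammer switches to.
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    fragment = urlsplit(url).fragment
    if fragment.lower() == f"{mention.lower()}.html":
        found["fragment_is_recipient"] = fragment
    return found

def is_suspicious(text: str) -> bool:
    """True when at least one campaign indicator is present."""
    return bool(analyse_tweet(text))

# Constructed sample tweets (placeholder domain, not the real campaign URL).
SAMPLES = [
    "@gcluley It's you on photo? example.invalid/#gcluley.html",
    "@SophosLabs It's about you? http://example.invalid/#SophosLabs.html",
    "@gcluley Great talk yesterday, slides at http://example.invalid/talk",
]

if __name__ == "__main__":
    for tweet in SAMPLES:
        print(is_suspicious(tweet), analyse_tweet(tweet), tweet, sep="  ")
```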

Please take care folks.

Black crow image from Shutterstock.



14 Responses to Outbreak: Blackhole malware attack spreading on Twitter using "It's you on photo?" disguise

  1. Also seen "It's аbout you?"

  2. There's a very simple rule of thumb here: If someone you don't know tweets you a link, it's either spam, an exploit or probably both.

  3. laavventura · 1164 days ago

    I'm guilty...I clicked it! I don't know why as I usually never do something like that, but I clicked anyway. AVG picked up the attack fast.

  4. Nice info.

  5. Sammy · 1163 days ago

    Does this affect PC & Mac users or just PC?

  6. Ig Roberts · 1163 days ago

    I got one this morning.

  7. markstockley · 1163 days ago

    @juamei agreed - other warning signs on mine included: default egg avatar, Russian user name, .ru ccTLD, Russian domain, domain with numerals at the end, poor spelling, obvious link bait (contained no information; you can only find out more by clicking the link).

    Basically it looked *so unlike* a normal communication that I'd receive it was obvious it was something that shouldn't be there.

  8. Mike91163 · 1163 days ago

    Me? I have no worries of being infected via this vector...why? Because I actually have a REAL LIFE in the REAL WORLD, and do not have the time or desire to worry about other people's inane lives. I do not wait breathlessly for the latest tweet from some Twit.

    Believe it or not, in the early days of the Internet (28.8k modems, anyone?) and before, humans were actually able to communicate with each other...I know, for some of you it might be hard to imagine a world without Facebook, Twitter, etc., but the world did exist then...and no, dinosaurs were not roaming the planet.

  9. Minor update. The Blackhole Twitter malware attack exploits Adobe PDF and Shockwave Flash vulnerabilities.

    Sophos detects them as Troj/PDFEx-GD and Troj/SWFExp-AI.

  10. Matt · 1163 days ago

    Tried the link in "Offbyone", which I use to examine any unsafe links - if you check the very limited capabilities (No flash, no java, no JS) I think it's immune.

    Question is, if you are fully patched-up, are you immune to this exploit?

  11. Adam · 1163 days ago

    I clicked this without thinking yesterday (tired!) but closed the link within a few seconds once I realized what I'd done. Whatever it was hadn't finished loading. I'm not sure if I shut it down in time but I'll check shortly (although I'm using MSE, not Sophos, so I'm assuming it will pick it up).

  12. HackedAccount · 1162 days ago

    BlackHole exploits aren't only flooding in via Twitter. On July 18th, my Yahoo mail account was cracked and remotely logged in from a static IP showing a 'home' DSL user in Argentina as the source. I'm in Michigan, and don't own a Star Trek transporter to log in again... from 1000s of miles away, and within 20 minutes from my real home log-in.

    Every e-mail that was sent in the 45 minutes or so it was compromised contained a Facebook-ish "http://xxyyzz.com/wordpressPluginFolder/like.php?someImage.jpg" styled link with nothing else in the message body - and no subject line. Seems like the same type of social photo/story 'hook' to get you clicking, as has happened on Twitter. A quick check via the web verified the BlackHole origins from several AV vendors.

    I alerted Yahoo and made password and security changes, but I have my doubts that mine was the only compromised account found to be sending exploits out. Don't be surprised if Yahoo announces they've also had a recent breach, and regular user account details (not the content/contributor accounts previously announced) were scraped from their servers.

  13. Sherif · 1162 days ago

    How can I make sure that a certain antivirus can detect that exploit? I'm interested in Symantec.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley