Outbreak: Blackhole malware attack spreading on Twitter using “It’s you on photo?” disguise

If you are a Twitter user, please be very cautious about clicking on links that claim you are pictured in an online photo.

Thousands of malicious links are being spammed out, targeting innocent users of the micro-blogging network.

The links point to Russian webpages that ultimately attempt to infect your Windows PC using the notorious Blackhole exploit kit.

Here’s what the dangerous tweets look like:

Malicious tweets on Twitter

As the screengrab above shows, the dangerous tweets follow a pattern:

@[Username] It's you on photo? [Domain]/#[Username].html

So, if the cybercriminals were trying to infect me via my Twitter account, it would be a message saying

@gcluley It's you on photo? [Domain]/#gcluley.html

(In the above examples and screenshots I'm hiding the domain name, to avoid anyone visiting a dangerous URL.) Note that the `#[Username].html` part is a URL fragment: browsers do not send it to the web server, so every victim is served the same page and the username only makes the link look personal.

Here’s a screenshot of the message that our own experts picked up at the @SophosLabs Twitter account:

Malicious tweet to @SophosLabs on Twitter

Of course, the cybercriminals behind the campaign could change the wording used in the dangerous tweets at any time.

If you see tweets like this, please do not click on them. There isn't a photo of you waiting at the end of the link, and the accounts spreading the messages have either been compromised by hackers or were created by hackers specifically to spread dangerous links like this.

Sophos detects the malware at the end of the link as Troj/JSRedir-HY: JavaScript that has been run through the Dean Edwards packer several times over (see Fraser Howard's technical paper "Malware with your Mocha" for an explanation of this obfuscating packer).

The script redirects to an IP address, which in turn redirects to a .CU.CC domain that loads executable code (Sophos is adding detection of this as Troj/Agent-XES); you ultimately end up on a .SU domain hosting the Blackhole exploit kit.
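The packer layers described above can be peeled off without executing the script, which matters because the decoder lives inside an eval() and running the sample means running attacker code. The following is an added example, not code from Sophos and not the Troj/JSRedir-HY sample itself: a Python unpacker that mirrors the packer's own decoder stub (eval(function(p,a,c,k,e,d){...}) with the payload, base, word count and word list as trailing arguments) and loops until no packer call remains. Because the real script is not reproduced here, the block builds its own constructed doubly-packed sample with a minimal pack() helper; PACKER_BODY is the stock decoder text, and the one-line script being packed is an assumed placeholder.

```python
import re

# Stock decoder emitted by Dean Edwards' packer; the payload, base, word count
# and word list follow it as arguments. Real samples differ only in whitespace.
PACKER_HEAD = "eval(function(p,a,c,k,e,d){"
PACKER_BODY = ("e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?"
               "String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String))"
               "{while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"
               "e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace("
               "new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}")
# Trailing arguments: ('payload',base,count,'w0|w1|...'.split('|'),0,{})
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,d\)\{.*?\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),"
    r"'((?:[^'\\]|\\.)*)'\.split\('\|'\),\d+,\{\}\)\)", re.S)


def encode(num, base):
    """Token for word index `num`: 0-9, then a-z, then A-Z (mirrors e() in the decoder)."""
    out = ""
    while True:
        num, r = divmod(num, base)
        out = (chr(r + 29) if r > 35 else (chr(r + 87) if r > 9 else str(r))) + out
        if num == 0:
            return out


def _unescape(s):
    # The packer escapes only backslash and single quote inside its string arguments.
    return re.sub(r"\\([\\'])", r"\1", s)


def _escape(s):
    return re.sub(r"([\\'])", r"\\\1", s)


def unpack_once(text):
    """Undo one packer layer; returns None if no packer call is present."""
    m = PACKED_RE.search(text)
    if not m:
        return None
    payload, base, count = _unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = _unescape(m.group(4)).split("|")
    # Same loop as the decoder: walk indexes from count-1 down to 0, skipping empty words,
    # and replace each whole-word token with the word it stands for.
    for i in range(count - 1, -1, -1):
        if i < len(words) and words[i]:
            payload = re.sub(r"\b%s\b" % re.escape(encode(i, base)),
                             lambda _m, w=words[i]: w, payload)
    return text[:m.start()] + payload + text[m.end():]


def unpack(text, max_layers=10):
    """Peel packer layers until none remain; returns (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        nxt = unpack_once(text)
        if nxt is None:
            break
        text, layers = nxt, layers + 1
    return text, layers


def pack(source, words, base=62, first=0):
    """Minimal packer used only to build the sample: words[i] becomes token encode(first+i)."""
    payload = source
    for i, w in enumerate(words):
        payload = re.sub(r"\b%s\b" % re.escape(w), encode(first + i, base), payload)
    wordlist = [""] * first + list(words)
    return "%s%s('%s',%d,%d,'%s'.split('|'),0,{}))" % (
        PACKER_HEAD, PACKER_BODY, _escape(payload), base, len(wordlist),
        _escape("|".join(wordlist)))


# Constructed sample (not the real Troj/JSRedir-HY): a placeholder one-liner packed twice.
# The outer layer uses tokens A and B (indexes 36 and 37) so they cannot collide with
# the p,a,c,k,e,d parameter names or digit tokens inside the inner packed text.
INNER = pack("var x=document.location;", ["var", "x", "document", "location"])
SAMPLE = pack(INNER, ["eval", "function"], first=36)

if __name__ == "__main__":
    plain, layers = unpack(SAMPLE)
    print("layers removed:", layers)
    print(plain)
```

The regex keys only on the fixed parameter list `p,a,c,k,e,d` and the trailing `.split('|'),0,{}))` arguments, so it tolerates the whitespace differences found in real samples; what it will not do is handle a second obfuscator stacked on top of the packer, which is why the loop reports how many layers it removed and stops when nothing recognisable is left.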

There's a real danger that, unless Twitter users have protected their PCs and are warned of the risk, many will click on the links without suspecting that they are putting their computer and personal data in danger.

Follow me on Twitter at @gcluley for the latest information on this attack.


We have also seen versions of this attack using the wording “It’s about you?”. Here’s an example:

It's about you malicious tweet
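Both phrasings seen in this campaign share the same shape: an @mention, the lure text, then a link whose #fragment repeats the mentioned handle. As an added example that is not part of the original article, here is a small Python matcher that picks such tweets out of a stream, records the lure domain, and flags whether the fragment was personalised to the mentioned account. The SAMPLE_TWEETS list is constructed for the demonstration and the .invalid domains are placeholders, not the real campaign domain.

```python
import re
from collections import Counter

# Lure phrasings seen in the campaign; the matcher normalises curly apostrophes first.
LURE_PHRASES = ("It's you on photo?", "It's about you?")

# @mention, lure text, then a single link token. Twitter handles are 1-15 word characters.
TWEET_RE = re.compile(
    r"^@(?P<handle>\w{1,15})\s+(?P<lure>%s)\s+(?P<url>\S+)\s*$"
    % "|".join(re.escape(p) for p in LURE_PHRASES)
)


def classify(tweet):
    """Return campaign details if `tweet` matches the lure template, else None."""
    text = tweet.replace("\u2019", "'").strip()
    m = TWEET_RE.match(text)
    if not m:
        return None
    path, _, fragment = m.group("url").partition("#")
    domain = re.sub(r"^https?://", "", path).split("/")[0].lower()
    # Everything after '#' is a URL fragment: the browser never sends it to the
    # server, so '#<handle>.html' only makes the bait look personal.
    personalised = fragment.lower() == m.group("handle").lower() + ".html"
    return {"tweet": tweet, "handle": m.group("handle"), "lure": m.group("lure"),
            "domain": domain, "fragment": fragment, "personalised": personalised}


def scan(tweets):
    """Filter a stream of tweets down to the ones matching the lure template."""
    return [hit for hit in map(classify, tweets) if hit]


def domains_by_volume(hits):
    """Count lure links per domain: the quickest view of a spam run's infrastructure."""
    return Counter(hit["domain"] for hit in hits)


# Constructed sample tweets (not real data); .invalid is a reserved TLD.
SAMPLE_TWEETS = [
    "@gcluley It's you on photo? example-lure.invalid/#gcluley.html",
    "@SophosLabs It\u2019s about you? http://example-lure.invalid/#SophosLabs.html",
    "@gcluley Nice photo from the conference! https://example.invalid/photos/123",
    "@someone It's you on photo? other-lure.invalid/#other.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TWEETS):
        print(hit["handle"], "|", hit["lure"], "|", hit["domain"],
              "| personalised" if hit["personalised"] else "| generic")
    print(domains_by_volume(scan(SAMPLE_TWEETS)))
```

Keying on the exact lure text is brittle by design, since the wording can change at any time; the stable signal is the structure (mention plus a link whose fragment mirrors the mention), so in practice you would keep the domain counter and loosen the lure alternation as new variants appear.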

Please take care, folks.

Black crow image from Shutterstock.