Kaspersky today discovered a new spam campaign on Twitter pushing fake antivirus software. Since the campaign is still ongoing, the real numbers are likely much higher than what the security firm first reported: 540 compromised Twitter accounts sent out 4,148 tweets linking to 44 unique domains, most of them hosted under .tk and .tw1.su.
A quick search on Twitter shows that the scam is still rampant. Here are a handful of tweets I saw while writing this article, to give you an idea of what the spam looks like:
@[real Twitter user] " mystical " [link] proven anti-virus
@[real Twitter user] " commercial " [link] proven anti-virus
@[real Twitter user] " crisco " [link] proven anti-virus
@[real Twitter user] " banc " [link] proven anti-virus
@[real Twitter user] " meow " [link] proven anti-virus
The compromised accounts spammed at a rate of up to 8 messages per second, with links that send users to the infamous BlackHole exploit kit (see the related links below). As you can see in the screenshot above, clicking one of these links brings up the following bogus warning: "Windows Antivirus 2012 has found critical process activity on your PC and will perform fast scan of system files!"
You are then told that a fast scan is in progress (it isn't), at the end of which you are invited to install the fake antivirus. Kaspersky says it tested various links and found that several variants of the malware were pushed to infected machines.
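As an added example, not code from the article or from Kaspersky, here is a small Python triage script that turns the observations above into detection logic for a stream of tweets: it matches the lure shape (an @mention, a quoted filler word, a link, then "proven anti-virus"), checks whether the link's host falls under the reported .tk or .tw1.su suffixes, and flags accounts that post several messages inside a one-second window. The sample tweets, account names and hostnames are constructed for the example, and the burst threshold of 4 tweets per second is an assumption set well below the 8 per second observed in the campaign.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Added example: flag tweets that match the shape of the fake-AV campaign.
# Shape of the spam tweets: @mention, a quoted filler word, a link, "proven anti-virus".
LURE_RE = re.compile(
    r'^@\w{1,15}\s+"\s*[^"\s]+\s*"\s+(?P<url>https?://\S+)\s+proven\s+anti-virus\s*$',
    re.IGNORECASE,
)

# Hosting suffixes reported for the campaign's landing domains.
SUSPECT_SUFFIXES = (".tk", ".tw1.su")


def lure_url(text):
    """Return the link from a tweet that matches the lure shape, else None."""
    m = LURE_RE.match(text.strip())
    return m.group("url") if m else None


def suspect_domain(url):
    """True if the link's host is one of, or sits under, the reported suffixes."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in SUSPECT_SUFFIXES)


def bursts(timestamps, window=1.0, limit=4):
    """True if `limit` or more events fall inside any `window`-second span.

    The limit of 4 per second is an assumed threshold, not a figure from the article.
    """
    ts = sorted(timestamps)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False


def classify(tweets, window=1.0, limit=4):
    """tweets: iterable of (account, unix_seconds, text). Returns {account: set(reasons)}.

    Reasons: "lure_pattern" (text matches the spam shape), "suspect_domain"
    (link host under a reported suffix), "burst" (posting rate above the limit).
    """
    reasons = defaultdict(set)
    times = defaultdict(list)
    for account, ts, text in tweets:
        times[account].append(ts)
        url = lure_url(text)
        if url:
            reasons[account].add("lure_pattern")
            if suspect_domain(url):
                reasons[account].add("suspect_domain")
    for account, ts in times.items():
        if bursts(ts, window, limit):
            reasons[account].add("burst")
    return {a: r for a, r in reasons.items() if r}


# Constructed sample data for this example (not real accounts, tweets or domains).
SAMPLE_TWEETS = [
    ("bot_account", 1000.0, '@someone " mystical " http://scan-now.tk/av proven anti-virus'),
    ("bot_account", 1000.2, '@another " commercial " http://scan-now.tk/av proven anti-virus'),
    ("bot_account", 1000.4, '@third " crisco " http://update.tw1.su/x proven anti-virus'),
    ("bot_account", 1000.6, '@fourth " banc " http://scan-now.tk/av proven anti-virus'),
    ("bot_account", 1000.8, '@fifth " meow " http://scan-now.tk/av proven anti-virus'),
    ("chatty_user", 1000.0, "proven anti-virus tip: keep your OS patched"),
    ("chatty_user", 1000.1, "@friend see http://example.com/blog"),
    ("chatty_user", 1000.2, "another thought"),
    ("chatty_user", 1000.3, "and one more"),
    ("lookalike", 1005.0, '@pal " test " http://example.com/page proven anti-virus'),
]

if __name__ == "__main__":
    for account, why in sorted(classify(SAMPLE_TWEETS).items()):
        print(account, sorted(why))
```

Only an account that trips all three signals (lure shape, suspect hosting, burst rate) is a confident match; a fast poster with normal text, or a lone tweet that happens to fit the pattern but links somewhere ordinary, shows up with a single reason and deserves a human look rather than automatic action.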
At one point the campaign stopped, then restarted with renewed gusto. I've been monitoring it myself on Twitter, and I can say that it's still not over. Even if it looks like it's dying down, the malware writers behind it can always give it new life using old or newly created fake Twitter accounts.
As a general word of caution, don't click suspicious links on Twitter. If you can't tell whether a link is suspicious or not, don't click it anyway.
- Nuclear Pack exploit kit introduces anti-honeyclient crawling feature
- Compromised WordPress sites serving client-side exploits and malware
- Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem
- Cryptome.org hacked, serving client-side exploits
- Web malware exploitation kits updated with new Java exploit
- Which are the most commonly observed Web exploits in the wild?