A currently ongoing malware-serving campaign across Twitter is continuing to abuse the momentum offered by Twitter's trending topics in order to trick users into visiting bogus exclusive video sites and infect them with malware.
The campaign, spreading since last week, relies on a growing number of automatically registered bogus Twitter accounts, which combine trending topics and hashtags with custom messages and pre-defined TinyURL links, all leading to an identical fake codec that drops three different malware samples.
Let's dissect their activities, and find a common pattern of exploitation.
This latest campaign once again demonstrates that malicious parties do not maintain a static list of potentially dangerous keywords. Thanks to the dynamic nature of today's Web, they serve malware in real time by automatically syndicating the Web's buzz and mixing it with malicious content hosted on legitimate services, whose high PageRanks ensure the shortest possible time before their content is crawled by public search engines.
The tweets are generated by combining popular hashtags or trending topics with the campaign's message and a relatively static TinyURL link.
Here are some of the topics currently used in the campaign:
- Shocking video today, Headline news video, Shocking news theme
- Airplane crash theme, for instance: Jumbo Jet 747 on fire, 280 deaths, Little Cessna crash in Vancouver, Airbus A330-200 Crash Video, Young children killed in car crash, Terrible car crash in Fresno, CA, 15 deaths, online video, Airbus A330-200 Crash Video, AA AIRBUS A340 CRASH in Auburn, 189 fatalities
- Celebrities in front of shopping mall theme
- Rape theme - Raped Tonight by 20 skinheads - HEADLINE News Video, Pedophile raped over 580 children, Rihanna Raped Tonight by 20 skinheads in Maryland State. VIDEO
Upon following any of the links, users are redirected to a site serving Mal/FakeAV-AY (streamviewer.40030.exe), which attempts to trick visitors with a common social engineering theme: the lack of a required codec needed to view the video.
Cybercriminals adapt quickly. Last week's campaign used the bit.ly URL-shortening service, which cross-checks submitted URLs for possible maliciousness against community-driven databases.
The effectiveness of this common-sense technique is best described by the "Warning - this site has been flagged by SURBL and may contain unsolicited content." message served for the very same domain that the malicious parties are now freely redirecting to through TinyURL.
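As an added example that is not part of the original post, the following Python sketch shows how a defender might flag tweets matching the pattern described above: a trending topic paired with a lure phrase and a shortener link, where the short link is expanded and its final domain checked against a SURBL-style blocklist, as bit.ly does and TinyURL did not. The lure phrases are assumed from the themes listed above; the redirect table, blocklist and domain names are constructed stand-ins.

```python
import re
from urllib.parse import urlparse

# Lure phrases assumed from the campaign themes described in the post
LURE_PATTERNS = [r"\bshocking (?:video|news)\b", r"\bheadline news video\b",
                 r"\bcrash video\b", r"\braped tonight\b", r"\b\d+ (?:deaths|fatalities)\b"]
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}
URL_RE = re.compile(r"https?://\S+")

# Constructed stand-in for a SURBL-style domain blocklist (hypothetical domain)
BLOCKLIST = {"fake-codec.example"}
# Constructed redirect table standing in for a live HTTP HEAD lookup of each short link
REDIRECTS = {
    "http://tinyurl.com/abc123": "http://fake-codec.example/streamviewer.40030.exe",
    "http://bit.ly/xyz789": "http://news.example/story",
}


def expand_short_url(url, redirects=REDIRECTS):
    """Follow the redirect table until it stops (loop-safe)."""
    seen = set()
    while url in redirects and url not in seen:
        seen.add(url)
        url = redirects[url]
    return url


def classify_tweet(text, trending):
    """Return the campaign indicators present in one tweet, in the order found."""
    reasons = []
    lowered = text.lower()
    if any(topic.lower() in lowered for topic in trending):
        reasons.append("trending_topic")
    if any(re.search(p, lowered) for p in LURE_PATTERNS):
        reasons.append("lure_phrase")
    for url in URL_RE.findall(text):
        host = urlparse(url).netloc.lower()
        if host in SHORTENER_HOSTS:
            reasons.append("shortener_link")
            final_host = urlparse(expand_short_url(url)).netloc.lower()
            if final_host in BLOCKLIST:
                reasons.append("blocklisted_destination")
    return reasons


def is_campaign_tweet(text, trending):
    """Flag a tweet when a shortener link is paired with a lure phrase or a blocklisted target."""
    reasons = classify_tweet(text, trending)
    return "shortener_link" in reasons and ("lure_phrase" in reasons or "blocklisted_destination" in reasons)
```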