Huge Twitter spam campaign for fake antivirus discovered

A new spam campaign is pushing a fake antivirus via hundreds of fake Twitter accounts and thousands of tweets. Don't click on links just because someone tweeted them to you.

Kaspersky today discovered a new spam campaign on Twitter pushing fake antivirus software. Since it is still ongoing, the numbers for it are likely much higher than what the security firm first reported: 540 compromised Twitter accounts sent out 4148 tweets, linking to a total of 44 unique domains (most of them hosted on .tk and

A quick search on Twitter shows that the scam is still rampant. Here are a handful of tweets I saw while writing this article, to give you an idea of what the spam looks like:

@[real Twitter user] " mystical " [link] proven anti-virus
@[real Twitter user] " commercial " [link] proven anti-virus
@[real Twitter user] " crisco " [link] proven anti-virus
@[real Twitter user] " banc " [link] proven anti-virus
@[real Twitter user] " meow " [link] proven anti-virus

The compromised accounts spammed up to 8 messages per second, with links sending users to the infamous BlackHole exploit kit. If you click one of these links, you're prompted with the following bogus warning: "Windows Antivirus 2012 has found critical process activity on your PC and will perform fast scan of system files!"

You are then told a fast scan is occurring (not true), at the end of which you are invited to install the aforementioned malware. Kaspersky says it tested various links and found that several variants were pushed to the infected machines.
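As an added example (not code from Kaspersky or from the original article), the Python below matches the tweet template quoted above and flags senders that reach the reported rate of 8 messages per second. The (timestamp, sender, text) tuple format, the account names and the .example domains are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Template from the quoted tweets: @mention, a quoted filler word,
# a link, then the fixed phrase "proven anti-virus".
TEMPLATE = re.compile(
    r'^@\w+\s+"\s*[^"\s]+\s*"\s+(?P<url>https?://\S+)\s+proven anti-virus\s*$',
    re.IGNORECASE,
)

def summarize(tweets, burst_per_second=8):
    """tweets: iterable of (epoch_second, sender, text) tuples (assumed format)."""
    per_sender = defaultdict(lambda: defaultdict(int))  # sender -> second -> count
    domains = set()
    matched = 0
    for ts, sender, text in tweets:
        m = TEMPLATE.match(text.strip())
        if not m:
            continue  # does not follow the campaign template
        matched += 1
        domains.add(urlparse(m.group("url")).hostname)
        per_sender[sender][int(ts)] += 1
    # A sender is "bursting" if any one-second bucket reaches the threshold.
    bursting = sorted(
        s for s, buckets in per_sender.items()
        if max(buckets.values()) >= burst_per_second
    )
    return {
        "matched": matched,
        "senders": sorted(per_sender),
        "domains": sorted(domains),
        "bursting": bursting,
    }

# Constructed sample data: one account bursting within a single second,
# one slower account, and one unrelated tweet that must not match.
WORDS = ["mystical", "commercial", "crisco", "banc", "meow", "alpha", "bravo", "delta"]
SAMPLE = [
    (1000, "acct_a", f'@user{i} " {w} " http://lure-one.example/{i} proven anti-virus')
    for i, w in enumerate(WORDS)
]
SAMPLE += [
    (1001, "acct_b", '@bob " meow " http://lure-two.example/y proven anti-virus'),
    (1002, "acct_c", "@carol any proven anti-virus to recommend? http://vendor.example/"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```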

At one point, the campaign stopped and then restarted with renewed gusto. I've been monitoring it myself on Twitter, and I can say that it's still not over. While it may look like it's dying down, the malware writers behind it can always give it new life by using old or new fake Twitter accounts.

As a general word of caution, don't click suspicious links on Twitter. If you can't tell whether a link is suspicious or not, don't click it anyway.
