Twitter malware warning: It's you on photo? or It's about you?

A new piece of malware is spreading on Twitter by getting users to click on a link that allegedly features a photo of them. There is no such photo on the other end.
Written by Emil Protalinski, Contributor

Security researchers have discovered a new Twitter scam campaign that is spreading quickly across the social network by claiming to be a photo of the victim. Please be warned: there is no photo. There are, however, individuals very interested in putting the Blackhole exploit kit onto your computer (note: this is not the first time Twitter users are specifically being targeted, and it certainly won't be the last).

The malware uses at least two different messages to spread. Twitter searches for "It's you on photo?" and "It's about you?" show that the scam is still circulating widely.

As you can see in the screenshot above, the malicious tweets follow this pattern (please note that the cybercriminals can change the scam's wording as they please):

@[username] It's about you? http://[domain]/#[username].html
@[username] It's you on photo? http://[domain]/#[username].html

I'm EmilProtalinski on Twitter. As such, if I were targeted by this scam, the message would look like this:

@emilprotalinski It's you on photo? http://[domain]/#emilprotalinski.html
@emilprotalinski It's about you? http://[domain]/#emilprotalinski.html
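The two things that make these tweets recognisable are the lure phrase and, more durably, the structure: the mentioned handle is repeated in the URL fragment as `<handle>.html`. The following is an added example (not code from the article, Sophos or Webroot) of a small detector that checks both signals over a constructed feed of tweets; the host `example.invalid` is a placeholder, not one of the campaign's domains, and the sample tweets are constructed.

```python
import re
from urllib.parse import urlsplit

# Lure wordings reported in the article. The criminals can change these at will,
# so the structural check below (handle repeated in the fragment) is the sturdier signal.
SCAM_PHRASES = (
    "it's you on photo?",
    "it's about you?",
)

# "@handle <text> <url>": Twitter handles are 1-15 word characters.
MENTION_RE = re.compile(r"^@(\w{1,15})\s+(.*?)\s+(https?://\S+)\s*$", re.IGNORECASE)


def analyse_tweet(text):
    """Return a dict explaining why a tweet matches the campaign pattern, or None."""
    m = MENTION_RE.match(text.strip())
    if not m:
        return None
    handle = m.group(1).lower()
    # Normalise curly apostrophes so "It’s" and "It's" compare equal.
    body = m.group(2).strip().lower().replace("\u2019", "'")
    parts = urlsplit(m.group(3))

    reasons = []
    if body in SCAM_PHRASES:
        reasons.append("known lure phrase")
    # The lure places the victim's own handle in the URL fragment as <handle>.html.
    # A fragment is never sent to the server, so it carries no real path; seeing the
    # mentioned handle repeated there is a strong structural indicator.
    if parts.fragment.lower() == f"{handle}.html":
        reasons.append("mentioned handle repeated in URL fragment")

    if not reasons:
        return None
    return {"handle": handle, "host": parts.hostname, "reasons": reasons}


def scan_tweets(tweets):
    """Run analyse_tweet over a feed and return only the flagged results, in order."""
    return [r for r in (analyse_tweet(t) for t in tweets) if r]


# Constructed sample feed (example.invalid is a placeholder host, not a campaign domain).
SAMPLE_TWEETS = [
    "@emilprotalinski It's you on photo? http://example.invalid/#emilprotalinski.html",
    "@emilprotalinski It's about you? http://example.invalid/#emilprotalinski.html",
    # Reworded lure, same structure: still caught by the fragment check.
    "@alice Is it you in this photo? http://example.invalid/#alice.html",
    # Ordinary mention with a link: not flagged.
    "@bob great article, thanks! http://example.invalid/post/123",
]

if __name__ == "__main__":
    for hit in scan_tweets(SAMPLE_TWEETS):
        print(f"@{hit['handle']} -> {hit['host']}: {', '.join(hit['reasons'])}")
```

The third sample shows why the structural check is kept separate from the phrase list: a reworded tweet still trips the fragment rule, which is the part the spammer's tooling generates automatically and is least likely to change.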

Sophos, which first discovered this threat, detects the malware at the end of the link as "Troj/JSRedir-HY" and "Troj/Agent-XES." The security firm says the script redirects to an IP address which in turn redirects to a .cu.cc domain to load executable code, ultimately taking you to a .su domain that contains the Blackhole exploit kit.

"Thousands of malicious links are being spammed out, targeting innocent users of the micro-blogging network," a Sophos spokesperson said in a statement. "There's a real danger that if Twitter users have not properly protected their PCs, and unless they are warned of the risk, that many people will click on the links without suspecting that they are putting their computer and personal data at risk."

Webroot says that a Russian spam campaign, which started on July 23, appears to be the origin of this English-language attack. This makes sense given that many of the domains appear to be .ru (and the redirection seems to take place through traffichouse.ru).

"The campaign is currently propagating in the following way – an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim," a Webroot spokesperson said in a statement. "The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files."

As a general word of caution, don't click on random Twitter links that are directed at you. If you aren't sure why someone is sending you a link, ask them.
