nsane.forums, posted January 20, 2011

A fast-moving Twitter worm is in circulation, using Google's goo.gl redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign. At 8:45 a.m. EST today, this Twitter search shows thousands of Twitter messages continuing to spread the worm.

According to malware hunters tracking the threat, the worm's redirection chain pushes users to a Web page serving up the "Security Shield" Rogue AV. The page is using obfuscation techniques that include an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Kaspersky Lab malware researcher Nicolas Brulez (see important disclosure) said the original "goo.gl" links in the Twitter messages are redirecting users to different domains with a "m28sx.html" page. That page then redirects to a static domain with a Ukrainian top-level address. As if that were not enough, this domain redirects the user to another IP address which has been linked in the past to fake anti-virus distributions.

"This IP address will then do the final redirection job, which leads to the actual Fake AV site," Brulez explained.

Once a user's browser session is redirected to the malicious site, a warning message claims the computer is running suspicious applications and the user is encouraged to run a scan. As usual, the result is that the machine is infected with malicious threats and the scam is to trick the user into downloading a fake disinfection tool.
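The redirect chain the post describes, walked and scored by an added Python example that is not from the post, from Kaspersky or from nsane.forums. A constructed map of placeholder redirect targets stands in for the HTTP Location responses a URL-expansion service would observe, and the resolved chain is checked against the traits named above: a shortener as the first hop, a long chain, a hop on a bare IP, a hop on a .ua domain, and an m28sx.html landing page. Every host, IP, the shortener list and the hop thresholds are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed redirect map (assumption): each key redirects to its value, the way
# a fetcher would see Location headers. Hosts and IPs are placeholders, not IoCs.
REDIRECTS = {
    "http://goo.gl/EXAMPLE1": "http://example-hop1.test/m28sx.html",
    "http://example-hop1.test/m28sx.html": "http://static-example.ua/",
    "http://static-example.ua/": "http://198.51.100.7/",
    "http://198.51.100.7/": "http://fakeav-example.test/scan.html",
}

SHORTENERS = {"goo.gl", "bit.ly", "t.co"}  # assumed list of shortener hosts
MAX_HOPS = 10                               # assumed cap against runaway chains


def expand_chain(url, redirects, max_hops=MAX_HOPS):
    """Follow redirects until they stop, loop, or exceed max_hops; return the chain."""
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
        if url in seen:  # redirect loop: record it once and stop
            break
        seen.add(url)
    return chain


def is_bare_ip(host):
    """True if the host component is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_chain(chain):
    """Return the defender-side flags matched by a resolved redirect chain."""
    flags = []
    hosts = [urlparse(u).hostname or "" for u in chain]
    if hosts and hosts[0] in SHORTENERS:
        flags.append("starts-at-shortener")
    if len(chain) - 1 >= 3:                      # three or more hops
        flags.append("long-chain")
    if any(is_bare_ip(h) for h in hosts[1:]):    # an intermediate hop on a raw IP
        flags.append("bare-ip-hop")
    if any(h.endswith(".ua") for h in hosts):    # Ukrainian top-level domain hop
        flags.append("ua-tld-hop")
    if any(urlparse(u).path.endswith("/m28sx.html") for u in chain):
        flags.append("m28sx-landing")
    return flags
```

A real deployment would replace the dictionary with HEAD/GET requests that never execute page content, and tune the flag list and thresholds to its own telemetry.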
Lite (Administrator), posted January 21, 2011

Researchers have uncovered a new scam targeting Twitter users. The operation is said to make use of the Goo.gl link-shortening service in order to hide the actual address of the attack site.

Attackers are believed to be using compromised Twitter accounts to post Tweets advertising various pages linked through the goo.gl service. When users click on the links, they are directed through the link-shortening service to a third-party page which launches the actual attack. The page then loads fake security alerts and attempts to trick the user into downloading fake antivirus software tools.

Twitter has said that it is working to remove the malicious links and reset passwords for the compromised accounts spreading them.

Such fake antivirus operations have long been a favoured tactic of attackers who are looking to infect users with malware or simply trick them into paying for ineffective software bundles. Likewise, link-shortening services have come into fashion amongst scammers and malware operators in recent months as they allow a simplified method for hiding attack sites from direct links.

McAfee principal researcher Adam Wosotowsky said that the attack is most likely being run through machines infected by a social networking trojan such as the Koobface malware.

"The Goo.gl fake antivirus attack is not new, and is fairly simple to execute," the researcher said. "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid."