Twitter Worm Unleashes Fake AV Attack
A bogus antivirus campaign is spreading malicious links using Google's goo.gl link-shortening service and code obfuscated with the RSA public-key cryptography algorithm.
A Twitter worm is behind a new, fake antivirus campaign now in the wild.
According to Kaspersky Lab security researcher Nicolas Brulez, the new worm "is spreading fast, using the 'goo.gl' URL shortening service to distribute malicious links."
The attack, which was first spotted on Thursday, tweets a single malicious link with no additional message text. All of the attack tweets list Mobile Web -- Twitter's app for generic mobile phones -- as the client used to post the tweet. Clicking on the malicious link sends users to one of various domains that host an HTML page named "m28sx.html," which then redirects users to a static Web page with a Ukrainian top-level domain address. From there, users are redirected to pages that hawk fake AV, aka scareware.
Like all fake AV, "the user is invited to remove all the threats from their computer, and will download a fake antivirus application called Security Shield," said Brulez. Interestingly, the graphical user interface of the rogue AV software shows up in the operating system's default language.
Twitter is aware of the attack and is working to block it. On Thursday, Del Harvey, head of Twitter's Trust & Safety group, tweeted: "Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV? That's malware. Don't install." She added in a second tweet: "We're working to remove the malware links and reset passwords on compromised accounts."