New malicious tweet run on Twitter

Only two days after Twitter had a major clear-out of spambot accounts, a new malicious tweet campaign is gathering speed (currently running at an under-the-radar 33 tweets per hour), using hundreds of accounts that appear to have been created just for this purpose.


The creation of the accounts actually predates Twitter's clean-up operation in most cases, with the accounts having been registered on the 20th and 21st July in all the examples I looked at (I stopped looking quickly; the profiles got a bit repetitive, to say the least). The domain in question is another of the URL shortening sites that are springing up in ever-increasing quantities, and it's not the first time it has acted as an intermediary for infections.



The noteworthy social engineering elements of this attack revolve around the increasing sophistication of the automated tweeting. This time the scam accounts do not simply post one of a selection of malicious tweets continuously to the Twitter population at large, nor do they attempt to hook into currently trending topics to gain eyeballs. Both of those techniques are well known and highly visible to the Twitter admins, meaning the rogue accounts quickly get shut down.


Instead, they post messages directly to other Twitter users, ones that are not following them of course, in the hope that their randomly selected marks will be curious enough to click the malicious link. In an effort to make the fake accounts appear more legit, the malicious posts are widely interspersed with messages detailing which music the spambot is currently listening to, or other (legitimate) websites they are visiting. In many cases the non-malicious tweets outnumber the malicious ones on the page. A cursory glance at the fake profile may be enough for some to think it’s genuine.
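A defender-side heuristic for the account behaviour described above, added here as an example and not code from the original post. It scores an account on the three traits the campaign shows (registration inside the burst window, @-replies to strangers carrying a shortened link, filler "listening to" tweets padding the timeline) and groups accounts pushing the same link host into one campaign. The shortener list, the contact model, the sample accounts and the year in the dates are all constructed assumptions; the post gives only 20th and 21st July.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse
# Hypothetical shortener list; a real deployment would load a maintained one.
SHORTENERS = {"bit.ly", "tinyurl.com", "shrt.example"}

def is_shortened(url):
    return bool(url) and urlparse(url).netloc.lower() in SHORTENERS

def unsolicited_link_mentions(account):
    """Tweets that @-mention someone outside the account's follower/following
    set and carry a shortened link: the pattern described in the post."""
    return [t for t in account["tweets"]
            if t["mention"] and t["mention"] not in account["contacts"]
            and is_shortened(t["url"])]

def score_account(account, window):
    """Return (score, reasons); a higher score is more bot-like."""
    hits = unsolicited_link_mentions(account)
    # Filler ("listening to ...") tweets padding the timeline around the links.
    filler = sum("listening to" in t["text"].lower() for t in account["tweets"])
    checks = [
        (1, "registered inside the burst window", window[0] <= account["created"] <= window[1]),
        (2, f"{len(hits)} shortened-link replies to strangers", bool(hits)),
        (1, "link replies interleaved with filler tweets", bool(hits) and filler >= len(hits)),
    ]
    return sum(w for w, _, hit in checks if hit), [why for _, why, hit in checks if hit]

def shared_hosts(accounts, min_accounts=2):
    """Link hosts pushed by several accounts' unsolicited replies: one campaign."""
    users = defaultdict(set)
    for a in accounts:
        for t in unsolicited_link_mentions(a):
            users[urlparse(t["url"]).netloc.lower()].add(a["name"])
    return {h for h, u in users.items() if len(u) >= min_accounts}

def tw(text, mention=None, url=None):
    return {"text": text, "mention": mention, "url": url}
# Constructed sample accounts; the year is a placeholder (the post names only
# 20-21 July). bot1/bot2 follow the described pattern, alice does not.
WINDOW = (date(2009, 7, 20), date(2009, 7, 21))
SAMPLE = [
    {"name": "bot1", "created": date(2009, 7, 20), "contacts": set(), "tweets": [
        tw("listening to some jazz"), tw("@dave check this out", "dave", "http://shrt.example/x1"),
        tw("listening to a podcast")]},
    {"name": "bot2", "created": date(2009, 7, 21), "contacts": set(), "tweets": [
        tw("@erin lol look", "erin", "http://shrt.example/x2"), tw("listening to the radio")]},
    {"name": "alice", "created": date(2008, 3, 2), "contacts": {"bob"}, "tweets": [
        tw("@bob see my post", "bob", "http://bit.ly/ab")]},
]
```

Running `score_account` over each entry in `SAMPLE` with `WINDOW` gives the two bots a score of 4 and alice a score of 0, and `shared_hosts(SAMPLE)` ties the bots together through the one shortener host they both push.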




The first redirection is to a URL on the domain {BLOCKED}.com. Interestingly, a quick squint at the root level of that domain reveals a single blog post advertising a “light Twitter bot that virtually anyone can use” (we detect this as HKTL_FAKEBOT). A second redirect happens from this domain to the malicious URL on, which has a colourful history of its own when it comes to being abused by online criminals.




The malicious payload of this attack is a rogue security application called "Registry Easy 5.1". The program masquerades as a PC tune-up utility but gives extremely misleading results and demands a purchase before it will do any cleaning. We detect it as TROJ_FAKEAV.DAP. The domains involved are also blocked by the Smart Protection Network.


We've all been drilled, again and again, not to open suspicious and unsolicited email attachments. Now, with 92% of malware being delivered via the internet, it's way past time to apply those same good habits to suspicious and unsolicited links, whether received by email, instant message, Twitter or any other medium.

11 thoughts on "New malicious tweet run on Twitter"


  5. Tom Hanson

    Lol, the person who blurred out the names on the second page is really stupid! Underneath it shows the name of the user that the message was in reply to, so blurring out the other names was pointless lol

