Only two days after Twitter had a major clear-out of spambot accounts, a new malicious tweet campaign is gathering speed. It is currently running at an under-the-radar rate of about 33 tweets per hour, using hundreds of accounts that appear to have been created just for this purpose.

The creation of the accounts actually predates Twitter's clean-up operation in most cases; every example I looked at had been registered on the 20th or 21st of July (I stopped looking quickly, the profiles got a bit repetitive to say the least). The domain in question, doiop.com, is another of the URL-shortening sites that are springing up in ever-increasing quantities, and it's not the first time it has acted as an intermediary for infections.

[Screenshot: twitscoop1]

The noteworthy social engineering elements of this attack revolve around the increasing sophistication of the automated tweeting. This time the scam accounts do not simply post one of a selection of malicious tweets, over and over, to the Twitter population at large, nor do they try to hook into currently trending topics to gain eyeballs. Both of those techniques are well known and highly visible to the Twitter admins, so rogue accounts using them are quickly shut down.

Instead, they post messages directly to other Twitter users, users who are not following them, of course, in the hope that their randomly selected marks will be curious enough to click the malicious link. To make the fake accounts look more legitimate, the malicious posts are widely interspersed with messages detailing which music the spambot is currently listening to, or other (legitimate) websites it is visiting. In many cases the non-malicious tweets outnumber the malicious ones on the page, so a cursory glance at the fake profile may be enough for some to think it's genuine.
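That profile pattern is easy to turn into a triage heuristic. What follows is an added example, not code from the original post or from Trend Micro: it scores constructed sample profiles on the signals the post describes (a freshly registered account, @-replies aimed at users who do not follow it, shortened doiop.com links buried among filler tweets, and the tweet rate). The thresholds, screen names, sample tweets and the extra hosts are assumptions made for the example.

```python
"""Score Twitter profiles for the spambot pattern the post describes.

Added example, not code from the original post. Signals taken from the post:
a freshly registered account, @-replies aimed at users who do not follow it,
shortened links (doiop.com is the host the post names) buried among harmless
filler tweets, and the tweet rate. Thresholds and sample profiles are
constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

SHORTENER_HOSTS = {"doiop.com"}        # from the post; extend with other shorteners
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^@(\w+)")


@dataclass
class Tweet:
    when: datetime
    text: str


@dataclass
class Profile:
    name: str
    created: datetime
    followers: set = field(default_factory=set)   # screen names following this account
    tweets: list = field(default_factory=list)


def profile_signals(p, now):
    """Raw per-profile signals; no verdict yet."""
    n = len(p.tweets)
    age_days = (now - p.created).days
    if n == 0:
        return {"age_days": age_days, "cold_reply_ratio": 0.0,
                "short_link_ratio": 0.0, "tweets_per_hour": 0.0}
    cold_replies = short_links = 0
    for t in p.tweets:
        m = REPLY_RE.match(t.text)
        if m and m.group(1) not in p.followers:
            cold_replies += 1              # @-reply to someone who does not follow
        if {h.lower() for h in URL_RE.findall(t.text)} & SHORTENER_HOSTS:
            short_links += 1
    stamps = [t.when for t in p.tweets]
    span_hours = max((max(stamps) - min(stamps)).total_seconds() / 3600.0, 1.0)
    return {
        "age_days": age_days,
        "cold_reply_ratio": cold_replies / n,
        "short_link_ratio": short_links / n,
        "tweets_per_hour": n / span_hours,   # window floored at one hour
    }


def is_suspect(sig, max_age_days=14, min_cold_reply=0.25, min_short_link=0.15):
    """Assumed thresholds. The shortener threshold is low on purpose: the post
    notes that filler tweets usually outnumber the malicious ones."""
    return (sig["age_days"] <= max_age_days
            and sig["cold_reply_ratio"] >= min_cold_reply
            and sig["short_link_ratio"] >= min_short_link)


def triage(profiles, now):
    """Names of the profiles that trip the heuristic."""
    return [p.name for p in profiles if is_suspect(profile_signals(p, now))]


NOW = datetime(2009, 7, 25, 12, 0)

# Constructed spambot: registered 21 July, three cold @-replies carrying
# doiop.com links buried among five filler tweets, all within two hours.
BOT = Profile("jessica_bot", datetime(2009, 7, 21, 9, 0), tweets=[
    Tweet(datetime(2009, 7, 25, 10, 0), "listening to: track one"),
    Tweet(datetime(2009, 7, 25, 10, 20), "@alice have you seen this? http://doiop.com/x1"),
    Tweet(datetime(2009, 7, 25, 10, 40), "checking out http://www.example.com/"),
    Tweet(datetime(2009, 7, 25, 11, 0), "listening to: track two"),
    Tweet(datetime(2009, 7, 25, 11, 20), "@bob omg look at this http://doiop.com/x2"),
    Tweet(datetime(2009, 7, 25, 11, 40), "listening to: track three"),
    Tweet(datetime(2009, 7, 25, 11, 50), "reading http://www.example.net/"),
    Tweet(datetime(2009, 7, 25, 12, 0), "@carol this is hilarious http://doiop.com/x3"),
])

# Constructed legitimate account: two years old, replies only to followers.
HUMAN = Profile("long_time_user", datetime(2007, 3, 1), followers={"dave", "erin"}, tweets=[
    Tweet(datetime(2009, 7, 24, 9, 0), "@dave thanks, see you at the meetup"),
    Tweet(datetime(2009, 7, 24, 18, 30), "new post up: http://www.example.org/blog/42"),
    Tweet(datetime(2009, 7, 25, 8, 15), "@erin yes, the second one"),
])

if __name__ == "__main__":
    for p in (BOT, HUMAN):
        print(p.name, profile_signals(p, NOW), is_suspect(profile_signals(p, NOW)))
```

The per-account rate is reported but not thresholded, because the 33 tweets per hour the post quotes is a campaign-wide figure spread over hundreds of accounts; the age, cold-reply and shortener-link signals are the ones that separate the constructed bot from the constructed human account.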

[Screenshot: jessicabonit11]

The first redirection is to a URL on the domain {BLOCKED}.com. Interestingly, a quick squint at the root level of that domain reveals a single blog post advertising a "light Twitter bot that virtually anyone can use" (we detect this as HKTL_FAKEBOT). A second redirect takes the victim from this domain to the malicious URL on clickbank.net, a domain with a colourful history of its own when it comes to abuse by online criminals.
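An analyst would want to unwind a chain like that one hop at a time, recording each Location header without letting a browser render the landing page. The following is an added example, not code from the post or from Trend Micro. It stops at the first 3xx rather than following it, resolves relative Location headers, and refuses loops and over-long chains. The replay table is constructed: doiop.com and clickbank.net are the hosts the post names, the middle host is masked in the post as {BLOCKED}.com and stands in here as blocked.example, and every path and query string is invented.

```python
"""Expand a URL-shortener redirect chain one hop at a time.

Added example, not from the original post. Each hop's status and Location
header are recorded without following the redirect automatically and
without rendering the final page. The replay table below is constructed:
doiop.com and clickbank.net are the hosts the post names, the middle host is
masked there as {BLOCKED}.com and stands in here as blocked.example, and the
paths are invented.
"""
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live transport: one HEAD request, returns (status, Location or None).
    Some shorteners refuse HEAD; switch to GET if a chain stops at 405."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "chain-expander/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), None
    except urllib.error.HTTPError as err:      # 3xx surfaces here with _NoRedirect
        return err.code, err.headers.get("Location")


def replay(table):
    """Offline transport built from a {url: (status, location)} table."""
    def fetch(url):
        return table.get(url, (404, None))
    return fetch


def expand_chain(url, fetch=http_fetch, max_hops=10):
    """Return every URL visited, first to last. Stops at the first non-3xx
    response; raises on a loop or when max_hops is exceeded."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not 300 <= status < 400 or not location:
            return chain
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d hops from %s" % (max_hops, url))


def hop_hosts(chain):
    """Hostnames along the chain, handy for blocklist lookups."""
    return [urlparse(u).hostname for u in chain]


# Constructed replay of the three-hop chain described in the post.
SAMPLE_CHAIN = {
    "http://doiop.com/abc12": (301, "http://blocked.example/go.php?id=7"),
    "http://blocked.example/go.php?id=7": (302, "http://clickbank.net/offer"),
    "http://clickbank.net/offer": (200, None),
}

if __name__ == "__main__":
    chain = expand_chain("http://doiop.com/abc12", fetch=replay(SAMPLE_CHAIN))
    for hop, host in zip(chain, hop_hosts(chain)):
        print(host, hop)
```

Swap `replay(SAMPLE_CHAIN)` for the default `http_fetch` to run it against a live shortener; the per-hop hostnames are what you would feed to a domain blocklist such as the one the post says already covers these domains.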

[Screenshot: babybot1]

The malicious payload of this attack is a rogue security application called "Registry Easy 5.1". The program masquerades as a PC tune-up utility but gives extremely misleading results and demands payment before it'll do any cleaning. We detect it as TROJ_FAKEAV.DAP. The domains involved are also blocked by the Smart Protection Network.

We've all been drilled into not opening suspicious and unsolicited email attachments. Now, with 92% of malware being delivered via the internet, it's way past time to apply those same good habits to suspicious and unsolicited links, whether received by email, instant message, Twitter or any other medium.


This entry was posted on Saturday, 25. July 2009 and is filed under "Web 2.0, malware".

11 Comments to "New malicious tweet run on Twitter"

Twitted by PianoVis:
Sunday, 26. July 2009 at 12:18 am

[...] This post was Twitted by PianoVis [...]

Malicious Twitter Posts Get More Personal | Malware Blog | Trend Micro:
Monday, 27. July 2009 at 6:19 pm

[...] |   by JM Hipolito (Technical Communications) One recent report by Rik Ferguson revealed that malicious Twitter posts are getting dangerously more customized, increasing the [...]

New malicious tweet run on Twitter » CounterMeasures « Jared Rimer’s Technology blog and podcast:
Tuesday, 28. July 2009 at 6:00 am

[...] New malicious tweet run on Twitter » CounterMeasures. [...]

Malicious Twitter Posts Get More Personal - All About Virus:
Tuesday, 28. July 2009 at 8:02 am

[...] recent report by Rik Ferguson said that malicious Twitter posts are getting dangerously more [...]

Your Home PC Helpdesk » Trend Micro Reports that malicious twitter posts get more personal:
Wednesday, 29. July 2009 at 2:37 pm

[...] recent report by Rik Ferguson said that malicious Twitter posts are getting dangerously more customized, increasing the [...]

Tom Hanson:
Thursday, 30. July 2009 at 11:32 am

Lol, the person who blurred out the names on the second page is really stupid! Underneath it shows the name of the user that the message was in reply to, so blurring out the other names was pointless lol

Rik Ferguson:
Thursday, 30. July 2009 at 2:15 pm

Hi Tom, thanks for that, yeah, that person are really stupid sometimes, but your eagle eye has led me to chastise them greatly.

Anti-Virus & Anti-Malware website. » Malicious Twitter Posts Get More Personal:
Friday, 31. July 2009 at 1:07 pm

[...] recent report by Rik Ferguson said that malicious Twitter posts are getting dangerously more customized, increasing the [...]

Twitter Trackbacks for New malicious tweet run on Twitter » CounterMeasures [trendmicro.eu] on Topsy.com:
Monday, 31. August 2009 at 12:03 pm

[...] New malicious tweet run on Twitter » CounterMeasures countermeasures.trendmicro.eu/new-malicious-tweet-run-on-twitter – view page – cached A Trend Micro Blog. Rik Ferguson and others blog about security related issues — From the page [...]

RegistryEasy Profiles Currently Scamming Twitter | Tekblog:
Tuesday, 8. December 2009 at 1:05 am

[...] On July 25, 2009 Rik Ferguson wrote an informative article in his Trend Micro Blog about Registry Easy:  New Malicious tweet run on Twitter [...]

Twitter suspends hash gov20e accounts? | Tekblog:
Tuesday, 8. December 2009 at 1:05 am

[...] (Read Rik Ferguson’s informative article in his Trend Micro Blog :  New Malicious tweet run on Twitter [...]


© Copyright 2010 Trend Micro Inc. All rights reserved.