Only two days after Twitter had a major clear-out of spambot accounts, a new malicious tweet campaign is gathering speed (currently running at an under-the-radar rate of around 33 tweets per hour), using hundreds of accounts that appear to have been created just for this purpose.
In most cases the creation of the accounts actually predates Twitter's clean-up operation: every account I looked at had been registered on the 20th or 21st of July (I stopped looking fairly quickly, as the profiles got repetitive to say the least). The shortener the tweets link to, doiop.com, is another of the URL shortening sites that are springing up in ever increasing numbers, and this is not the first time it has acted as an intermediary for infections.
The noteworthy social engineering element of this attack is the increasing sophistication of the automated tweeting. This time the scam accounts do not simply post one of a selection of malicious tweets over and over to Twitter at large, nor do they try to hook into currently trending topics to gain eyeballs. Both of those techniques are well known and highly visible to the Twitter admins, so accounts using them get shut down quickly.
Instead, they post messages directly to other Twitter users (ones who are not following them, of course) in the hope that the randomly selected marks will be curious enough to click the malicious link. To make the fake accounts look more legitimate, the malicious posts are widely interspersed with messages about which music the spambot is currently listening to or which other (legitimate) websites it is visiting. In many cases the non-malicious tweets outnumber the malicious ones on the page, and a cursory glance at the fake profile may be enough for some people to think it is genuine.
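The traits described above (cold @-mentions of strangers carrying a shortener link, templated wording, benign-looking filler padding the timeline, and a burst of account registrations on the same couple of days) are exactly what a triage script can score. The following is an added example written for this post, not Trend Micro's detection logic and not code from the campaign; the accounts, handles, tweet texts and registration dates are constructed (the year is a placeholder), the thresholds are assumptions, and the only real domain it keys on is doiop.com as named in the post.

```python
import re
from collections import Counter
from datetime import date
from urllib.parse import urlparse

# Shortener domains seen as the first hop of the redirect chain. doiop.com is
# the one named in the post; add others from your own telemetry.
WATCHED_SHORTENERS = {"doiop.com"}

MENTION_RE = re.compile(r"@(\w+)")
URL_RE = re.compile(r"https?://\S+")


def link_domains(text):
    """Hostnames linked in a tweet, lowercased."""
    return {urlparse(u).netloc.lower() for u in URL_RE.findall(text)}


def template_of(text):
    """Collapse @-mentions and URLs so templated tweets fold into one shape."""
    text = MENTION_RE.sub("@USER", text)
    text = URL_RE.sub("URL", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def score_account(acct):
    """Score one account against the traits described in the post.

    acct keys: handle (str), created (date), contacts (set of handles that
    follow or are followed by the account), tweets (list of str).
    """
    tweets = acct["tweets"]
    # "cold" = @-mentions a stranger AND carries a watched shortener link
    cold = []
    for t in tweets:
        strangers = set(MENTION_RE.findall(t)) - acct["contacts"]
        if strangers and link_domains(t) & WATCHED_SHORTENERS:
            cold.append(t)
    n = max(len(tweets), 1)
    shapes = Counter(template_of(t) for t in cold)
    # many cold tweets over few distinct shapes => templated bot output
    template_reuse = len(cold) / len(shapes) if shapes else 0.0
    signals = {
        "cold_mentions": len(cold),
        "cold_share": round(len(cold) / n, 2),
        # the rest of the timeline is the benign-looking filler the post describes
        "filler_share": round(1 - len(cold) / n, 2),
        "template_reuse": round(template_reuse, 2),
    }
    # Thresholds are assumptions for this example, not figures from the post.
    signals["verdict"] = "spambot" if len(cold) >= 3 and template_reuse >= 2 else "unclear"
    return signals


def creation_clusters(accounts, min_size=3):
    """Registration dates shared by at least min_size accounts: a sign-up burst."""
    by_day = Counter(a["created"] for a in accounts)
    return {d: c for d, c in by_day.items() if c >= min_size}


def make_bot(handle, created, marks):
    """Constructed spambot timeline: templated cold mentions mixed with filler."""
    tweets = [f"@{m} have you seen this? http://doiop.com/{handle}{i}"
              for i, m in enumerate(marks)]
    filler = ["now listening to: Song A", "listening to Song B",
              "reading http://example.com/news", "great day today",
              "now listening to: Song C"]
    # interleave so the filler outnumbers the malicious tweets, as on the real profiles
    timeline = []
    for i, f in enumerate(filler):
        timeline.append(f)
        if i < len(tweets):
            timeline.append(tweets[i])
    return {"handle": handle, "created": created, "contacts": {"erin"}, "tweets": timeline}


# Constructed sample data: handles, dates (year is a placeholder) and texts are invented.
SAMPLE_ACCOUNTS = [
    make_bot("bot1", date(2010, 7, 20), ["alice", "bob", "carol", "dave"]),
    make_bot("bot2", date(2010, 7, 21), ["alice", "frank", "grace", "heidi"]),
    make_bot("bot3", date(2010, 7, 21), ["bob", "ivan", "judy"]),
    {   # a genuine user: links a shortener too, but only to people who know them
        "handle": "real_person", "created": date(2009, 3, 5), "contacts": {"erin", "frank"},
        "tweets": ["@erin thanks for the link! http://doiop.com/xyz",
                   "@frank see you at the gig", "new post: http://example.com/blog",
                   "now listening to: Song D"],
    },
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a["handle"], score_account(a))
    print("sign-up bursts:", creation_clusters(SAMPLE_ACCOUNTS, min_size=2))
```

The point of scoring the mention target rather than the link alone is that a genuine user may well pass a doiop.com link to a friend; what marks the bot is the same sentence, with only the @-handle and short code swapped, aimed at people it has no relationship with, while the registration-date clustering is a signal you can only see across the batch of accounts, not on any single profile.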
The first redirection is to a URL on the domain {BLOCKED}.com. Interestingly, a quick squint at the root level of that domain reveals a single blog post advertising a "light Twitter bot that virtually anyone can use" (we detect this as HKTL_FAKEBOT). A second redirect takes the visitor from this domain to the malicious URL on clickbank.net, which has a colourful history of its own when it comes to abuse by online criminals.
The malicious payload of this attack is a rogue security application called "Registry Easy 5.1". The program masquerades as a PC tune-up utility, but it gives extremely misleading scan results and demands a purchase before it will do any cleaning. We detect it as TROJ_FAKEAV.DAP. The domains involved are also blocked by the Smart Protection Network.
We have all been drilled into not opening suspicious and unsolicited email attachments. Now, with 92% of malware being delivered via the internet, it is long past time to apply the same good habits to suspicious and unsolicited links, whether they arrive by email, instant message, Twitter or any other medium.