Targeted Attack Designed to Infect Both Macs and PCs.

UPDATE (25th June): Guy Kawasaki has stated that his Twitter account was not compromised; the malicious tweet came from a feed that his account is set up to post from automatically. The feed comes from NowPublic, a user-generated news service. According to the Wall Street Journal, Michael Tippett, co-founder of NowPublic, responded by pointing out that Mr. Kawasaki's auto-published tweets were from an unmoderated feed, not one of the moderated ones that the startup also operates.

That’s fine for Mr. Kawasaki’s personal peace of mind, but you have to ask yourself: with that many followers, is it sensible to auto-post unmoderated feed content? Is this going to happen again, with a more believable tweet?

________________________________________________________________________

Guy Kawasaki, the well-known venture capitalist and columnist, was the victim of what appears to be a very targeted attack on Twitter today.

A single malicious tweet was inserted into Mr. Kawasaki’s profile without his knowledge:

[Image: guytweet]

The obfuscated link seemed incongruous on Mr. Kawasaki’s profile only because it used a different URL shortening service from the one he normally uses. Other than that, he is a person who regularly posts many links, so his 139,000 followers will be very tempted to follow them, and that is exactly the kind of thing that makes this sort of attack attractive to cybercriminals.
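The one tell described above, a link host the account does not normally use, can be checked automatically before an auto-post goes out. The sketch below is an added example, not part of the original post or any Twitter or NowPublic tooling; the `.example` hosts, the sample posts and the publish/flag/hold policy are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(text):
    """Return the lowercase host of every http(s) link found in a post."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url.rstrip(".,;:!?)")).hostname
        except ValueError:      # malformed authority, e.g. an unclosed "["
            continue
        if host:
            hosts.append(host.lower())
    return hosts

def build_baseline(history, min_posts=2):
    """Hosts the account has linked to in at least min_posts earlier posts."""
    seen = Counter(h for post in history for h in set(link_hosts(post)))
    return {h for h, n in seen.items() if n >= min_posts}

def triage(item, baseline, moderated_source):
    """Return (decision, unfamiliar_hosts) for one auto-post candidate."""
    unfamiliar = sorted(set(link_hosts(item)) - baseline)
    if not unfamiliar:
        return ("publish", [])
    # Assumed policy: unfamiliar host from an unmoderated feed waits for a human.
    return ("flag" if moderated_source else "hold", unfamiliar)

# Constructed sample data; the .example hosts are placeholders.
HISTORY = [
    "Ten startup lessons http://short.example/a1",
    "How to pitch a VC http://short.example/b2",
    "Great read: http://short.example/c3 via http://blog.example/post",
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for text, moderated in [
        ("New column is up http://short.example/d4.", False),
        ("Leaked video! http://tiny.example/xyz", False),
        ("Leaked video! http://tiny.example/xyz", True),
    ]:
        print(triage(text, BASELINE, moderated), "<-", text)
```

A host baseline only catches the mismatch noted here; a lure sent through the account's usual shortener would pass, so it complements moderation of the feed rather than replacing it.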


In this case, following the link would be a Very Bad Idea, because it leads to a malicious website designed to infect both Macs and PCs with a DNS-changing Trojan which, at the time of writing, has low to non-existent detection rates among security vendors (although Trend Micro customers would already have been protected from visiting the known malicious site by our Smart Protection Network).

The first site you land at is shown below:

[Image: first-link]

The image with the blue text shows how many people have followed this link. It would normally display an image designed to look like a media player window, but the site has been hit so hard that the bandwidth limit for the image server has been reached (note that the text is in Russian and English).

If you click the media player to view the video, you are redirected here:

[Image: second-link]

Again, the image server bandwidth has been used up, indicating how many other people have passed this way, but it should look like that media player again… You click it and hit paydirt!

[Image: final-landing-page]

There it is, the video you have been waiting for, but wait, you need to download an updated Codec… (sound familiar yet?)

Check out the TrendLabs malware blog for an in-depth analysis of the code involved in this interesting dual-platform attack.
