Scareware Twitters

Twitter has been hitting the security news in recent months. The latest issue to hit the rapidly growing micro-blogging site is a malicious scareware campaign that utilizes Twitter's 'Trending Topics', a service which highlights current hot topics in the Twitter world.  

It’s not too hard to uncover the poisoned 'tweets'. We did a simple search for 'Swine Flu', one of today’s trends, and a suspect result readily turned up:

A number of things, when put together, caused us to be suspicious of this link.  Firstly, the image used by the account is a default one for new Twitter accounts.  And secondly, the tweet consisted of the exact Trend Topic phrase (in this case 'Swine Flu') followed by a small URL shortened by one of the many URL Shortening services out there, in this case 'a.gd'. Following this link redirects you to a page hosting the Scareware. The page itself constantly reloads, serving up different domains:

The first page displayed was a DOS-like warning – the concept of a DOS 'blue screen' being displayed in the browser is novel to say the least:

And following that was a prompt to download an executable file:

Executing that file installed and displayed the usual scareware, in this case 'Fast Antivirus 2009' - seeking your money to help 'clean' your PC:

In a sense this type of campaign is very familiar, we blogged about a scareware campaign using search engine results in September last year.  All that has really changed is the medium used to advertise the links. Twitter, with its users relying on the use of URL links, is ripe for such abuse, especially with the prevalent use of shortened URLs which obfuscate the final destination. It also appears the bad guys are using automatically generated bogus accounts to spread their tweets.

The wider point here is that when using Web services such as Twitter and other social networking sites, be on high alert, always.