Hackers tweet, infect Twitter users with scareware
'Security nightmare' arrives; hackers use exploit kit to spread fake security software
June 1, 2009 02:07 PM ETTwitter Watch
- Super Bowl Sunday: 15 Twitter feeds to follow
- 2009: Social networks go mainstream
- Twitter rolling out new Lists feature this week
- As Google and Microsoft vie, Twitter could turn tweets into dollars
- Tweets rolling in as frozen Twitter thaws out
- Twitter tests Lists feature to group tweets
- Twit nits: 12 top Twitter annoyances
- What's your Twitter ROI? How to measure social media payoff
- The anti-Twitter: Woofer requires 1,400-character minimum
- Developers eager to see Twitter improve platform stability
Computerworld - The latest attack to hit Twitter is a "security nightmare" and marks the first time hackers have taken to using the micro-blogging site for profit, a researcher said today.
Unlike earlier cross-site scripting attacks on Twitter, the latest wasn't a worm, said Roel Schouwenberg, a senior antivirus researcher with Moscow-based Kaspersky Labs. Instead, it's something even scarier: The first instance of hackers serving up "scareware," fake security software that, once installed, nags users with so many alerts that some fork over $50 or more just to "register" the program and get rid of the warnings.
"This is just another scareware installer," Schouwenberg said, referring to the malware that's downloaded onto victimized PCs. "There's no worm component. But it's quite significant as it's the first time that Twitter's been used for a traditional type of attack."
Over the weekend, Twitter users began receiving tweets with the phrase "Best Video" and a link to a Russian domain. Although those who clicked on the link were directed to a site with a video, they were also served a malicious PDF document via an IFRAME on that site. The PDF, said Schouwenberg, contains a number of exploits, and tries each in turn. If it's able to compromise the computer using one of those exploits, the malware then installs phony security software.
The PDF appears to contain attack code from "LuckySploit," a relatively-new multi-strike hacker toolkit that uses malicious JavaScript, said Schouwenberg.
On Saturday, Twitter warned users of the tweets with the "Best Video" link, then later noted that it had suspended compromised accounts, but would restore then shortly after they'd been scrubbed.
Twitter's not able to remove any malware installed by the attacks, of course, leaving that chore up to users.
Schouwenberg's sure that Twitter's talk of cleaning accounts was a smokescreen, as unlike attacks in April, this one wasn't a worm. "There was no self-replicating code in the binary," he said. Instead, Schouwenberg believes that the malicious tweets were sent from Twitter accounts whose log-on credentials had been hijacked previously by basic phishing-style scams.
"When I first saw this Saturday night, I thought of the Twitter phishing attack, which was quite high profile," said Schouwenberg. "Phishing always has a greater purpose ... so when all of a sudden you see a new 'worm' but there's no worm component [in the attack code], it's clear that this was based on compromised accounts, rather than self-replicating."
Schouwenberg also found the links in the malicious tweets on multiple Web forums, giving credence to his theory that hijacked accounts were used to launch the scareware attack.
Twitter users should expect to see more such attacks, Schouwenberg said. "The whole idea of Twitter is to click on links," he said. "It's a security nightmare."
Read more about security in Computerworld's Security Knowledge Center.
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

