Scammers auto-generate Twitter accounts to spread scareware
They use bogus accounts, real tweets, to dupe people into installing fake antivirus software
Computerworld - Scammers are increasingly using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said Monday.
The latest Twitter attacks originated with malicious accounts cranked out by software, said experts at both F-Secure and Sophos. The accounts, which use variable account and user names, supposedly represent U.S. Twitter users. In some cases, the background wallpaper is customized for each account, yet another tactic to make the unwary think that a real person is responsible for the content.
Tweets from those accounts are also automatically generated, said Sean Sullivan, a security advisor with the North American labs of Helsinki-based F-Secure. Some of the tweets exploit Twitter's current "Trending Topics," the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets.
All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called "scareware" because they fool users with sham infection warnings, then provide endless pop-ups until people pay $40 to $50 to buy the useless program.
"As fast as Twitter can shut down the accounts, [the scammers] create new accounts," said Sullivan. "Somehow they're getting around the CAPTCHA, but how they're doing it, whether with a bot or by CAPTCHA farms, we don't know."
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is the technology that uses distorted, scrambled characters to block automated registration of accounts. The defense, however, has regularly been subverted by hacker-built software, or by humans who contract to decipher the characters manually.
"There's nothing cookie-cutter about these accounts," noted Sullivan, who added that scareware scammers aren't afraid to spend money to make money.
There's a lot of the latter to be had. Last year, botnet researcher Joe Stewart of SecureWorks said there was evidence some hackers were making as much as $5 million a year shilling scareware.
"A lot of these scareware campaigns don't last 24 hours," said Beth Jones, a threat researcher at U.K.-based Sophos. "By the time a [distribution] site is blocked, they've already moved on to something else."
The servers hosting the phony security software behind the Twitter attacks are located in Toronto, said Jones, who said Sophos had been monitoring those systems since June.
Because the scareware tweets use a URL shortening service -- as do most tweets to crowd as much as possible into Twitter's 140-character limit -- it's impossible for users to tell exactly where the link will take them. Jones suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination. Unfortunately, the scammers are using the Metamark shortening service; TweetDeck doesn't support previews for Metamark.
"Scammers are using Twitter because it's a new conduit for spreading their scareware," said Jones. "They go where the money is, which means where people are, and people are on Twitter."
By late Monday, Twitter had deleted the machine-generated accounts spreading scareware that Sophos and F-Secure had revealed, but some tweets with the same malicious URL were still available on the service.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts