Compromised Twitter Accounts Spread Links to Drive-By Downloads

By on December 7th, 2010 11:00 GMT

It appears that a new worm is spreading by hijacking Twitter accounts and using them to advertise links to a drive-by download website.

The attack starts with goo.gl shortened URLs being sent by users whose computers have already been infected by this new threat.

We’ve seen several of these links so far and they get changed as soon as Google suspends them for abuse.

One goo.gl URL pointed to a page hosted on a compromised website belonging to a French furniture manufacturing business.

This page takes visitors through several redirects and eventually lands them on a drive-by download site that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader.

According to various reports, in addition to the compromised .fr website, an .it one has also been observed, which ironically belongs to a firm offering computer repair services.

An interesting aspect about these websites is that both of them are entirely designed in Flash. We’re not sure at this point if this is just a coincidence or a pattern.

We’re also still waiting for a detailed analysis of the malware installed in case of successful exploitation. However, it’s pretty clear that it can hijack the Twitter accounts of people using the infected computers.

The rogue messages are sent through Twitter’s mobile site instead of the main Web interface, but this is probably done by attackers for convenience reasons.

The behavior of hijacking accounts like this is reminiscent of the Koobface social networking worm, which also targeted Twitter in the past. However, at this point this is only speculation.

According to TechCrunch, Twitter is aware of the attack and is actively resetting the passwords of the compromised accounts.

Users are advised to be suspicious of goo.gl links that are posted with no other message attached; although this behavior might change. We will update this article with more information about the nature of the malware, when it becomes available.

Comments