Dec 16, 2010 08:34 GMT

Researchers from Panda Security warn of an ongoing scareware distribution campaign on Twitter which appears to be using both fake and hijacked legit accounts to spread malicious links.

The rogue messages read "a very good antivirus http://goo.gl/[censored]" and lead to an attack page which displays fake security alerts customized for each browser.

For example, Firefox users will see a fake alert page which is normally shown when a blacklisted URL is accessed.

For this purpose, Firefox implements Google's SafeBrowsing API, which is also used by Google Chrome and Google Web Search to block access to malicious links.

The message on the fake Firefox alert page is significantly different from the real one. It advises users that a quick malware scan is being performed.

When this is done, the page claims that several threats were found on their system and instructs them to download protection software allegedly recommended by Mozilla.

The application served for download is the ThinkPoint fake antivirus software, which is known to prevent users from accessing their desktops.

After a restart, the application warns that multiple infections were detected on the computer and asks users to acquire the full version in order to clean them.

People who fall victim to this scam and end up with ThinkPoint installed should be able to bypass the desktop blocking feature by clicking the "Settings" button in the program's interface and checking the "Allow unprotected startup" option.

Then they can download a free security application such as Malwarebytes' Anti-Malware or SUPERAntiSpyware, both of which do a particularly good job of removing such scareware programs.

A number of Twitter accounts involved in this campaign clearly belong to real people and some are even quite active on the website.

Most of the rogue tweets were posted on December 14, a day after a mass spam attack was launched on Twitter using accounts hijacked as the result of the Gawker compromise.

There is no clear evidence that this scareware distribution campaign is the result of the same breach, but it is certainly a possibility.