Pill spam, phishing, trojans and scareware

Jun 9, 2010 15:13 GMT  ·  By

Security researchers warn of new email spam campaigns that masquerade as official Twitter notifications and link to malicious websites. Some of these attacks direct users to phishing pages, while others lead to websites pushing computer trojans or scareware.

“Spammers seem to be on something of a Twitter rampage of late. They have sent out a wide variety of spammed messages recently that all appear to be from Twitter,” Trend Micro warns. The antivirus vendor presents two attacks that impersonate Twitter and abuse the company's standard email template.

One of the spam messages claims that the email address associated with the user's Twitter account has been changed and that the change must be confirmed by visiting a special URL. The link included in the offending email leads to a phishing site that attempts to steal the user's Twitter login credentials.

The second attack masquerades as a security alert about an alleged attempt to steal the user's Twitter password. The email recommends that the user install a so-called “secure module,” offered as a .zip archive downloadable from a link in the message. According to Trend Micro, the archive actually contains a computer trojan (TROJ_FAKETWT.A) whose purpose is to install a scareware program (TROJ_FAKEAV.ADL).

The Vietnamese antivirus vendor Bkis has also intercepted this scareware distribution campaign and added detection for the threat as W32.TwittFake.Trojan. According to the company's malware analysts, the trojan drops several components into the Windows Temp folder, launches itself whenever any executable file on the system is opened, disables the Windows Task Manager and pops up fake security alerts. The fake antivirus program it downloads and installs is called “Protection Center.”

Trend Micro notes that even online pharmacy spammers have started using this Twitter-style email template to advertise unregulated pills. Meanwhile, we came across an attack using the Twitter theme as well, which would have been fairly convincing had it not included an image of a scantily dressed woman.

The spam message we intercepted warns users they have a number of unread messages and instructs them to click on what appears to be a twitter.com link in order to view them. The link, however, redirects unsuspecting victims to a page riddled with exploits that ESET NOD32 Antivirus detects as JS/Exploit.JavaDepKit.A.
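The trick behind the message above, and behind the phishing and malware variants described earlier, is that the visible text of the link reads like a twitter.com address while the underlying href points elsewhere. The following is an added example, not code from Trend Micro, Bkis or ESET, that scans the HTML body of an email for exactly that mismatch. The sample message embedded in it is constructed for illustration; the hostnames and paths in it (203.0.113.7, example.invalid) are placeholders, not addresses from the real campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The brand the email claims to come from. Only this host and its real
# subdomains (e.g. api.twitter.com) count as legitimate link targets.
TRUSTED_DOMAIN = "twitter.com"


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed.

    urlparse().hostname discards any user@ prefix, so a link such as
    http://twitter.com@example.invalid/ resolves to example.invalid here.
    """
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a genuine subdomain of it.

    A plain substring test would accept twitter.com.example.invalid; requiring
    either equality or a '.trusted' suffix does not.
    """
    return host == trusted or host.endswith("." + trusted)


def find_spoofed_links(html, trusted=TRUSTED_DOMAIN):
    """Return every anchor whose visible text names the trusted domain while
    its href actually points at some other host."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if trusted in text.lower() and not is_trusted_host(host_of(href), trusted):
            findings.append({"text": text, "href": href, "host": host_of(href)})
    return findings


# Constructed sample email body (not a real captured message). It mixes one
# genuine link with three spoofing patterns seen in this kind of spam.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>You have 3 unread direct messages.</p>
<p>Account settings:
  <a href="https://twitter.com/settings/account">http://twitter.com/settings/account</a></p>
<p>View messages:
  <a href="http://203.0.113.7/tw/messages.php">http://twitter.com/account/messages</a></p>
<p>Confirm your email change:
  <a href="http://twitter.com.example.invalid/login">http://twitter.com/account/confirm_email</a></p>
<p>Download the secure module:
  <a href="http://twitter.com@example.invalid/secure_module.zip">http://twitter.com/secure_module.zip</a></p>
<p><a href="http://example.invalid/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_spoofed_links(SAMPLE_EMAIL_HTML):
        print(f"SPOOFED: text says {hit['text']!r} but href goes to {hit['host']!r}")
```

The check flags three of the five links in the sample: the raw IP address, the prefix lookalike `twitter.com.example.invalid`, and the `user@host` form in which `twitter.com` is merely the userinfo part of the URL. It deliberately says nothing about the final link, whose text does not claim to be Twitter at all; a link that simply reads "Unsubscribe" or "Click here" and points off-domain is not a spoof in this sense and would need a reputation or sender-alignment check instead.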

Photo Gallery (5 images): Multiple attacks use Twitter email template; Phishing spam using Twitter email template; Malware distribution spam using Twitter email template.