It hit users over the weekend via a spammed video link

Jun 2, 2009 08:22 GMT  ·  By

This past weekend marked a sad moment in the history of the increasingly popular microblogging platform Twitter, as the first attack based on the scareware cybercriminal model was registered. Twitterers falling for spam advertising a "best video" ended up having their computers silently exploited and infected with a rogue security application.

At the end of last week, several websites and blogs reported yet another Twitter worm, which attempted to trick users into clicking a link to juste.ru attached to a "Best video" message. It was originally believed that users who visited the link were somehow compromising their accounts; however, this proved to be a much more sinister attack.

The incident attracted the attention of Kaspersky's senior antivirus researcher, Roel Schouwenberg, who immediately put on his cyber-gloves and started picking it apart. The page at which overly curious users who click the spammed link arrive displays a legitimate embedded YouTube video. "However, that's not all that happens. Covertly a connection is made to another server that will result in a malicious PDF being downloaded. This PDF contains a flurry of exploits," warns the researcher.

Malformed PDF files that exploit vulnerabilities in various Adobe Reader versions to execute arbitrary code on the victim's computer have become a common malware delivery method. In this case, what is downloaded and installed after successful exploitation is what is known as scareware or rogueware.
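The attack chain described above (landing page with a legitimate video, a covert fetch of an exploit PDF from a second server, then the rogue installer) leaves a recognisable trace in web-proxy logs. The following script is an added example, not code from the article or from Kaspersky: it correlates each client's HTML page loads with PDF responses that arrive seconds later from a different host with that page as Referer. The log layout, the timestamps, the client addresses and the exploit-server address 203.0.113.7 (a documentation range) are all constructed for the example; juste.ru is the landing site the article names.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). The field order is a
# hypothetical layout: time client method url status content-type referer.
# juste.ru is the landing site named in the article; 203.0.113.7 is a
# documentation address standing in for the unnamed exploit server.
SAMPLE_LOG = """\
2009-05-30T14:02:11 10.0.0.5 GET http://juste.ru/video.html 200 text/html http://twitter.com/
2009-05-30T14:02:12 10.0.0.5 GET http://www.youtube.com/v/abc123 200 application/x-shockwave-flash http://juste.ru/video.html
2009-05-30T14:02:13 10.0.0.5 GET http://203.0.113.7/show.php?id=41 200 application/pdf http://juste.ru/video.html
2009-05-30T14:05:30 10.0.0.9 GET http://intranet.example/reports/ 200 text/html -
2009-05-30T14:05:40 10.0.0.9 GET http://intranet.example/reports/q1.pdf 200 application/pdf http://intranet.example/reports/
2009-05-30T14:30:02 10.0.0.5 GET http://203.0.113.7/install.exe 200 application/octet-stream -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype, referer = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype.split(";")[0].lower(),
        "referer": None if referer == "-" else referer,
    }


def find_drive_by_pdfs(log_text, window_seconds=15):
    """Flag PDF responses a client fetched shortly after loading an HTML page
    on a different host, with that page as Referer.

    A user opening a PDF link by hand usually stays on the same host; a
    cross-host PDF that arrives within seconds of the page load, often from a
    URL that does not even end in .pdf, is the pattern of a page that quietly
    pulls an exploit document in the background.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["time"])
    page_views = {}  # (client, page url) -> time of the most recent HTML load
    hits = []
    for r in records:
        if r["status"] != 200:
            continue
        if r["ctype"] == "text/html":
            page_views[(r["client"], r["url"])] = r["time"]
            continue
        if r["ctype"] != "application/pdf" or r["referer"] is None:
            continue
        page_time = page_views.get((r["client"], r["referer"]))
        if page_time is None:
            continue  # no HTML load of the referring page seen for this client
        delay = (r["time"] - page_time).total_seconds()
        pdf_host = urlsplit(r["url"]).hostname
        page_host = urlsplit(r["referer"]).hostname
        if pdf_host != page_host and delay <= window_seconds:
            hits.append({
                "client": r["client"],
                "landing_page": r["referer"],
                "pdf_url": r["url"],
                "pdf_host": pdf_host,
                "seconds_after_page": delay,
                "disguised_name": not urlsplit(r["url"]).path.lower().endswith(".pdf"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_drive_by_pdfs(SAMPLE_LOG):
        print(hit)
```

On the sample log only the 10.0.0.5 fetch from 203.0.113.7 is flagged: it is cross-host, two seconds after the juste.ru page load, and served from a .php URL rather than a .pdf. The intranet download is a same-host PDF and stays quiet. Once a hit is found, the flagged host is the natural pivot for the next query: any later executable pulled by the same client from that host (the install.exe line in the sample) is the rogue installer the article describes.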

Scareware refers to fake security applications that bombard victims with warnings about fictitious threats on their computer. To have these nonexistent problems "resolved," users are required to purchase a useless license for the equally useless software. This for-profit cybercriminal model has been a real pest for the last couple of years. The particular rogue application involved in this Twitter attack is called "System Security."

"This attack is very significant," notes Mr. Schouwenberg. "It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks," he explains.

Another important aspect of this incident is that, according to the antivirus expert, no worming component was detected. This prompted him to speculate that the attack might be connected to a recent Twitter phishing campaign.

"About a week ago there was a pretty high-profile phishing attack targeted at Twitter. It was only going to be a matter of time before we would see the abuse of the stolen accounts one way or the other. Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages. From my perspective this would also have been the more likely scenario rather than using a worm," Roel Schouwenberg concludes.

Twitter staff have confirmed the incident, suspended the compromised accounts and cleaned up the offending messages. "No personal information was compromised as a result of this attack," they announced.


Scareware spread through Twitter
Screenshot of scareware distributed through Twitter "best video" attack