Unauthorized email change lure still used in spam campaigns

Jun 28, 2010 15:04 GMT  ·  By

One of the latest spam emails to impersonate Twitter tries to trick users into opening a malicious attachment by passing it off as an invitation to the microblogging service. Meanwhile, Twitter email change scams are still going around, sending unsuspecting victims to websites packed with exploits.

Security researchers from Vietnamese antivirus vendor Bkis warn of a malware distribution campaign sending out emails that masquerade as official communications from Twitter. The rogue messages have spoofed headers to appear to originate from [email protected] and claim to be automated invitations sent at a friend's request.

"Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing? To join or to see who invited you, check the attachment," the spam reads.

The attachment is called "Invitation Card.zip" and contains a computer worm detected by Bkis as W32.Ziktwitters.Worm. "This virus [...] downloads a lot of other malwares including FakeAV and constantly distributes advertising emails as well as phishing emails to other users," Nguyen Cong Cuong, senior security researcher at Bkis, explains.

The author of this particular malware also seems to have a sense of humor. The researcher points out that, ironically, the decryption code used in the executable is Google's informal motto, "Don't be evil".

At the same time, the spam campaigns using Twitter's email template that we wrote about earlier this month are still circulating, which suggests that they are successful in tricking users. According to a recent report, one such scam lures users by claiming that the email address associated with their Twitter account has been changed.

The spammed link, which is spoofed to appear as pointing to a resource on twitter.com, actually redirects victims to a page loading an exploit cocktail. Before being attacked, the user is subjected to several tests to determine his browser, as well as the versions of other potentially vulnerable software installed on his computer, such as Java, Flash Player or Adobe Reader.
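A mail filter can check for the mismatch described above, where the visible link text names twitter.com but the underlying href points elsewhere. The Python sketch below is an added example, not code from the article or from Bkis; the function names and the sample message (with the placeholder host redirect.example) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname shown in the visible link text, with or without scheme or "www.".
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def same_site(real, shown):
    """True if the real host is the displayed domain or a subdomain of it."""
    shown = shown.lower()
    return real == shown or real.endswith("." + shown)


class LinkAuditor(HTMLParser):
    """Records anchors whose visible text names a different site than the href."""

    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real = urlsplit(self.href).hostname or ""  # hostname is already lowercased
        shown = HOST_IN_TEXT.search("".join(self.text))
        if shown and real and not same_site(real, shown.group(1)):
            self.mismatches.append((shown.group(1).lower(), real, self.href))
        self.href = None


def find_spoofed_links(html_body):
    """Return (shown_host, real_host, href) for each mismatched link."""
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.mismatches


# Constructed sample; redirect.example is a placeholder host, not an indicator.
SAMPLE = ('<a href="http://redirect.example/x?id=1">http://twitter.com/settings</a>'
          '<a href="https://support.twitter.com/help">twitter.com/help</a>')
```

The check only fires when the link text itself displays a hostname, so a link labelled "click here" passes through and needs other controls such as URL reputation or click-time rewriting.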

You can follow the editor on Twitter @lconstantin
