Jan 20, 2011 18:45 GMT

Security researchers from Kaspersky Lab warn that a new worm rapidly spreading on Twitter spams rogue goo.gl URLs that direct users to fake antivirus distribution sites.

The spammed links take users through a series of redirects until landing them on an obfuscated scareware attack page.

According to Kaspersky Lab's Nicolas Brulez, the obfuscation is based on a JavaScript implementation of the RSA encryption algorithm.

"RSA is used as an obfuscation technique more frequently than any other, since the private key is available in the JavaScript page. The modulus 'N' seems to be 26 bits in length most of the time, which is ridiculously small," the researcher notes.
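To show why a 26-bit modulus gives the obfuscated page no protection against analysis, the following added example (not code from Kaspersky Lab or from the attack page) factors such a modulus by trial division and rebuilds the private exponent from public values alone. The modulus, the exponent and the sample string are constructed for illustration, and the per-character encoding is an assumption.

```javascript
// Constructed demo key: N = 7919 * 8191 is a 26-bit modulus (not from the malware).
const N = 64864529n;
const E = 65537n;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via the extended Euclidean algorithm.
function modInv(a, m) {
  let [r0, r1, s0, s1] = [m, a % m, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new Error("not invertible");
  return ((s0 % m) + m) % m;
}

// Trial division: a 26-bit N needs at most about 4,096 odd candidates.
function factor(n) {
  if (n % 2n === 0n) return [2n, n / 2n];
  for (let p = 3n; p * p <= n; p += 2n) {
    if (n % p === 0n) return [p, n / p];
  }
  throw new Error("n is prime");
}

// Rebuild d from the public values only: d = e^-1 mod (p-1)(q-1).
function recoverPrivateExponent(n, e) {
  const [p, q] = factor(n);
  return modInv(e, (p - 1n) * (q - 1n));
}

// Decode an array of per-character RSA blocks (assumed encoding) to a string.
function decode(blocks, n, e) {
  const d = recoverPrivateExponent(n, e);
  return blocks.map((c) => String.fromCharCode(Number(modPow(c, d, n)))).join("");
}

// Constructed sample: a benign string encrypted one character at a time.
const sample = [..."document.title"].map((ch) => modPow(BigInt(ch.charCodeAt(0)), E, N));
console.log(decode(sample, N, E));
```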

The fake AV variant served in this attack is called "Security Shield" and one interesting aspect about it is that its graphical user interface is localized depending on the language of the operating system.

"During my test, a French version of Windows XP was used, hence the French translation of the interface," Mr. Brulez says.

This goes to show the increasing effort scareware authors put into making their creations appear as professional and legitimate as possible.

In addition to localization, we've seen scareware schemes that offered live technical support provided by real people.

This latest attack continues a series of Twitter spam campaigns recorded in recent months, after a long period when the malicious activity on the microblogging platform seemed to have calmed down.

In December we reported a similar scareware distribution campaign that used compromised Twitter accounts to spam malicious goo.gl short URLs. More recently, the site was hit by a big wave of "free iphone and ipad" spam runs abusing the bit.ly URL shortening service.

People who fall victim to such scareware scams and end up installing a fake antivirus application can download a free security program like Malwarebytes' Anti-Malware or SUPERAntiSpyware, which do a particularly good job of removing these threats.