Twitter hit by fake AV worm

Powered by SC Magazine
 

Sends users to fake anti-virus download site.

Twitter was hit by a bug yesterday that sent malicious links without user permission.

Tweets contained no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl) that pointed to a URL that ended with ‘m28sx.html’. Graham Cluley, senior technology consultant at Sophos, said that if you clicked on one of the links you were ultimately taken to a website that asked you to download a fake anti-virus. Sophos has detected the malware as Troj/FakeAV-CMG.

Del Harvey of Twitter's security team initially said that "all signs point to the compromise being due to weak passwords" and encouraged users not to install the ‘Security Shield’ rogue anti-virus. She later confirmed the problem and said that the website is removing the dangerous links and resetting the passwords of compromised accounts.

Mikko Hypponen, CSO of F-Secure, commented on his Twitter feed that he was "seeing weird links being posted...could be some sort of a worm" and said to watch out for messages that only have one goo.gl link and nothing else. He later confirmed that this was a new Twitter worm that was spreading. He said: “Shows up as messages from your friends that only contain one goo.gl link and nothing else.”

He later said that the ‘m28sx’ Twitter worm attack was over, as an IP address in the UK [91.200.240.228] needed by the worm was down. He said that it was "effective while it lasted".

“Interestingly, all of the offending Twitter messages examined by Sophos so far claim to have been posted by ‘Mobile Web’ (Twitter's ‘lite’ interface for generic mobile phone users) rather than users' normal clients such as Tweetdeck or Twitter for iPhone,” Cluley said.

“What is not yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition

