Twitter Targeted With Fake Antivirus Software Scam
Posted: 21 Jan 2011 05:43 AM PST

Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google's Web address shortening service to conceal the links' destination.

The links, masked by Google's "goo.gl" URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.

Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called "Security Shield."

Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer's software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.

Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that "we're working to remove the malware links and reset passwords on compromised accounts."

"Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?" she wrote. "That's malware. Don't install."

Although Brulez classified the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.

If the problem isn't spreading between Twitter users, that raises the question of how the attack began. One possibility is that it is related to an attack on Gawker Media in December. In that incident, the e-mail addresses and passwords for registered users of the media company's Web sites were pilfered by a group called Gnosis. Twitter saw a raft of spam after the Gawker hack, as it is believed that many users used the same password for the Web sites, which made their Twitter accounts vulnerable.

Sunbelt Software, a security vendor now owned by GFI Software, provides detailed instructions on how to remove the Security Shield fake antivirus program in one of its forums.

Beware Goo.gl Fake Antivirus Worm on Twitter
Posted: 21 Jan 2011 02:51 PM PST

Twitter and Twitter users are being targeted by a malicious worm. The worm sends out tweets with a goo.gl shortened URL link directed to a rogue antivirus application. The attack demonstrates once again how URL shortening can be a Pandora's box as users click on links with no clue where they might lead.

A post on Naked Security by Sophos' Graham Cluley describes the threat: "Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack," adding, "A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl), which itself points to a URL ending with 'm28sx.html'."

Attacks hiding behind shortened URLs are not new, and are also not technically challenging to execute. By their very nature, URL shortening services like goo.gl and bit.ly take cumbersome, long URLs and condense them down to a nice, short alias that can be used in their place. The concept makes it much easier to send some exceptionally long links, and is a necessity for a site like Twitter, which caps messages at 140 characters.

Adam Wosotowsky, principal researcher at McAfee Labs, explains, "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."

Wosotowsky elaborates, "As we stated in our 2011 Threat Predictions, we currently track and analyze--through multiple social media applications and all URL shortening services--more than 3,000 shortened URLs per minute. We see a growing number of these used for spam, scamming and other malicious purposes, and we expect to see shortened URL abuse invade all other forms of Internet communications."

Shortened URLs provide attackers a simple and commonly accepted means of obscuring malicious links. McAfee recommends using its proprietary URL shortening service--mcaf.ee. McAfee's shortened URLs are scanned and filtered to weed out malware.

Of course, you can't really control what URL shortening service other people use to send links to you. To avoid falling victim to Trojans, drive-by downloads, and other malicious attacks hiding behind innocent-looking shortened URLs, try using a tool like Tweetdeck that offers an option to reveal the full-length link behind the shortened URL before visiting it.
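
The advice to reveal the full-length link before visiting it can be applied in bulk by expanding each shortened link hop by hop and checking for the traits both articles report: a tweet that is nothing but a shortened link, a chain that bounces across several hosts, and a final destination that is a raw IP address. The Python below is an added example, not part of the original articles; the redirect table, short codes, host names and the "more than two hosts" threshold are constructed assumptions, and in live use the lookup would read the Location header of each response without following it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}  # services named in the articles
URL_RE = re.compile(r"https?://\S+")

# Constructed redirect table (assumption) standing in for requests that read
# the Location header only. Hosts use reserved example names and addresses.
REDIRECTS = {
    "http://goo.gl/AbCdE": "http://hop1.example/m28sx.html",
    "http://hop1.example/m28sx.html": "http://hop2.example/r.php",
    "http://hop2.example/r.php": "http://192.0.2.10/scan/",
    "http://goo.gl/Zz123": "http://news.example/story.html",
}

def expand(url, lookup=REDIRECTS.get, max_hops=10):
    """Return the redirect chain for url, stopping on a loop or at max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def is_ip_host(url):
    """True when the URL's host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def assess(tweet):
    """Expand each shortened link in a tweet and list reasons for suspicion."""
    findings = []
    for url in URL_RE.findall(tweet):
        if urlsplit(url).hostname not in SHORTENERS:
            continue
        chain = expand(url)
        reasons = []
        if tweet.strip() == url:
            reasons.append("tweet is a bare shortened link")
        if len({urlsplit(u).hostname for u in chain}) > 2:
            reasons.append("redirects across several hosts")
        if is_ip_host(chain[-1]):
            reasons.append("final destination is a raw IP address")
        findings.append({"url": url, "chain": chain, "reasons": reasons})
    return findings
```

None of these traits is proof of malice on its own, which matches Wosotowsky's point about false positives; they are reasons to inspect the destination before anyone clicks.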