Researchers at F-Secure have witnessed a jump in the number of automatically generated Twitter accounts being used by people pushing rogue antivirus.
According to F-Secure, the Twitter accounts are being used to blast out tweets exploiting Twitter’s ‘Trending Topics’ – the microblogging service’s list of top 10 tweeted keywords. Others are copies of legitimate tweets.
“This particular tactic is something that we noticed over the weekend while looking into our own Twitter followers,” explained Sean Sullivan, Security Advisor at F-Secure’s North American Labs. “From there we examined Twitter trends and ‘Jay-Z’. We saw that tweets were being re-tweeted but that the short URLs were being replaced with rather suspicious-looking links. Examining those links took us to the rogue pages.”
Sullivan said he doesn’t know how long this has been going on, but that Twitter is fighting back by closing the malicious accounts when they are detected. However, new accounts are created to replace those.
Each tweet carries with it a link to a malicious site that tries to get users to download fake antivirus by hitting them with pop-ups declaring their machines infected. In some instances, the background wallpaper is customized for each account in an attempt to fool users into thinking the accounts are operated by an actual person.
“It does not require very much computing power (to create rogue Twitter accounts),” Sullivan said. “We do know that they must have a solution for the CAPTCHA required by Twitter. Perhaps it is being farmed out to a Chinese forum. Or perhaps they have a technical solution. The account names used are very German in ‘flavor’ but many of the rogue gangs that we know of operate from Ukraine.”
“The rogue pages are not very ‘malicious’ as far as attacking the computer’s OS,” he added. “These are using social engineering tactics and are mimicking Windows.”