Researchers at Kaspersky Lab have uncovered what may be the first attempt by attackers to use Twitter for scareware scams.
The attack begins with a message, or tweet, with the words “Best Video” laced with a malicious link. Those tricked into clicking the link are directed to a rogue Website with a YouTube video. Once on the site, users are hit with a malicious PDF file via a hidden Iframe. The PDF file hosts several different exploits targeting known bugs. If the user’s computer is vulnerable to any, the malware installs bogus security software.
“The scareware claims that programs are infected and therefore can’t run or be opened,” said Roel Schouwenberg, senior anti-virus researcher for Kaspersky Lab Americas. “There are a few different options for payments: a two-year license at $49.95, the lifetime license at $79.95 and you can also buy the ‘System Tuner’ for a one-time fee of $29.95. The lifetime license, System Tuner and lifetime premium support at $19.95 are all checked by default.”
Twitter first warned of the attacks on May 30, though early speculation about the attacks referred to it as a worm. However, there was never any proof of worm-like code, Schouwenberg said. Instead, he speculated that the attack most likely was tied to a phishing scheme launched in May.
“When we saw the phishing attack against Twitter about 1 to 2 weeks ago I wondered about its purpose,” he said. “It was pretty likely something ‘new’ was going to happen on Twitter, and this occurrence makes perfect sense. With the lack of self-replicating code and the recent phishing attack, it’s extremely likely these two events are connected.”
Though not specifically tested for UAC (User Account Control) prompts, the exploit and malware work on computers running Windows 2000, XP and Vista, he said.