Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google’s Web address shortening service to conceal the links’ destination.
The links, masked by Google “goo.gl” URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.
Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called “Security Shield.”
Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer’s software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.
Del Harvey, head of Twitter’s Trust and Safety Team, wrote on her Twitter account that “we’re working to remove the malware links and reset passwords on compromised accounts.”
“Did you follow a goo.gl link that led to a page telling you to install ‘Security Shield’ Rogue AV?” she wrote. “That’s malware. Don’t install.”
Although Brulez classifed the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.
If the problem isn’t spreading between Twitter users, that raises the question of how the attack began.
One possibility is that it is related to an attack on Gawker Media in December. In that incident, the e-mail addresses and passwords for registered users of the media company’s Web sites were pilfered by a group called Gnosis. Twitter saw a raft of spam after the Gawker hack, as it is believed that many users used the same password for the Web sites, which made their Twitter accounts vulnerable.
Sunbelt Software, a security vendor now owned by GFI Software, provides detailed instructions of how to remove the Security Shield fake antivirus program in one of its forums.