The attack may be linked to a previous phishing attack on Twitter that exploited the deceptive domain name “tvvitter.com” to obtain victims’ Twitter credentials. At the time, Sophos security expert Graham Cluley noted on his blog that careful users of a browser plug-in called LongUrl would have been able to see that the link was deceptive. But apparently many were fooled.
“They used the stolen credentials to post a message about finding a good video,” Yuval Ben-Itzhak, CTO of Web security company Finjan, told InternetNews.com. “If you clicked on the link … the criminals installed rogue anti-spyware called System Security.”
He added that the rogue software might look like it was fixing the problem, but actually did nothing except charge victims’ credit cards.
Criminals are making money from scareware. Finjan’s Malicious Code Research Center recently published a report, “Cybercrime Intelligence Report: Cybercrime pays generously,” that estimated that hackers can earn $10,800 a day from rogue anti-virus software, and that’s before they sell their victims’ credit card numbers on online criminal markets.
The news comes as reports indicate that IT departments are unprepared for the security threats posed by Web 2.0. A Kaspersky researcher warned about Twitter links at Interop last month.
Ben-Itzhak agreed. “The problem is not just Twitter but any user-generated content site. If you let users upload content and include links, you can end up with malicious content installed on your machine.”
He had some advice for IT managers. “Organizations and corporations should be aware that Web 2.0 and user-generated content sites can add value and increase productivity, but at the end of the day, if they’re not protecting users from these attacks, they’re not protecting their own network.”
He said companies cannot rely on traditional anti-virus systems that use signature detection to block malware. “They need real-time content inspection technologies,” he said. “It’s unlikely that anti-virus vendors will have a signature for something that someone just created and put on Twitter.”
It’s a real challenge, and many IT organizations are not up to the task. A recent report from Sophos said that nine out of ten at-work PCs fail basic security tests, such as being up to date on operating system patches.