Security Experts:

Twitter Direct Messages Used in Malware Attack

Some Twitter users are getting hit with a malware attack that is spreading through direct messages.

The messages take a variety of forms, noted Sophos Senior Technology Consultant Graham Cluley, including one where the recipient is told something about them has been posted on Facebook. In one iteration, the message says: "your in this" and includes a link to Facebook.  

"Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed," Cluley blogged. "The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer."

Unfortunately for anyone who follows the directions, the file is not a version of Flash Player; it's actually a backdoor Trojan that can copy itself to accessible drives and network shares, Cluley wrote. Just how users' Twitter accounts are being compromised to send the malicious direct messages isn't clear, but the attack underscores why users should not automatically click on a link just because it appears to have come from a trusted source, he blogged.

Earlier this year, Barracuda Networks examined the underground market for Twitter accounts and was able to purchase thousands of accounts from eBay and other sites. The typical price for buying fake followers was $18 per 1,000 accounts. The average abuser, the company found, has 48,885 Twitter followers, and the average fake Twitter account is following 1,799 accounts.

"If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account," Cluley wrote.

The report from Sophos follows a similar report from security firm GFI Software in which Twitter users received a direct message stating "lol ur famous now" that accompanied a link to Facebook. Just as in the case described by Cluley, the link leads to users being prompted to download a version of Flash Player. What users get instead is a Trojan called Umbra Loader, explained Chris Boyd, senior threat researcher at GFI.

"Dubious Twitter DMs aren’t going to go away anytime soon, and end-users should be cautious when sent messages regarding newly acquired fame – winding up in an Umbra Botnet is a form of celebrity one can do without," Boyd blogged. 

Subscribe to the SecurityWeek Email Briefing
view counter