Researchers at security provider Kaspersky Labs have discovered a widespread spam operation designed to promote the spread of a malicious antivirus application.
"Early today, Kaspersky Lab discovered a new ongoing spam campaign on Twitter. Hundreds of compromised accounts are currently spamming malicious links, hosted on .TK and .tw1.su domains, leading to Rogue Anti Virus software," writes Kaspersky's Nicolas Brulez.
The operation is using dozens of hijacked Twitter accounts to distribute malicious URLs to the followers of the legitimate account holder.
"We started monitoring the campaign for a little less than two hours where a total number of 453 compromised Twitter accounts were being used to spam malicious links," Brulez reported.
The campaign employs an exploit kit which can deliver a malware payload to a victim's device.
"The compromised accounts spammed up to 8 messages per second, with links redirecting users to the infamous BlackHole exploit kit," Brulez said.
According to Kaspersky Labs, users who click on the malicious URL are presented with a fraudulent Windows alert, which warns that their systems may be infected and then instructs them to proceed with a system scan.
"At the end of the 'scan', they are invited to install a fake Anti Malware solution. During our tests, several variants were pushed to the infected machines, which were the same threat using different names," Brulez explains.
Kaspersky continues to monitor the operation, and Twitter users should be wary of shortened URLs even if they are in a message from a trusted contact.
"Our analysis is just a snapshot at a given time, and is lower than reality. The campaign is still ongoing as we publish our analysis. From our small monitoring, we can say that:
- The total number of unique Twitter accounts that were recorded is: 540
- The total number of unique domains used: 44
- The total number of recorded Tweets is: 4148"