The messages, which say grammatically challenged things like, "you even see him taping u," and, "your in this [Facebook.com page link] LoL,” contain links not to videos but rather to websites that launch a drive-by exploit via the user's browser.
“Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend,” said Graham Cluley, senior technology consultant at Sophos, in a blog post detailing the mechanics of the issue.
Typically, the user is prompted to “download a new version of YouTube,” which, of course, is anything but. The program users are being invited to download is called FlashPlayerV10.1.57.108.exe, and is actually a version of Troj/Mdrop-EML, a backdoor trojan. If the trojan application successfully infects the PC, it will attempt to download additional attack modules onto the PC, as well as copy itself to any local drives and network shares to which the PC has access.
“If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account,” Cluley said.
This is of course not the first, or the last, time that nefarious types have hitched a ride on direct messages in order to spread viruses and malware. Over the summer the BlackHole exploit kit was used to great effect. The messages came across asking, “It’s you on photo?” or “It’s about you?” followed by a URL. The link opened a web page hosting a version of Blackhole, which would then take stock of the system, finding its vulnerabilities, then targeting compatible malware to it.
In April, a new spam campaign promoted fake anti-virus software through hundreds of compromised Twitter accounts and thousands of tweets. The alerts read: “Windows Antivirus 2012 has found critical process activity on your PC and will perform fast scan of system files!” At the end of the 'scan', users were invited to install a fake anti-malware solution.
To be fair, Twitter has been trying to beef up its security. But even so, “In the same way that the popularity of social networking sites makes them a widely accepted tool for businesses to reach customers and elevate brand awareness, it also appeals to cybercriminals seeking a large pool of captive users to be targeted for malware and spam attacks,” said Christopher Boyd, senior threat researcher at GFI Software. He noted that Facebook, Twitter, Tumblr and Pinterest are particularly vulnerable.