Anatomy of a Twitter malware scam

When a funky Direct Message showed up in my inbox, I had to investigate -- and narrowly missed getting infected with malware. (Kids, don't try this at home.)

So I was innocently surfing the Interwebs a few weeks back, fighting for truth, privacy, and the Internet way, when I got an email alerting me to a direct message from a friend I hadn’t spoken to in years.

It was strange on several levels (and so is my friend – but I digress). The first strange bit was the message itself, which made no sense: “heh u didn’t see them tapping u.” OK, fine, whatever.

Strangeness no. 2: It showed an alleged Facebook link. Rolling over the link with my cursor showed a truncated URL using Twitter’s T.co service at the bottom of my browser – which would be OK, except that the URL didn’t start with http or https.

Something smelled a little phishy to me. So, being stupid, I clicked on it. That took me to the following fake Facebook login page.

Gee Toto, I don’t think we’re on Facebook anymore. The URL at the top of the screen leads to a subdomain at some site calling itself Twitterwink.info. Immediately it becomes clear that whoever is running this scam a) isn’t very bright, and b) is hoping I am also not very bright.
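The two tells described so far (a link whose visible text claims Facebook but whose target is a bare t.co address with no scheme, landing on a subdomain of an unrelated site) can be checked mechanically before anyone clicks. The following is an added example written for this article, not code from the original post; the sample links are constructed, and the "registered domain" helper is a deliberate simplification that takes the last two labels of a hostname.

```python
from urllib.parse import urlsplit

# Constructed samples modelled on the message in the article: the first is the
# suspicious DM link, the second is a benign control.
SAMPLE_LINKS = [
    {"text": "facebook.com/video",
     "href": "t.co/abc123",                               # no http/https
     "landing": "https://login.twitterwink.info/fb/"},    # not facebook.com
    {"text": "https://www.facebook.com/",
     "href": "https://www.facebook.com/",
     "landing": "https://www.facebook.com/"},
]

# Shorteners hide the real destination; treat them as a signal, not a verdict.
KNOWN_SHORTENERS = {"t.co", "bit.ly", "goo.gl"}


def registered_domain(host):
    """Simplified: keep the last two labels (login.twitterwink.info -> twitterwink.info)."""
    return ".".join(host.lower().split(".")[-2:])


def _host_of(url):
    """Parse a URL that may lack a scheme and return its hostname (or '')."""
    if "://" not in url:
        url = "http://" + url  # assume a scheme only so urlsplit yields a netloc
    return urlsplit(url).hostname or ""


def triage_link(link):
    """Return the list of phishing signals found for one link record."""
    findings = []
    if not urlsplit(link["href"]).scheme:
        findings.append("no-scheme")          # bare "t.co/..." as in the DM
    if _host_of(link["href"]) in KNOWN_SHORTENERS:
        findings.append("shortener")          # destination is hidden
    text_host = _host_of(link["text"])
    landing_host = _host_of(link["landing"])
    if text_host and registered_domain(text_host) != registered_domain(landing_host):
        findings.append("brand-mismatch")     # says Facebook, lands elsewhere
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link["href"], "->", triage_link(link) or ["clean"])
```

Any link that collects "brand-mismatch" together with "no-scheme" or "shortener" is worth blocking or reporting rather than opening.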

OK, I thought, this is simple enough: It’s a phishing scam designed to steal my Facebook login credentials. So I entered some gibberish into both fields, just to see what would happen. (I told you I was stupid.) Here’s what came up next:

So this was a faux Facebook page with a faux YouTube video embedded in it, which was really just a come-on for me to do a drive-by install of what would undoubtedly be some nasty bit of malware. At this point I stopped clicking.

Even I am not that stupid.

I give the spammers credit for attempting to make it look like a real Facebook page. But none of those ads on the side were live – they were just graphics. And “Youtube” is usually spelled with a capital T in the middle.

But I had to wonder: What the hell is a Twitterwink? So I visited that page and found this:

Yeah, I don’t know what that’s supposed to be, either. The site was registered to a “Jill Nelson” of “Beaverly Hills, CA.” But the real story was in where it was hosted: 2x4.ru, a Russian Web host with a less-than-pristine reputation, to put it mildly, for hosting malware and other criminal activities.
