September 22, 2009, 9:13 AM — Scammers are increasingly using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said Monday.
The latest Twitter attacks originated with malicious accounts cranked out by software, said experts at both F-Secure and Sophos. The accounts, which use variable account and user names, supposedly represent U.S. Twitter users. In some cases, the background wallpaper is customized for each account, yet another tactic to make the unwary think that a real person is responsible for the content.
Tweets from those accounts are also automatically generated, said Sean Sullivan, a security advisor with the North American labs of Helsinki-based F-Secure. Some of the tweets exploit Twitter's current "Trending Topics," the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets.
All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called "scareware" because they fool users with sham infection warnings, then provide endless pop-ups until people pay $40 to $50 to buy the useless program.
"As fast as Twitter can shut down the accounts, [the scammers] create new accounts," said Sullivan. "Somehow they're getting around the CAPTCHA, but how they're doing it, whether with a bot or by CAPTCHA farms, we don't know."
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is the technology that uses distorted, scrambled characters to block automated registration of accounts. The defense, however, has regularly been subverted by hacker-built software, or by humans who contract to decipher the characters manually.
"There's nothing cookie-cutter about these accounts," noted Sullivan, who added that scareware scammers aren't afraid to spend money to make money.
There's a lot of the latter to be had. Last year, botnet researcher Joe Stewart of SecureWorks said there was evidence some hackers were making as much as $5 million a year shilling scareware.
"A lot of these scareware campaigns don't last 24 hours," said Beth Jones, a threat researcher at U.K.-based Sophos. "By the time a [distribution] site is blocked, they've already moved on to something else."
The servers hosting the phony security software behind the Twitter attacks are located in Toronto, said Jones, who said Sophos had been monitoring those systems since June.
Because the scareware tweets use a URL shortening service -- as do most tweets to crowd as much as possible into Twitter's 140-character limit -- it's impossible for users to tell exactly where the link will take them. Jones suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination. Unfortunately, the scammers are using the Metamark shortening service ; TweetDeck doesn't support previews for Metamark.
"Scammers are using Twitter because it's a new conduit for spreading their scareware," said Jones. "They go where the money is, which means where people are, and people are on Twitter."
By late Monday, Twitter had deleted the machine-generated accounts spreading scareware that Sophos and F-Secure had revealed, but some tweets with the same malicious URL were still available on the service.
