Twitter Worm Targets Mobile Users Via Goo.gl Link Service
4:13 PM EST Tue. Dec. 07, 2010
In the latest Twitter worm attack, mobile users are subjected to a large number of messages containing only an embedded shortened goo.gl link that appears on their feed. Twitter confirmed Tuesday that it is aware of the worm and is starting to take initial steps to address the problem.
"We're aware and have sent out password resets for affected users. We'll monitor the situation in case of further iterations," said a Twitter representative in a statement.
During the attack, users who unknowingly click on the shortened goo.gl links sent to their Twitter account are immediately directed to the compromised Web site of a legitimate French furniture company, Artcan Developpement, before being redirected to a plethora of executable or PHP sites.
In addition, The Next Web notes that a circulating tweet advertising "Fllwrs" also contains an infected goo.gl link; however, it is still unclear whether this particular link is used to spread the worm. Either way, users are advised to revoke its access to the Twitter site by clicking "Settings" followed by "connections," "Find Fllwrs" and then "revoke access," should the "Fllwrs" post appear in their feed.
Whether the worm will further direct users to malicious sites remains to be seen.
So far, goo.gl links that end in "od0az" or "R7f68" have been identified as carrying the worm, but that could change as the worm's authors create different iterations of the malware.
Some of the messages were sourced to legitimate Twitter account holders, indicating that the worm has gained traction and is spreading rapidly while infecting users' accounts. However, thus far, the worm is only spreading on mobile Twitter platforms. The goo.gl link service greatly reduces the size of links to accommodate Twitter's 140-character limit for posting.
"This one is pretty tough. Most Twitter users when they link, it’s a shortened URL. When you see a shortened URL, you have no idea where it's taking you," said Anup Ghosh, founder and chief scientist for security firm Invincea. "A lot of Twitter links are at least people you trust, the Twitter worm means that people are getting infected and then the posts come from their account. A Twitter post comes with a shortened URL and I actually believe it's going to be a good link. This is a problem."
Meanwhile, mobile Twitter users are advised to steer clear of any unknown goo.gl links that pop up in their feeds.
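The message shape and link endings reported above can be turned into a simple feed triage check. The following is an added example, not code from the article or from Twitter; the function names, the sample feed and the identifier "Zz9Qx" are constructed for illustration, and goo.gl identifiers are assumed to be case-sensitive.

```python
import re
from urllib.parse import urlsplit

# Link endings the article reports as carrying the worm; expect these to change.
KNOWN_BAD_ENDINGS = ("od0az", "R7f68")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def goo_gl_paths(text):
    """Return the path of every link in text whose host is exactly goo.gl."""
    paths = []
    for raw in URL_RE.findall(text):
        parts = urlsplit(raw.rstrip(".,;)\"'"))
        if (parts.hostname or "").lower() == "goo.gl":
            paths.append(parts.path.strip("/"))
    return paths


def classify(text):
    """Classify one message body as 'known-bad', 'link-only' or 'ok'."""
    paths = goo_gl_paths(text)
    # Assumption: identifiers are case-sensitive, so compare endings exactly.
    if any(p.endswith(KNOWN_BAD_ENDINGS) for p in paths):
        return "known-bad"
    # Worm messages carried only the shortened link and no other text.
    if paths and not URL_RE.sub("", text).strip():
        return "link-only"
    return "ok"


def triage(feed):
    """Return (author, verdict) for every message that is not 'ok'."""
    hits = [(author, classify(body)) for author, body in feed]
    return [(author, verdict) for author, verdict in hits if verdict != "ok"]


# Constructed sample feed; authors and link identifiers are made up,
# except the two endings quoted in the article.
SAMPLE_FEED = [
    ("alice", "http://goo.gl/od0az"),
    ("bob", "Slides from today's talk: http://goo.gl/Zz9Qx"),
    ("carol", "http://goo.gl/Zz9Qx"),
    ("dave", "http://goo.gl.example.net/od0az"),
]

if __name__ == "__main__":
    for author, verdict in triage(SAMPLE_FEED):
        print(f"{author}: {verdict}")
```

The "link-only" verdict keeps working when the worm's authors rotate identifiers, at the cost of also flagging benign posts that contain nothing but a goo.gl link.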
Twitter has been the target for a multitude of worms since its inception, in part because of its reliance on shortened links that often mask the origins of an infected site.
In September, the microblogging site was subjected to a massive Twitter worm (http://www.crn.com/news/security/227500393/twitter-com-shuts-down-onmouseover-attack.htm) that wreaked havoc on the site by retweeting users' posts, and sending pornographic and multicolored tweets from their accounts, which occurred when they rolled over the posts with a mouse. The attack exploited a cross-site scripting vulnerability that re-emerged in August with a Twitter site update.
And it will likely get worse before it gets better, experts say. Ghosh said that Twitter users could expect similar worm attacks in 2011.
"It’s the type of attacks that we're seeing now in 2010, the attacks are focused on exploiting on users' social networks. It's no longer about getting a user to go to a malicious site," he said. "In this particular case, there's not a lot Twitter can do about it, unless they were to server every single line, and somehow able to determine that the links are malicious."