In the latest Twitter worm attack, mobile users are seeing large numbers of messages in their feeds that contain nothing but a shortened goo.gl link. Twitter confirmed Tuesday that it is aware of the worm and has begun taking steps to address the problem.
"We're aware and have sent out password resets for affected users. We'll monitor the situation in case of further iterations," said a Twitter representative in a statement.
During the attack, users who click one of the shortened goo.gl links sent to their Twitter account are first sent to the compromised Web site of Artcan Developpement, a legitimate French furniture company, and from there redirected through a series of further sites hosting executables or PHP pages.
In addition, The Next Web notes that a circulating tweet advertising "Fllwrs" also contains an infected goo.gl link, though it is still unclear whether this particular link is being used to spread the worm. Either way, users who see the "Fllwrs" post in their feed are advised to revoke the application's access to their Twitter account: click "Settings," then "Connections," find "Fllwrs" and click "Revoke access."
Whether the worm will further direct users to malicious sites remains to be seen.
So far, goo.gl links that end in "od0az" or "R7f68" have been identified as carrying the worm, but that could change as the worm's authors create different iterations of the malware.
Some of the messages have been traced to legitimate Twitter account holders, indicating that the worm has gained traction and is spreading rapidly by posting from the accounts it infects. So far, however, the worm is spreading only on mobile Twitter platforms. The goo.gl service shortens links to fit Twitter's 140-character posting limit, at the cost of hiding where each link leads.
"This one is pretty tough. Most Twitter users, when they link, it's a shortened URL. When you see a shortened URL, you have no idea where it's taking you," said Anup Ghosh, founder and chief scientist for security firm Invincea. "A lot of Twitter links are at least from people you trust; the Twitter worm means that people are getting infected and then the posts come from their account. A Twitter post comes with a shortened URL and I actually believe it's going to be a good link. This is a problem."
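The problem Ghosh describes, that a shortened link hides its destination, is one a defender can partly work around by expanding the link without visiting it: issue HEAD requests, read only the Location header at each hop, and inspect the chain before anyone clicks. The Python below is an added example, not code from the article, from Twitter or from Invincea. The goo.gl identifiers od0az and R7f68 are the ones the article reports; the sample tweets, the offline redirect map and every host name in it are constructed placeholders standing in for live responses, and the function and field names are the example's own.

```python
"""Expand shortened links hop by hop and flag known-bad goo.gl identifiers.

Added example (not the article's code). Identifiers in KNOWN_BAD_IDS come from
the article; the redirect map, sample tweets and host names are constructed.
"""
import http.client
import re
from urllib.parse import urljoin, urlparse

# goo.gl identifiers the article reports as carrying the worm.
KNOWN_BAD_IDS = {"od0az", "R7f68"}

# Matches http(s) URLs in free text; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed offline redirect map standing in for live HTTP Location headers.
# All hosts are placeholders, not the real sites named in the article.
FAKE_REDIRECTS = {
    "http://goo.gl/od0az": "http://compromised-furniture.example/index.php",
    "http://compromised-furniture.example/index.php": "http://payload-host.example/update.exe",
    "http://goo.gl/abcde": "http://blog.example/post/1",
    "http://goo.gl/loop1": "http://goo.gl/loop2",
    "http://goo.gl/loop2": "http://goo.gl/loop1",
}


def extract_urls(text):
    """Pull URLs out of tweet text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def shortlink_id(url):
    """Return the goo.gl identifier of a goo.gl link, or None for other hosts."""
    parts = urlparse(url)
    if parts.netloc.lower() != "goo.gl":
        return None
    return parts.path.strip("/") or None


def live_lookup(url, timeout=5):
    """One HEAD request; return the absolute Location target, or None if not a redirect.

    Only the redirect header is read, so nothing is downloaded or executed.
    Not exercised offline; FAKE_REDIRECTS.get stands in for it below.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", target, headers={"User-Agent": "link-triage/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)  # Location may be relative
        return None
    finally:
        conn.close()


def resolve_chain(url, lookup, max_hops=10):
    """Follow redirects via `lookup` (url -> next url or None).

    Returns (chain, status) with status "ok", "loop" or "too_long"; loops and
    over-long chains are reported rather than followed forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_long"


def triage_tweet(text, lookup=FAKE_REDIRECTS.get):
    """Score every link in a tweet; returns one finding dict per URL."""
    findings = []
    for url in extract_urls(text):
        sid = shortlink_id(url)
        chain, status = resolve_chain(url, lookup)
        reasons = []
        if sid in KNOWN_BAD_IDS:
            reasons.append("known worm shortlink id")
        if urlparse(chain[-1]).path.lower().endswith(".exe"):
            reasons.append("redirect chain ends in an executable")
        if status != "ok":
            reasons.append("redirect " + status)
        findings.append({
            "url": url, "id": sid, "chain": chain, "status": status,
            "verdict": "block" if reasons else "allow", "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample tweets, not real captures.
    for tweet in ("lol http://goo.gl/od0az", "new post http://goo.gl/abcde."):
        for f in triage_tweet(tweet):
            print(f["verdict"], f["url"], "->", " -> ".join(f["chain"][1:]), f["reasons"])
```

Passing `live_lookup` instead of `FAKE_REDIRECTS.get` turns the same triage into a real expander; the identifier match catches the two shortlinks named so far, while the chain inspection keeps working when the authors rotate identifiers, which the article warns they may do.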