Online Media Daily, Thursday, Oct 15, 2009

Botnet Attack Spreads Virus Through Twittersphere

by Laurie Sullivan, Oct 14, 2009, 6:24 PM

The Twittersphere came under a phishing attack Wednesday that sent direct messages to Twitterers. The messages, which appeared to be sent by a follower, contained a link that asked the person to type in personal information and a password.

Some of the messages ask Twitter users to click on a link to view a video. Others ask for personal information, including passwords. Amy Marshall (@amystweeting), based in Sigonella, Sicily, Italy, wrote: "Twitter virus? I got an email saying I signed up for a twitter app subscription which I DID NOT! So I didn't click the link."

@andtwinsmake5 was sent more than seven phishing direct message links from followers. @benlucier wrote: "ifortune4u.com virus/phishing/spyware mess on Twitter right now. Lots of DMs from peeps. Be careful out there, wear your Twitter condom!"

ClickForensics (@ClickForensics) sent an apology to its followers after the virus gained access to its password and took over the company's Twitter account. "Twitter DM was attacked today. To all who received DMs from us ... apologies ... we did not DM our followers. We got lots of spam, too," the post read.

Steve O'Brien, ClickForensics' vice president of marketing, doesn't quite have a handle on the scope of the attack, but surmises it involves "hundreds of thousands of accounts" based on the chatter on Twitter and his experience.

At 11:12 a.m. PST O'Brien received a direct message from another corporate account he follows on Twitter. The message read: "I think I see you here in this video." It also provided a link. O'Brien clicked on the link, which took him to a page that resembled a Twitter login page and asked for an account name and a password. When he entered the information, a fail whale page came up that read: "Twitter is overloaded. Come back later."

Anchor Intelligence Product Marketing Manager Carrie Bourguignon and Vice President of Product Management and Marketing Richard Sim both say the virus was part of an organized effort to lift data. "Say Joe's computer has been infected with spyware," Bourguignon says. "That spyware has logged the keystrokes for Joe's account credentials and uses them to access his various accounts, including his Twitter account. It is then easy for the fraudster to write a script to go through Joe's list of followers on Twitter and insert text into a direct message for all of those followers."

That text likely has a link to a malicious site that will deliver executable code to Joe's followers' computers through a virus. It occurs through a trusted relationship, so the infection rate rises for email spam or ads. The use of shortened URLs, such as those created through bit.ly and TinyURL, also contributes to the process because the shortened URLs easily mask the follower's destination, Bourguignon explains.

Joe's machine need not have been infected for this downward spiral to occur. A breach of Twitter itself, in which a fraudster hacked into the service, is another way the person could have gained access to Joe's account.

"We saw similar activity when I was at Hotmail," Sim says. "Hacked accounts are a goldmine for perpetrators looking to distribute their infections. The 'trusted relationships' involved in email, Twitter, Facebook and others make the infection rates through these channels much higher than through spam from anonymous addresses."
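As an added illustration (not part of the original article and not Twitter's own code), the pattern Bourguignon describes, one account sending the same link to many followers in a short burst, can be detected from a message log. The log format, thresholds and account names below are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed thresholds for illustration; tune them to your own traffic.
SHORTENERS = {"bit.ly", "tinyurl.com"}  # the shorteners the article names
WINDOW_SECONDS = 600
MIN_RECIPIENTS = 3
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample DM log: (epoch seconds, sender, recipient, text).
LURE = "I think I see you here in this video. http://bit.ly/EXAMPLE1"
SAMPLE_DMS = [
    (1000, "corp_acct", "alice", LURE),
    (1005, "corp_acct", "bob", LURE),
    (1010, "corp_acct", "carol", LURE),
    (1200, "dave", "alice", "Lunch menu: http://restaurant.example/menu"),
    (9000, "dave", "bob", "Menu again: http://restaurant.example/menu"),
]

def extract_links(text):
    """Return (url, host) pairs found in a message, host lower-cased."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [(u, (urlparse(u).hostname or "").lower()) for u in urls]

def find_fanout(dms, window=WINDOW_SECONDS, min_recipients=MIN_RECIPIENTS):
    """Flag (sender, url) pairs sent to many distinct recipients in one window."""
    seen = defaultdict(list)  # (sender, url) -> [(ts, recipient, host)]
    for ts, sender, recipient, text in dms:
        for url, host in extract_links(text):
            seen[(sender, url)].append((ts, recipient, host))
    alerts = []
    for (sender, url), events in seen.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            recipients = {r for _, r, _ in events[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            alerts.append({"sender": sender, "url": url,
                           "recipients": sorted(best),
                           "shortened": events[0][2] in SHORTENERS})
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_DMS):
        print(alert)
```

The `shortened` flag marks alerts where the link's real destination is hidden behind a shortener, so an analyst knows to resolve it in an isolated environment before judging the landing page.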

Ironically, Twitter's API Guru Marcel Molina tweeted about adding a "Report as spam" button to twitter.com to now "also simultaneously block and report a user as a spammer via the API."

"Realize that no automated action is taken from the report being created, but know your request has been received," he writes.
