Posted by: Barracuda Labs
Last night, a Purewire employee was directed to a Rogue AV website after clicking on a link in a tweet that matched a popular topic. Subsequent analysis uncovered an active Rogue AV propagation campaign that attempts to lure users to malicious websites via tweets that contain popular terms searched on Twitter.
The malicious tweets draw part of their word content from Twitter’s Trending Topics list.
[Screenshot: Twitter Trending Topics list at the time of this writing]
Searches that use some of the above topics lead to these tweets.
hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54
which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points.
All of the above sites serve JavaScript-based fake system scanners, which attempt to compel the user to download Windows PC Defender, a brand of Rogue AV software. AV detections for the Rogue AV malware instance served are non-existent.
Users of the PWSS are protected from this campaign.
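A defender-side check built from the traffic distribution URL above, added here as an example and not part of the original post: it flags proxy-log requests that go to the published host or to any host whose URL has the same root-path uid/pid/ttl shape. The log format, the sample lines and the premise that the URL shape persists when the domain changes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The one indicator the post publishes, kept defanged as written there.
PUBLISHED_IOC = "hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54"

def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

def tds_shape(url):
    """True if the URL matches the published link's shape: root path, exactly
    the keys uid/pid/ttl, numeric uid and pid, hex ttl (length is assumed)."""
    parts = urlsplit(refang(url))
    q = parse_qs(parts.query, keep_blank_values=True)
    if parts.path not in ("", "/") or set(q) != {"uid", "pid", "ttl"}:
        return False
    if any(len(values) != 1 for values in q.values()):
        return False  # repeated parameters do not match the published link
    return (q["uid"][0].isdigit() and q["pid"][0].isdigit()
            and re.fullmatch(r"[0-9a-f]{8,16}", q["ttl"][0], re.I) is not None)

def scan(log_lines):
    """Return (client, host, reason) for each line worth triage.
    Assumed log format: '<timestamp> <client_ip> <method> <url>'."""
    ioc_host = urlsplit(refang(PUBLISHED_IOC)).hostname
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at fields
        client, url = fields[1], fields[3]
        host = urlsplit(refang(url)).hostname
        if host == ioc_host:
            hits.append((client, host, "known-host"))
        elif tds_shape(url):
            hits.append((client, host, "tds-shape"))
    return hits

# Constructed sample lines; timestamps, clients and .example hosts are made up.
SAMPLE_LOG = [
    "2000-01-01T09:12:01Z 10.0.0.7 GET " + refang(PUBLISHED_IOC),
    "2000-01-01T09:12:40Z 10.0.0.9 GET http://tds.example/?uid=7&pid=12&ttl=a1b2c3d4e5f",
    "2000-01-01T09:13:02Z 10.0.0.9 GET http://shop.example/item?uid=7&pid=12",
    "2000-01-01T09:13:30Z 10.0.0.4 GET http://news.example/",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "tds-shape" hit is a triage lead rather than a verdict, since legitimate sites can use the same parameter names.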