Early today, Kaspersky Lab discovered a new ongoing spam campaign on Twitter. hundreds of compromised accounts are currently spamming malicious links, hosted on .TK and .tw1.su domains, leading to Rogue Anti Virus softwares.
Here is an analysis of the infection at a given time. Keep in mind that it is just a snapshot of the infection, and that the numbers are actually lower than reality.
The compromised accounts spammed up to 8 messages per second, with links redirecting users to the infamous BlackHole exploit kit.
Upon following such a link, users received an alert about malicious activities on their computer and the need to do a fast scan of their system files
Here is the above mentioned fast system scan:
At the end of the "scan", they are invited to install a fake Anti Malware solutions. During our tests, several variants were pushed to the infected machines, which were the same threat using different names. Here is one of them:
Kaspersky Lab is still monitoring the campaign and here are a few statistics we would like to share.
We started monitoring the campaign for a little less than two hours where a total number of 453 compromised Twitter account where being used to spam malicious links. The campaign was divided in two. Links to .TK domains and links to .tw1.su.
The .TK TLD
153 unique users were actively sending links to .TK domains, with a count of 20 unique domains used. We recorded 656 messages sent.
The .TW1.SU TLD
300 unique users were actively sending links to .tw1.su domains, with a count of 21 unique domains used. We recorded 758 messages sent.
At this point, the domains weren't resolving anymore and the spamming slowed down until it stopped. The top domains was used in 95 Tweets.
Campaign Monitoring: Part 2
The campaign quickly restarted with only 3 unique .TK domains this time in a much more agressive way and is still ongoing.
The top domain from the first part of the campaign was present in 95 tweets only. Here is the number of Tweets we recorded for the new ones:
WI[redacted]K.TK 884 VI[redacted]DA.TK 890 RE[redacted]LOS.TK 929
This time, we recorded a number of 317 unique users actively spamming the new domains. 87 users were new and not used in the first part of the campaign.(230 overlapping from the first part of the campaign).
Our analysis is just a snapshot at a given time, and is lower than reality. The campaign is still ongoing as we publish our analysis. From our small monitoring, we can say that:
The total number of unique Twitter account that were recorded is: 540
The total number of unique domains used: 44
The total number of recorded Tweets is: 4148
The malicious samples we gathered were already detected by Kaspersky Lab and our customers were protected since the start of the campaign. Threats detected as: Trojan-FakeAV.Win32.Agent.dqs and Trojan-FakeAV.Win32.Romeo.dv
Many thanks to my colleague Vicente Diaz for helping monitoring the Malicious Campaign.