“Must-See” Tweets Point to Fake Antivirus

[Jack]

Experts have found a number of Twitter bots that are being utilized to advertise so-called “must-see” content. Users who click on the links are redirected to websites that serve a fake antivirus.

The link found in the posts appears to point users to a site called fuuut.tk. In reality, internauts are taken to detectoptimizersupervision.info, a site that hosts a piece of malware identified by GFI as Trojan.Win32.Fakeav.tri (v), part of the FakeVimes family.


According to researchers, the sites involved in this campaign are changed every six hours, newer versions of the scheme trying to lure Twitter customers with “young girls.”

“The links being spread at the moment are particularly nasty, using the Blackhole exploit kit to drop Winwebsec on the target PC, then redirect the end-user to another Fake AV site where a “24 hour roguelies in wait – Windows Antivirus Patch being the malicious file in question,” GFI’s Chris Boyd wrote.


Read more: http://news.softpedia.com/news/Must-see-Tweets-Point-to-Fake-Antivirus-264996.shtml

 

[Tom172]

This tactic is both so successful and almost impossible to stop. The only way is by word of mouth and even by the time people have been heard about it it's already to late.

 

[jamescv7]

On Twitter, most of the links were shorten l which an advantage to hidden the malicious links and users have no more hesitate to click it.

But thanks for sites providing to reveal shorten links on the original location.

 

[Jack]

I have stumble upon a lot of samples from the FakeVimes family and I've notice that most of samples have porn like name (Eg: xxx-porn.avi.exe or animal-sex.avi.exe) so I would say that most of the users got infected while they were searching for porn or redirected to porn sites
I've also noticed that each day around 1:00 PM ( Romania hour) a new variant it's released and that most of the attacks have as start point .in or .tk domains.

 

[Prorootect]

For now - with fuuut.tk I have tweeter warning, then if I wish - ww90.Cheapheadphonesnow.com spam page, safe for now ..

And with the link goo.gl/uqlbb for 'Hot schoolgirl'- on 'Big L' twitter page: I have Google url shortener warning page: 'This URL has been disabled' ; 'Note that goo.gl short URLs may be disabled for spam, security or legal reasons.'

So Big L tweeter site screenshot for your good feeling (you see you see?..):

.. and Big L shot, why not:

.. enhanced for free ..

.. so Big L Favorites you see:

..'Damn be black and proud lol' .. ' I miss you baby ..'

 

[Jack]

It seems like the guys who are behind Security Shield , are also the creators of FakeVimes as today they are serving on some sites a new variant for Security Shield. - http://malwaretips.com/Thread-Remove-Security-Shield-2012-from-your-PC

 

[Littlebits]

I have been involved in computer security since the days of Windows 95 and these rogue security products have been the most successful for infecting systems that I have seen out of all malware types. Most of the zero-day malware fall into this category. Most AV's just don't detect them but if you are an experience user is is very easy to avoid them altogether since they don't use vulnerabilities in web applications or drive-by installation, they have to be manually downloaded and installed by the users.

Knowing how to spot the fake alerts on websites is the only effective defense against them.

Thanks.