The email that begins the attack looks like authentic communications from Twitter with a link ostensibly to twitter.com.
However, the link provided by the attacker does not actually link back to Twitter, but to a Google Groups page where the malware is currently hosted. The use of Google Groups to distribute malware has been a continuing trend since zvelo first blogged about it last month.
Virus Total shows a moderate detection rate of 21 out of 41 anti-virus companies that currently detect this threat. For users whose anti-virus software does not detect the threat, a download will result in an infection with the rogue anti-virus malware. The malware launches a “Protection Center,” which runs a fake anti-virus scan ostensibly revealing the machine is infected by a slew of viruses. The user must activate the software to remove the bogus infections, handing their credit card info over to cyber criminals.
The cybercriminals behind this attack make excellent use of social engineering tricks to fool users into installing this malware. They use the topic of stolen Twitter account credentials to get the users’ attention, then link to Google Groups to make users feel comfortable with the download, and finally use convincing fake anti-virus scans to make the user believe their machine is infected.
zvelo is flagging these infected Google Groups pages as Compromised.