Computer Security: Enormous Twitter Attack

A while ago, I received a spam email. The email came from an obviously hacked account, and contained nothing but a Web URL.

This usually means either a phony pharmacy spam or a computer virus. Since I am interested in these things, and since I keep virtual machines with redundant backups so I’m not too concerned about malware, I followed it. It led to a GoDaddy site which redirected to a PHP redirection script living on a hacked Web site which led in turn to a fake antivirus page–a page that throws up a phony virus “warning” and prompts the mark to download an antivirus program to “fix” the problem. The supposed “antivirus program” is, of course, actually malware. Pretty run-of-the-mill stuff. I reported it to the Web hosts and moved on.

Then, a few days later, I started seeing Twitter posts that were just a URL. These posts led to a hacked site…which led to the same redirector, which then led on to the same malware sites.

Then I started seeing more. And more and more and more. And still more.

I did a Google search. Just one of the hacked sites, an Indian site called cowmamilk.com, had over 257 **MILLION** mentions on Twitter, which some quick investigating shows were coming from at least 500,000 Twitter accounts that were being used to blast the URL far and wide. 257 million searchable mentions for just a single attack URL!

This is a huge scale attack, flooding Twitter with hundreds of millions of mentions of hacked Web sites that in turn redirect to a traffic handler which then sends visitors on to computer malware.

I did some more investigating, mapping out the patterns of redirections, visiting the sites again and again with my browser user agent set in different ways, watching what happened. After a while, I was able to build a map of the attack, which looks something like this:

And I found some really interesting things.
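To reproduce the mapping step described above (walking each redirect chain once per User-Agent string and recording where it ends), here is an added example in Python; it is not the author's code, and the hostnames in the offline sample table are hypothetical stand-ins for the hacked site, the PHP redirector and the fake-antivirus page.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)

def next_hop(status, headers, body, url):
    """Where a browser would go next: a 3xx Location header or a <meta refresh>; None if the chain ends."""
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"])
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def follow_chain(fetch, start, user_agent, max_hops=10):
    """Walk one chain with one User-Agent; fetch(url, ua) -> (status, headers, body).
    Returns (urls_visited, reason), reason being 'end', 'loop' or 'max_hops'."""
    chain = [start]
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1], user_agent)
        nxt = next_hop(status, headers, body, chain[-1])
        if nxt is None:
            return chain, "end"
        chain.append(nxt)
        if chain.count(nxt) > 1:            # bounced back to an earlier hop: cloaking or a trap
            return chain, "loop"
    return chain, "max_hops"

def http_fetch(url, user_agent, timeout=10):
    """Live fetcher (makes real requests); redirects are NOT followed automatically so every hop is recorded."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read(65536).decode("utf-8", "replace")

# Constructed offline stand-in for http_fetch (hypothetical hostnames): a hacked page meta-refreshes to a
# PHP redirector, which sends browsers on to the fake-AV page but bounces a crawler back to the hacked site.
FAKE_WEB = {
    ("http://hacked.example/", "*"): (200, {}, '<meta http-equiv="refresh" content="0;url=http://redir.example/go.php">'),
    ("http://redir.example/go.php", "Mozilla/5.0 (Windows NT 6.1)"): (302, {"location": "http://fakeav.example/scan.html"}, ""),
    ("http://redir.example/go.php", "Googlebot/2.1"): (302, {"location": "http://hacked.example/"}, ""),
    ("http://fakeav.example/scan.html", "*"): (200, {}, "<html>Warning! Your computer is infected!</html>"),
}

def sample_fetch(url, user_agent):
    return FAKE_WEB.get((url, user_agent)) or FAKE_WEB.get((url, "*")) or (404, {}, "")
```

Swapping `sample_fetch` for `http_fetch` runs the same walk against live hosts; comparing the chains per User-Agent is what exposes the redirector's cloaking.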

More technical details, as well as screen shots of the malware sites, under this cut. If you’re interested, clicky here!