A while ago, I received a spam email. The email came from an obviously hacked account, and contained nothing but a Web URL.
This usually means either a phony pharmacy spam or a computer virus. Since I am interested in these things, and since I keep virtual machines with redundant backups so I’m not too concerned about malware, I followed it. It led to a GoDaddy site which redirected to a PHP redirection script living on a hacked Web site which led in turn to a fake antivirus page–a page that throws up a phony virus “warning” and prompts the mark to download an antivirus program to “fix” the problem. The supposed “antivirus program” is, of course, actually malware. Pretty run-of-the-mill stuff. I reported it to the Web hosts and moved on.
Then, a few days later, I started seeing Twitter posts that were just a URL. These posts led to a hacked site…which led to the same redirector, which then led on to the same malware sites.
Then I started seeing more. And more and more and more. And still more.
I did a Google search. Just one of the hacked sites, an Indian site called
This is a huge-scale attack, flooding Twitter with hundreds of millions of mentions of hacked Web sites that in turn redirect to a traffic handler which then sends visitors on to computer malware.
I did some more investigating, mapping out the patterns of redirections, visiting the sites again and again with my browser user agent set in different ways, watching what happened. After a while, I was able to build a map of the attack, which looks something like this:
And I found some really interesting things.
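The mapping described above (replaying each URL under different browser user agents and recording every hop) can be scripted rather than done by hand. The following is an added example, not the author's code: a small redirect-chain mapper that never lets the HTTP client follow redirects on its own, so every intermediate host is logged, and that replays each start URL once per User-Agent so that a traffic handler which answers browsers and crawlers differently shows up as two different chains. All hostnames use the reserved `.invalid` TLD and the "network" is a constructed in-memory table; that the redirector sends browsers on and crawlers to a harmless page is an assumption built into the sample, chosen to illustrate why one varies the user agent at all. The `fetch` callable is the only part to swap for a real client on live data.

```python
from urllib.parse import urljoin

# Two real User-Agent strings to replay each URL under; a cloaking redirector
# may treat them differently.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "crawler": "Googlebot/2.1 (+http://www.google.com/bot.html)",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample chain (hostnames are placeholders, not real sites):
# hacked site -> parked page -> PHP redirector, with one relative Location
# value to show why hops must be resolved against the current URL.
CHAIN_TABLE = {
    "http://hacked-site.invalid/": (302, "http://parked-page.invalid/?r=1"),
    "http://parked-page.invalid/?r=1": (302, "/go.php?id=7"),
    "http://parked-page.invalid/go.php?id=7": (302, "http://redirector.invalid/in.php"),
}


def simulated_fetch(url, user_agent):
    """Constructed stand-in for an HTTP GET with automatic redirects disabled.

    Returns (status, location); location is None for a final page. The
    redirector hop is assumed to cloak: a browser UA is sent on to the
    fake-AV landing page, anything else gets a harmless 200.
    """
    if url == "http://redirector.invalid/in.php":
        looks_like_browser = "Mozilla" in user_agent and "bot" not in user_agent.lower()
        return (302, "http://fake-av.invalid/scan/") if looks_like_browser else (200, None)
    return CHAIN_TABLE.get(url, (200, None))


def follow_chain(start_url, user_agent, fetch=simulated_fetch, max_hops=10):
    """Follow Location headers one hop at a time.

    Returns (hops, stop_reason): hops lists every URL visited including the
    start; stop_reason is 'final', 'loop' (a URL repeated) or 'max_hops'
    (gave up after max_hops redirects, which guards against endless
    redirect loops that change a query parameter on every hop).
    """
    hops = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in REDIRECT_CODES or location is None:
            return hops, "final"
        url = urljoin(url, location)  # resolve relative Location values
        hops.append(url)
        if url in seen:
            return hops, "loop"
        seen.add(url)
    return hops, "max_hops"


def map_by_user_agent(start_url, fetch=simulated_fetch, agents=USER_AGENTS):
    """Replay one start URL under every User-Agent; returns {name: hops}."""
    return {name: follow_chain(start_url, ua, fetch)[0] for name, ua in agents.items()}


def is_cloaked(chains):
    """True when different User-Agents end at different final URLs, the
    signature of a traffic handler hiding its payload from crawlers."""
    return len({hops[-1] for hops in chains.values()}) > 1


if __name__ == "__main__":
    chains = map_by_user_agent("http://hacked-site.invalid/")
    for name, hops in chains.items():
        print(name + ":")
        for i, hop in enumerate(hops):
            print(f"  {i}: {hop}")
    print("cloaking detected:", is_cloaked(chains))
```

On live data, replace `simulated_fetch` with a function that issues one GET with redirects disabled (for example `urllib.request` with a handler that refuses to follow 3xx) and returns the status and `Location` header; keep the hop cap and loop check, since real redirectors are happy to bounce a client forever.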
More technical details, as well as screen shots of the malware sites, under this cut. If you’re interested, clicky here!