Large-scale hack attack against Twitter?

I woke up late this morning, had breakfast, made some tea, checked my Twitter feed (as one does), and in amongst all the pictures of cats, half-naked selfies, BDSM porn, and links to articles about neurophysiology and evolutionary biology that make up my Twitter feed, I noticed something very odd. About 15% of my Twitter followers were posting things that look like this:

And imagine my surprise when one of the accounts posting these types of messages belonged to me; namely, my Promiscuity Keepers Twitter feed, where I post links to articles about sex and sexuality.

So it appears there’s a pretty large attack going on against Twitter right now. I am not sure if the attack is simply a brute-force hack against account passwords, or if the hackers have somehow penetrated Twitter itself and made off with lists off accounts and (hashed? hashed and salted? exposed?) passwords. Because of the suddenness and number of accounts compromised, my gut says it might be an attack on Twitter’s servers directly, rather than a brute-force attack against individual accounts. (The password I use is, of course, a long string of letters and numbers, rather than, say, the word “password” or “secret” or the other hideously insecure passwords people often use.)

I logged in to my Twitter account (after some faffing with Twitter’s “forgot my password” link) and discovered something interesting: The hackers are authorizing malicious Twitter apps with read/write access, presumably to mass-broadcast spam to many Twitter accounts at once.

Resetting a password on a hacked account without revoking access to these malicious apps will allow the hackers to retain control of the account. It’s possible the hackers are using these malicious apps to gain control of the hacked accounts directly, by forging permission to allow the account to authorize the apps.

In any event, the Spamvertised links all point to a Web site hosted by a German Web hosting firm called plusserver.de. It’s a Russian-language file-sharing site, and each of the Spamvertised links claims to be a driver package for some model of computer.

Naturally, I downloaded one of these files, then uploaded it to Virustotal for analysis. And, unsurprisingly, it’s malware:

InstallMonster is a malware package designed to cheat online advertisers out of money for the virus writers. Whenever a user of an infected computer clicks on certain Web links, the malware changes the link in such a way as to make it seem like the click came from a revenue sharing, advertising, or affiliate marketing site, and the malware writer receives a small commission for the click.

The malware is sold openly from a Russian-language site called getfile.eu, hosted by a Web hosting outfit in Cyprus called hostzealot.com.

So to recap: Attackers are gaining access to large numbers of Twitter accounts and using them to spam malware. The malware is an off-the-shelf package designed to allow its users to profit from click fraud; the malware authors operate a site hosted on hostzealot.com. The compromised Twitter accounts have read/write access granted by malicious Twitter apps. They’re being used to spread links to the InstallMonster malware, probably not from the malware’s actual authors, but from people who’ve bought a copy of InstallMonster and customized it to direct money to them. (That’s increasingly the way the malware industry works: people create turnkey malware kits which they then sell to other criminals.)

IF YOUR TWITTER ACCOUNT IS HACKED: It’s not enough just to change your password! You must also go to your Apps control panel in your profile and revoke access to the malicious apps!