A new virus is spreading around Twitter using the Google ‘goo.gl’ URL shortening service, posing as anti-virus software. Affected users may see tweets with links in their timelines ending with “m28sx.html”, says Graham Cluley of security firm Sophos.
Clicking on the link takes the user to a page that claims the computer is infected and attempts to trick him or her into installing the malware-infected software and paying for disinfection. Once downloaded, the virus posts a tweet containing the link under the user’s account in an attempt to infect his or her followers.
It is not immediately clear how the malware is gaining access to Twitter’s API to make these posts. Typically a user must authorize any external applications to gain access to post tweets. Cluley said he isn’t sure either.
“The natural suspicion would be that their usernames and passwords have been stolen,” he wrote in a blog post. “It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately.”
Twitter has acknowledged the issue. “We’re working to remove the malware links and reset passwords on compromised accounts,” Twitter’s security chief Del Harvey said in a tweet on Thursday night.
Sophos is calling the virus ‘Troj/FakeAV-CMG.’ The company’s software has been protecting its customers since January 12, Cluley said. Kaspersky is also offering protection in its own software.
This isn’t the first time Google’s URL shortener goo.gl has been the source of malicious activity. Last month, a worm made its way across Twitter posting links to a fake French furniture site. Clicking on the link would take the user to a site that would then execute code and help to propagate the worm.