Phishing campaigns step up with hits on Twitter and Fotolog this week

News by Dan Raywood

Warnings have been made about a worm that spreads through the photo sharing website Fotolog.

The worm, detected as FTLog.A by PandaLabs, spreads through the photo-blogging site by inserting a comment in the targeted user's page prompting them to click a link, supposedly pointing to a video.

If the user clicks the link, the system will ask for permission to download the worm, which is disguised as a DivX video codec.

Once installed, FTLog.A redirects the browser to a site with explicit content and a web page that asks users for their data in order to claim a (false) prize. If the user clicks 'Get Free Access', a setup.exe file is downloaded which, once run, installs the Media Pass plug-in. This also changes the browser home page and injects code into the browser to display pop-up ads, disrupting the user's browsing experience.

Luis Corrons, technical director of PandaLabs, said: "Cyber crooks are increasingly exploiting social networking sites to spread their creations as they offer a huge number of potential victims. We have already seen malicious code that exploits Facebook or Twitter. This time it is Fotolog's turn unfortunately."

Twitter has been the subject of phishing campaigns this week, with users reportedly receiving direct messages in which the text 'This you???' prefaces a shortened URL that leads to a fake Twitter login page.

Webroot's Andrew Brandt said: "The fake login page is hosted on a domain that points to a server in China. Other domains that are currently hosted on that same server's IP address have previously been implicated in spam campaigns touting cheap pharmaceuticals.

"It appears a lot of people may get tripped up in the rush to see what the link is all about. After you type anything at all into the phishing version of the Twitter login form, your browser is redirected to a hastily created page on Blogspot. Meanwhile, the tweets keep on coming."

Mary Landesman, senior security researcher at ScanSafe, said: "When Twitter accounts are phished, the 140 character limitation makes it a bit harder to convey the message. Using as few words as possible, try to include enough details about the message sent so folks can identify it, ended with a brief 'I'm sorry'. Don't ever include a link in that apology – after all, it was clicking on a link that got folks in trouble in the first place.

"This brings up another point. Instead of typing very brief generic messages when sending legitimate links, get in the habit of including some identifying info so that the recipient can tell that the human you really did intend to send it. For example, instead of sending 'Check out this funny video', always include more specifics like, 'Funny video - reminds me of that crazy guy we saw on the beach in the Bahamas'. If enough folks adopted this habit, it would become much easier to distinguish the really generic messages as being likely phishing/malware attacks."

