Update: 6/4/09 – Rogueware campaign on Twitter continues…

"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.

I clicked on the section inside of the trending topics group and ironically the links in the tweets looked fishy.

I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.

Connections/Redirects leaving Twitter:


Clicking on any element inside of the PornTube page resulted in a run-of-the-mill Adware/PrivacyCenter infection, but the interesting part of it all is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to effectively trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.