Twitter users may be victims of direct message malware
Security analysts say that suspicious direct messages from Twitter friends with links to Facebook, which have been popping up lately, could be malicious "backdoor trojans."
A friend of mine recently sent me a direct message on Twitter, it said "lol u didnt se them taping u" and had a link to Facebook. I hadn't remembered being taped in the past few days and I'd never seen my friend use this type of Twitter-shorthand, along with typos. To me, it was obviously spam.
I'm not the only one to be getting these spammy direct messages on Twitter that lead to bogus Facebook links. Apparently a lot of people have been complaining of these messages, according to Sophos analyst Graham Cluley who wrote about it on the Naked Security blog.
Different variations of the direct messages include, "your in this [link] lol" and "lol ur famous now [link]" (I got this one too).
Of course, I didn't click on the link. However, according to Cluley, those people that do click are led to a video player that says, "An update to Youtube player is needed." Users are asked to download what is supposedly called "FlashPlayerV10.1.57.108.exe," but Sophos antivirus products detect it as Troj/Mdrop-EML, which is a backdoor Trojan that can copy itself to accessible drives and network shares.
A Slate reporter wrote that he clicked on the bogus link and was directed to Facebook where he was told he had to log in to access an app. It's unclear if this link also contained some sort of virus, Trojan, or malware.
Twitter spam is nothing new. In the past, among other types of phishing, users gotthat then prompted recipients to click malicious links. Phishing has been so annoying to the social network that in April it announced that it was in federal court.
Facebook has also had its fair share of spam and phishing. Last year, spam-artist Sanford Wallace was accused of to send 27 million spam e-mails on the social network. Even though Wallace surrendered to the FBI, Facebook users still receive copious amounts of spam. Last month, the social network announced a new attempt to curb the practice by , firstname.lastname@example.org, where users can send the social network notices of phishing.
The source of Twitter's new direct message spam campaign is not yet known. It's also unclear if the social network is doing something to stop it. CNET contacted Twitter for more information and we'll update the story when we hear back.