Twitter users may be victims of direct message malware

Security analysts say that suspicious direct messages from Twitter friends with links to Facebook, which have been popping up lately, could be malicious "backdoor trojans."

Dara Kerr Former senior reporter

A friend of mine recently sent me a direct message on Twitter that said "lol u didnt se them taping u" and included a link to Facebook. I didn't remember being taped in the past few days, and I'd never seen my friend use this kind of Twitter shorthand, typos included. To me, it was obviously spam.

I'm not the only one to be getting these spammy direct messages on Twitter that lead to bogus Facebook links. Apparently a lot of people have been complaining of these messages, according to Sophos analyst Graham Cluley who wrote about it on the Naked Security blog.

Different variations of the direct messages include, "your in this [link] lol" and "lol ur famous now [link]" (I got this one too).

Of course, I didn't click on the link. However, according to Cluley, those who do click are led to a video player that says, "An update to Youtube player is needed." Users are then asked to download a file named "FlashPlayerV10.1.57.108.exe," which Sophos antivirus products detect as Troj/Mdrop-EML, a backdoor Trojan that can copy itself to accessible drives and network shares.

This is the spam I got via Twitter direct message. Screenshot by Dara Kerr/CNET

A Slate reporter wrote that he clicked on the bogus link and was directed to Facebook where he was told he had to log in to access an app. It's unclear if this link also contained some sort of virus, Trojan, or malware.

Twitter spam is nothing new. In the past, among other types of phishing, users got e-mails masquerading as Twitter support messages that then prompted recipients to click malicious links. Phishing has been so annoying to the social network that in April it announced that it was suing five popular spam tool providers in federal court.

Facebook has also had its fair share of spam and phishing. Last year, spammer Sanford Wallace was accused of breaking into 500,000 accounts to send 27 million spam e-mails on the social network. Even though Wallace surrendered to the FBI, Facebook users still receive copious amounts of spam. Last month, the social network announced a new attempt to curb the practice by launching a dedicated e-mail address, phish@fb.com, where users can report phishing to the social network.

The source of Twitter's new direct message spam campaign is not yet known. It's also unclear if the social network is doing something to stop it. CNET contacted Twitter for more information and we'll update the story when we hear back.