Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google's Web address shortening service to conceal the links' destination.
The links, masked by Google's "goo.gl" URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.
Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called "Security Shield."
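The redirect pattern described above (shortened link, several intermediate redirects, final landing on a bare IP address) can be checked for in recorded redirect chains, such as those a web proxy or URL-expansion service logs. The following Python sketch is an added example, not code from Kaspersky Lab or Twitter; the function names, the hop threshold and every URL in the sample chains are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Shortener named in the article; extend with others seen in your own logs.
SHORTENER_HOSTS = {"goo.gl"}

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_chain(chain, max_hops=3):
    """chain: ordered URLs from the clicked link to the final landing page.
    max_hops is an assumed threshold for 'a series of redirects'."""
    hosts = [host_of(u) for u in chain]
    findings = []
    if hosts and hosts[0] in SHORTENER_HOSTS:
        findings.append("starts_at_shortener")
    # Count redirects that cross from one host to a different one.
    cross_host = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if cross_host >= max_hops:
        findings.append("many_cross_host_redirects")
    if hosts and is_ip_literal(hosts[-1]):
        findings.append("lands_on_bare_ip")
    return findings

def is_suspicious(chain):
    """Flag only the combination: a shortener alone is normal traffic."""
    f = assess_chain(chain)
    return "starts_at_shortener" in f and "lands_on_bare_ip" in f

# Constructed sample chains (placeholder hosts, documentation IP range).
SAMPLE_SUSPICIOUS = [
    "http://goo.gl/PLACEHOLDER",
    "http://hop1.example/r",
    "http://hop2.example/r",
    "http://landing.example.ua/",
    "http://203.0.113.7/scan",
]
SAMPLE_BENIGN = [
    "http://goo.gl/PLACEHOLDER2",
    "https://www.example.org/article",
]

if __name__ == "__main__":
    for name, chain in [("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)]:
        print(name, assess_chain(chain), is_suspicious(chain))
```
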
Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer's software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.
Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that "we're working to remove the malware links and reset passwords on compromised accounts."
"Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?" she wrote. "That's malware. Don't install."
Although Brulez classified the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.