Twitter 'Direct Messages' pushes to adware site
2009.January.05

The Fortinet Global Security Research Team has investigated a series of malicious Twitter direct messages that push users to a site offering potentially unwanted software in the form of free games.

Malicious "Direct Messages" (aka DM) are circulating on Twitter, leading unsuspecting users to a site offering potentially unwanted software in the form of free games. The malicious messages "spamvertise" iPhone-related websites:

Wanna win the new iPhone? It's so easy and cool, I love this thing! Visit: http://iphone[REMOVED].info

Clicking on that link leads, via redirection, to a site known for its adware/spyware history:

Figure 1: Play for Free Now!

Freeze.com gained a controversial reputation due to the disputed morality of its business model, which consists in bundling several potentially unwanted components (thus generating money via the affiliation programs of those components) with games or applications such as screensavers. As for the security industry's position, our colleague McAfee's SiteAdvisor ranks it as "red": http://www.siteadvisor.com/sites/freeze.com.

Upon clicking anywhere on the page displayed in Figure 1 above, users are prompted to download and install a file named "games.exe". In addition to a game, running this file launches the installation of various applications (Yahoo Toolbar, Smartshopper, Seekeen, Relevant Knowledge, Registry Power Cleaner, etc.), depending on the user's hardware and software configuration. Needless to say, each of these applications rewards Freeze upon each successful installation, via their own affiliation programs. While not malware, "games.exe" is a potentially unwanted application; Fortinet offers its customers grayware detection for it under the name "Adware/Freeze." Since redirects are used, it is important to remember that such attacks can quickly shift shape and lead a victim to alternative sites at any given time.
Twitter's direct messages carrying these links are emitted by Twitter accounts that have been compromised -- most likely in the recent phishing operation targeting Twitter. This two-stage operation (phishing, then spamvertising) is a well-documented trend of Spam 2.0 that has hit all the major Web 2.0 sites (MySpace, Facebook, YouTube, etc.) over the past two years. It leverages the trust that "friends" on social networks have in each other: people are more likely to click on a link if it comes from a friend. The scheme's efficiency ensures significant revenues in short time-frames (further details about the whole process and the economics behind it were given at the VB2007 conference [1], and are summarized here). It is rare, however, that compromised accounts are used to push adware/spyware installation, or malware (although it recently happened to Facebook with the infamous Koobface worm).

Twitter has been notified, and freeze.com has been informed that one of their affiliates is using compromised Twitter accounts to seed their bundles and increase his/her installation bonus.

Updates:

The same DM carrying rogue links is being reported by blogger "Jerell": http://www.twittertruth.com/?p=71

He reports that the same link leads to a different site, scamming users into subscribing to a mobile service that charges them $6 per week. This is an effect of a geolocalization layer introduced by the gang using the compromised Twitter accounts. Because the mobile service most likely works only in the US, users whose IP is located in other countries are sent to freeze.com instead. Financial gains stemming from the initial phishing operation are therefore optimized, and no potential victim is left aside. Since the other link he reports (hxxp://helloiphones.com) leads to the same geolocalization layer and the same end-points (winicane.com or freeze.com), it tells us more about the gang behind the whole operation.
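The two signals a defender can use to spot accounts hijacked for this scheme are the lure text itself (the "win the new iPhone" message with a link) and one account sending the same link-bearing message over and over to its contacts. The script below is an added example, not code from Fortinet's post: it scans a constructed batch of DMs, the sender names, placeholder domains and the lure word list are all assumptions, and it reports which senders show either signal.

```python
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
# Words typical of the "win the new iPhone" lure quoted above (hypothetical list, tune to taste).
LURE_WORDS = {"win", "free", "iphone", "prize"}

# Constructed sample DMs as (sender, recipient, text); the domains are placeholders, not real.
SAMPLE_DMS = [
    ("alice", "bob", "Wanna win the new iPhone? It's so easy and cool, I love this thing! Visit: http://iphone-PLACEHOLDER.info"),
    ("alice", "carol", "Wanna win the new iPhone? It's so easy and cool, I love this thing! Visit: http://iphone-PLACEHOLDER.info"),
    ("alice", "dave", "Wanna win the new iPhone? It's so easy and cool, I love this thing! Visit: http://iphone-PLACEHOLDER.info"),
    ("bob", "alice", "lunch tomorrow? http://example.org/menu"),
    ("carol", "bob", "check this out http://example.net/photos"),
]

def extract_urls(text):
    """Return every http(s) URL in a message."""
    return URL_RE.findall(text)

def normalize(text):
    """Lower-case and drop URLs so copies of one lure with rotated links still compare equal."""
    return " ".join(URL_RE.sub("", text).lower().split())

def is_lure(text):
    """A message looks like the lure when it carries a link and at least two lure words."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return bool(extract_urls(text)) and len(words & LURE_WORDS) >= 2

def flag_senders(dms, repeat_threshold=3):
    """Return {sender: sorted reasons} for senders showing either signal."""
    per_sender = defaultdict(Counter)
    reasons = defaultdict(set)
    for sender, _recipient, text in dms:
        urls = extract_urls(text)
        if not urls:                      # only link-bearing messages spread the scheme
            continue
        per_sender[sender][normalize(text)] += 1
        if is_lure(text):
            reasons[sender].add("lure pattern with link(s): " + ", ".join(urls))
    for sender, counts in per_sender.items():
        for n in counts.values():
            if n >= repeat_threshold:
                reasons[sender].add(f"same link-bearing message sent {n} times")
    return {s: sorted(r) for s, r in reasons.items()}

if __name__ == "__main__":
    for sender, why in flag_senders(SAMPLE_DMS).items():
        print(sender, "->", "; ".join(why))
```

Because the redirect chain behind the link changes by visitor geolocation, the flagged URLs should be resolved from more than one vantage point before any single end-point is judged benign.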
This same domain was used in a Facebook Spam 2.0 scheme back in July 2008:

Figure 2: When a user starts saying things thrice, her account most likely got compromised

It is not the gang's first try, and most likely not the last. Moving to Twitter may be a way for them to diversify their seeding vectors, or simply to reach as many people as possible using the most currently hyped Web 2.0 site. More than likely, a combination of both.

Since this took place, the geolocalization redirects which were sending affected IPs to freeze.com have been changed and are currently pointing users to Google.

March 9, 2009: The affiliate is no longer running the campaigns; they were blacklisted because of the incident. W3i and its affiliates are aware that this is a serious issue. According to W3i, they have been monitoring affiliates more closely since Fortinet first reported this incident.

Acknowledgement: Jennifer Leggio, Fortinet, for providing the initial DM.

Notes:
[1] Menace 2 the Wires: Advances in the Business Models of Cybercriminals, Guillaume Lovet, VB2007, Vienna

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs.
Fortinet solutions were built from the ground up to integrate multiple levels of security protection -- including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.