Beware Goo.Gl Fake Antivirus Worm on Twitter

Twitter and Twitter users are being targeted by a malicious worm. The worm sends out tweets with a goo.gl shortened URL link directed to a rogue antivirus application. The attack demonstrates once again how URL shortening can be a Pandora’s box as users click on links with no clue where they might lead.

A post on Naked Security by Sophos’ Graham Cluley describes the threat. “Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack,” adding, “A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google’s equivalent to bit.ly or tinyurl), which itself points to a URL ending with “m28sx.html”.

Attacks hiding behind shortened URLs are not new, and are also not technically challenging to execute. By their very nature, URL shortening services like goo.gl and bit.ly take cumbersome, long URLs and condense them down to a nice, short alias that can be used in its place. The concept makes it much easier to send some exceptionally long links, and is a necessity for a site like Twitter which caps messages at 140 characters.

Adam Wosotowsky, principal researcher at McAfee Labs, explains, “Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site.”

Wosotowsky elaborates, “As we stated in our 2011 Threat Predictions, we currently track and analyze–through multiple social media applications and all URL shortening services–more than 3,000 shortened URLs per minute. We see a growing number of these used for spam, scamming and other malicious purposes, and we expect to see shortened URL abuse invade all other forms of Internet communications.”

Shortened URLs provide attackers a simple, and commonly accepted means of obscuring malicious links. McAfee recommends using its proprietary URL shortening service–mcaf.ee. McAfee’s shortened URLs are scanned and filtered to weed out malware. Of course, you can’t really control what URL shortening service other people use to send links to you.

To avoid falling victim to Trojans, drive-by downloads, and other malicious attacks hiding behind innocent-looking shortened URLs, try using a tool like Tweetdeck that offers an option to reveal the full-length link behind the shortened URL before visiting it.