A Twitter phishing scheme is spreading its wings, as the previous couple of phishing domains used by this scheme late last week have been taken down. So its operators have decided to put up multiple effective domains. Here are a couple of things to look for.

When you are using a browser like Google Chrome and you are visit twitter.com, the browser displays a green url indicator that the domain has been verified by an extended SSL CA. Now, with the CA breaches that we've seen in the past year (the Diginotar breach report was finalized this past week), that may not mean everything. But, in this case, here is how you might verify that you are using the legitimate twitter site:

This Direct Message attracts phish with a dramatic notice: "Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here". There are a handful of messages in use, as the GFI guys mentioned here last week.

If you were to click on that bit.ly shortened link, your browser will be redirected through a click tracking service:
hXXp://client1.gtisolutions.co.uk/track?type=click=|||hXXp:// tivvtter.com/r1?zcms
And on to the unverified, carefully selected domain. At first glance, this one almost looks like the twitter domain itself:

Do not enter your username and password at this site. Also, there are at least a half dozen other domains that look fairly close to "twitter.com", like this one. These guys are using all of them with the same page and graphics to tempt you into entering your credentials. This theft can be a risk if you re-use your passwords across accounts. Also, there is often other personal information within these twitter accounts, like the user's email address used to create the Twitter account. So please keep an eye out for this sort of play on word recognition-domains.

I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.

Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.

    There is a bot activity in Twitter and at the moment is related to the new followers gaining only. What is happening is “profile me” bot is exploring all Twitpic hosted pictures replying to the authors with the same text phrase:

The bot started working on Friday, Dec 23 at 9 pm (GMT -05:00) with the highest peak on Saturday, 3 am the same GMT zone with 0.19% of all Twitter traffic.

In spite of the bot being used to gain followers and to promote porno content via bio user information, potentially it could be used for any other malicious purpose – like malware spreading via adding additional short URLs to the twits.

We’re monitoring it.

BARCELONA -- The annual Virus Bulletin conference kicks off here tomorrow with anti-malware researchers discussing a wide range of important issues facing the industry.

Researchers from Kaspersky Lab will have a major presence at the conference this year -- nine speaker slots! -- with talks on the cyber-crime underground, mobile (Android) malware, web application security and social network threats.

I'd like to call attention to a few of the important Kaspersky Lab presentations:

It seems I’m not doing anything other than write about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.

Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which is distributed is in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.

As with the other cases we have seen, the user is tricked into executing a JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be blacklisted.

We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users’ profiles, you see the following:

Translation: Wow, it really works! Find out who is viewing your profile!

The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here’s what it looks like:

Basically, there are 2 steps.

• The first one is to copy a Javascript code using CTRL+C
• The second is to visit Facebook.com, paste the Javascript in your address bar and press “Enter”.

Continuing our investigation on the Osama's death campaign, we were especially concerned about the potential distribution of malware on social networks, because of their speed of propagation. So we have been monitoring Twitter, getting some million tweets and a huge number of URLs too. No surprise here as during the last 24 hours the average was 4.000 tweets per second related to this topic. Here you can see how even Internet traffic was affected.

Analyzing these URLs, we found some interesting stuff.

The first one is a Facebook scam campaign posing as Osama's death video: