Twitter worm hits goo.gl, redirects to fake anti-virus

Kaspersky Lab malware researcher Nicolas Brulez said the original “goo.gl” links in the Twitter messages are redirecting users to different domains with a “m28sx.html” page.  That page then redirects to a static domain with a Ukrainian top level address.

As if it was not enough, this domain redirects the user to another IP address which has been linked in the past to fake anti-virus distributions.  ”This IP address will then do the final redirection job, which leads to the actual Fake AV site,” Brulez explained.

Once a user’s browser session is redirected to the malicious site, a warning message claims the computer is running suspicious applications and the user is encouraged to run a scan.  As usual, the result is that the machine is infected with malicious threats and the scam is to trick the user into downloading a fake disinfection tool.

Source: ZDNet.com