Kaspersky Lab malware researcher Nicolas Brulez said the original "goo.gl" links in the Twitter messages redirect users to different domains serving an "m28sx.html" page. That page then redirects to a static domain under the Ukrainian top-level domain (.ua).
As if that were not enough, this domain redirects the user to another IP address which has been linked in the past to fake anti-virus distributions. "This IP address will then do the final redirection job, which leads to the actual Fake AV site," Brulez explained.
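To trace a chain like the one Brulez describes without rendering any of the pages in a browser, an analyst can resolve each hop by hand and record what kind of redirect it was. The Python tracer below is an added example, not code from the article or from Kaspersky. It follows both HTTP 3xx Location headers and HTML meta-refresh redirects (the "m28sx.html" hop is an HTML page, so an HTTP-only client would stop there), flags hops that land on a bare IP address, and stops on loops. The hostnames, status codes and responses are constructed to mirror the shape of the chain (short link, HTML page, static domain, bare IP, landing page) and are not the real infrastructure; the fetch function is pluggable so the same tracer can be run against a live chain from a sandbox.

```python
import re
from ipaddress import ip_address
from urllib.parse import urljoin, urlparse

# Matches <meta http-equiv="refresh" content="0;url=..."> (case-insensitive).
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def next_hop(url, status, headers, body):
    """Return the URL this response sends a browser to, or None if it is a final page."""
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    match = META_REFRESH.search(body or "")
    if match:
        return urljoin(url, match.group(1))
    return None


def is_bare_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def trace(start_url, fetch, max_hops=10):
    """Follow redirects from start_url without executing scripts.

    fetch(url) -> (status, headers, body) is supplied by the caller.
    Returns a list of (url, status, flags) tuples, one per hop, so an analyst
    can see where each redirect came from and what made it suspicious.
    """
    chain, seen, url = [], set(), start_url
    while url and len(chain) < max_hops:
        if url in seen:
            chain.append((url, None, ["loop"]))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        flags = []
        if is_bare_ip(url):
            flags.append("bare-ip")
        hop = next_hop(url, status, headers, body)
        if hop is not None and 200 <= status < 300:
            flags.append("html-redirect")  # 200 OK page that still bounces the visitor
        chain.append((url, status, flags))
        url = hop
    return chain


def landing_page(chain):
    """The last URL in a traced chain (the page the victim actually sees)."""
    return chain[-1][0] if chain else None


# Constructed responses (hypothetical hosts under .example, TEST-NET address 192.0.2.10)
# shaped like the article's chain: short link -> HTML page -> static domain -> IP -> Fake AV.
CONSTRUCTED_CHAIN = {
    "https://goo.gl/abc123": (301, {"Location": "http://lure-host.example/m28sx.html"}, ""),
    "http://lure-host.example/m28sx.html": (
        200,
        {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0;url=http://static-hop.example/"></head></html>',
    ),
    "http://static-hop.example/": (302, {"Location": "http://192.0.2.10/go"}, ""),
    "http://192.0.2.10/go": (302, {"Location": "http://fakeav-landing.example/scan.html"}, ""),
    "http://fakeav-landing.example/scan.html": (
        200,
        {"Content-Type": "text/html"},
        "<html><body>Warning: suspicious applications detected. Run a scan now.</body></html>",
    ),
}


def offline_fetch(url):
    """Stand-in for a real HTTP client; serves the constructed responses above."""
    return CONSTRUCTED_CHAIN.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop_url, status, flags in trace("https://goo.gl/abc123", offline_fetch):
        print(f"{status!s:>4}  {hop_url}  {' '.join(flags)}")
```

Against a live chain, replace offline_fetch with a client that sends a browser-like User-Agent and does not auto-follow redirects (for example urllib with a handler that returns 3xx responses instead of following them), since these redirectors often serve benign content to anything that does not look like a browser.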
Once a user's browser session is redirected to the malicious site, a warning message claims the computer is running suspicious applications and the user is encouraged to run a scan. As usual, the "scan" reports that the machine is infected with malicious threats, and the scam is to trick the user into downloading a fake disinfection tool, which is what actually infects the machine.