Be careful when you open that Twitter Direct Message suggesting you've been caught in a Facebook video. It could contain links to a nasty surprise in the form of malware.
Specifically, one of the messages says, "your in this" and has a link to a Facebook video. Another message that works to accomplish the same goal says, "you even see him taping you...that's awful" with a link to the video.
"Users who click on the link are greeted with what appears to be a video player and a warning message that 'An update to Youtube player is needed.' The Web page continues to claim that it will install an update to Flash Player 10.1 onto your computer," said Graham Cluley, a senior analyst at Sophos.
Where's the Compromise?
Cluley said potential victims are invited to download a program called FlashPlayerV10.1.57.108.exe. He described it as a backdoor Trojan that can also copy itself to accessible drives and network shares.
"Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't clear, but the attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," Cluley said.
"If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password -- make sure it is something unique, hard-to-guess and hard-to-crack -- and revoke permissions of any suspicious applications that have access to your account."
Rob Enderle, principal analyst at the Enderle Group, said the issue boils down to trust.
"What happens is you get a note from somebody that you trust and you believe the note is from them. Often since you are using Twitter and you are multitasking, you click on it before you fully realize that it is likely malware. The damage, of course, is already done," Enderle told us.
Even though he knows better, Enderle admits that he sometimes clicks links he shouldn't. His security programs tend to catch the malware and rid his computer of it. His advice: If you get a message from a company that should know you and it opens with a formal greeting without your name, don't read it because chances are it's malware.
"The malware writers are social engineering," he said. "They recognize that we are all pressed with many things and we are conditioned to trust certain people. If we see something questionable from somebody we trust, we are still likely to trust it, particularly if we are multitasking."