Updates at the foot of the post.
There’s a worm spreading rapidly across twitter. It appears to be a tweet with no text but just a URL. A twitter search highlights the extent of the problem.
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
The URL appears to be identical: http://goo.gl/R7f68 on every tweet but it’s highly likely that it will alter itself at some point.
What we’ve been able to learn is that the worm seems to be either creating or using a number of spam/newer accounts – that said a few influentials have also tweeted the URL. The results of the search only go back about 6 hours, so it hasn’t been around that long and appears to stem from mobile.twitter.com.
More interesting is this screenshot from a tool that lets you check the full URLs behind short ones. It apparently redirects to http://artcan-developpmement.fr/tw.html. Very odd.
Update: Nils Geylen posted the following in the comments section, highlighting that attackers look to have compromised a legitimate French furniture website and then loaded forwarding scripts to take users to a number of different malicious domains which look to serve malware:
http://artcan-developpement.fr (without the extra m: oppement instead of oppmement) is a regular French site selling design furniture of some sort. The bit after the slash of course redirects to various exe or php files on several other domains (e.g. detecproforyou.us/twit.php or robsearch.info/tre/sena.exe) then results in a 404 for that file. But at the source for that page and it’s empty. Tried this on a secondary Linux machine. Not sure what was supposed to happen.
Update 2: There are a number of tweets showing up in many users’ streams that are advertising the service Fllwrs, all links are cloaked using the Goo.gl domain shortener. The tweet read as follows:
Just found the easiest way to track who follows and unfollows you – http://goo.gl/kLE5M
We have spoken with the developers at Fllwrs and have been assured that the tweet was a by-product of code used for testing purposes and has now been resolved. The service is not malicious, it just sent out a lot of automated messages recommending people to use the service.
To do this, head into: Settings -> Connections -> Find the app and REVOKE ACCESS!