IE 11 is not supported. For an optimal experience visit our site on another browser.

Twitter worm leads users to fake and malicious site

A nasty worm on Twitter preys on users who click on a shortened link that takes them to a fake anti-virus site for "Security Shield" software. Once there, the aim is to get users to download what is billed as anti-virus protection, but is really malicious code.

If this seems like deja vu, it is: the same worm appeared early last month on Twitter, the short-messaging blog where posts are limited to 140 characters, and website URLs are often shortened to help reduce character count. The worm is using Google's URL shortener, "" to entrap users.

"If you make the mistake of clicking on one of the malicious links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer," writes Sophos' Graham Clueley on the security software company's blog.  "You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems."

Clueley wrote that it "isn't yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen.

"It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting links to change their passwords immediately," the same advice Twitter itself is offering.

"We're working to remove the malware links and reset passwords on compromised accounts," tweeted Del Harvey, of Twitter's Trust & Safety team.

Adam Wosotowsky, principal researcher at McAfee Labs, said in an e-mail statement, "The fake antivirus attack is not new, and is fairly simple to execute. The attack is most likely a Trojan that began by phishing." 

Shortened URL sites, he said, "are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."

In short: For now, avoid clicking on that shortened link if it shows up in your Twitter feed.

"In general, please use caution when clicking on links," Twitter advises on its Help Center page. "If you click on a link and find yourself unexpectedly on a page that resembles the Twitter login page, don't give up your username and password! Just type in into your browser bar and log in directly from the Twitter homepage."