Another worm is making the rounds on Twitter via the goo.gl URL shortening service, often directing users to fake anti-virus software.
Affected users might notice mysterious tweets that they did not write showing up on their feeds, many of which include goo.gl links that end with “m28sx.html.”
“Although most affected Twitter users appear to be oblivious to what has occurred, a few have noticed the messages, and suspected a security breach,” Sophos’s Graham Cluley wrote in a blog post.
If you click on one of these links, you are taken to a Web site that claims your computer is infected with a virus. The site urges you to download what it calls anti-virus protection, which is actually malicious code.
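Because the tweets carry shortened links, the landing page is only visible after the redirect chain is resolved. The following is an added example, not code from the article or from Sophos or Twitter: it expands each link hop by hop without rendering any page, caps the number of hops, detects redirect loops, and flags links whose final path ends in the “m28sx.html” indicator mentioned above. The tweets and the redirect map are constructed for the example; a live version would replace `fake_fetch_location` with a HEAD request issued with automatic redirect-following disabled, reading the `Location` header.

```python
import re
from urllib.parse import urlparse

# Indicator reported for this worm: landing pages end in "m28sx.html".
IOC_SUFFIX = "m28sx.html"
MAX_HOPS = 5

# Constructed redirect map standing in for live HTTP responses (assumption:
# a real resolver would send HEAD with redirects disabled and read Location).
FAKE_REDIRECTS = {
    "http://goo.gl/abc12": "http://example-redirector.invalid/go?id=7",
    "http://example-redirector.invalid/go?id=7": "http://landing.invalid/m28sx.html",
    "http://goo.gl/clean1": "http://example.invalid/blog/post",
    "http://goo.gl/loopA": "http://goo.gl/loopB",
    "http://goo.gl/loopB": "http://goo.gl/loopA",
}

# Constructed sample tweets; the second carries a benign short link,
# the third loops, the fourth points at the indicator directly.
SAMPLE_TWEETS = [
    "lol check this out http://goo.gl/abc12",
    "new post up http://goo.gl/clean1",
    "weird http://goo.gl/loopA",
    "direct link http://landing.invalid/m28sx.html",
]

URL_RE = re.compile(r"https?://\S+")


def fake_fetch_location(url):
    """Return the Location header a HEAD request would get, or None if no redirect."""
    return FAKE_REDIRECTS.get(url)


def expand(url, fetch_location=fake_fetch_location, max_hops=MAX_HOPS):
    """Follow redirects hop by hop without fetching page bodies.

    Returns (chain, truncated): chain is every URL visited in order,
    truncated is True if the hop cap was hit or a loop was detected.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, False            # final landing URL reached
        if nxt in seen:
            return chain + [nxt], True     # redirect loop
        seen.add(nxt)
        chain.append(nxt)
    return chain, True                     # gave up after max_hops


def scan_tweets(tweets, fetch_location=fake_fetch_location):
    """Return (short_url, landing_url) for every link that lands on the indicator."""
    hits = []
    for tweet in tweets:
        for url in URL_RE.findall(tweet):
            url = url.rstrip(".,)")        # strip trailing punctuation from the tweet
            chain, _truncated = expand(url, fetch_location)
            if urlparse(chain[-1]).path.endswith(IOC_SUFFIX):
                hits.append((url, chain[-1]))
    return hits


if __name__ == "__main__":
    for short, landing in scan_tweets(SAMPLE_TWEETS):
        print(f"FLAG {short} -> {landing}")
```

Expanding links server-side rather than in a browser matters here: the landing page is the fake anti-virus pitch, and the goal is to identify it without loading it. Loop detection and the hop cap keep the resolver from being tied up by a redirector that bounces indefinitely.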
Del Harvey, head of Twitter’s trust and safety efforts, tweeted yesterday that the company was “working to remove the malware links and reset passwords on compromised accounts.”
When asked how this attack happened, Harvey said it “looks to be folks who got phished in the last round but whose accounts weren’t used to attack others.”
A similar goo.gl worm popped up on Twitter in early December.
Cluley said that what “isn’t yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen.”
“It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately,” Cluley suggested.
Brulez posted more technical details on his blog.
On Thursday, Trapster warned users that its username and password database had been compromised, affecting over 10 million users. Customers who used the same password for Trapster and other sites should change them immediately, the site said.
Harvey tweeted the Trapster warning on her feed, but said she was just doing so to make sure “that others know they should change their passwords if they belonged.”