
    Archive for May 28th, 2009




    As many as 13,000 Twitter users have been affected by a new “worm-like” phishing attack that feeds on some members’ desire to gain more followers. The scam dupes users into handing over their account names and passwords through a Web site called “Twittercut.”

    Twitter users may see the following tweet in their stream:

    Post from affected user

    When they click on the link, they are redirected to a fraudulent Twitter Web site that asks them for their account name and password. Once the needed login details are entered, the site sends similar messages to all of the affected users’ followers, along with links to a paid dating service.

    The messages are said to have started from an account called @twittercut, which had been disabled. But then the tweets continued to come, this time from a new account called @tweetcut. The latter is now also inoperative.

    The site operators at TwitterCut denied phishing allegations and announced that they were shutting the site down.

    “According to several social network blog sites, TwitterCut has been the bud of several rumors,” they said in a message on their site. “Our website and its programmers can assure you that these rumors are not true and that TwitterCut is simply a Twitter train that was a work in progress!”

    Twitter acknowledged the problem with a post on its status page Tuesday night. “We are currently pushing a password reset on accounts we believe may have been caught in a phishing scam,” said the company. “Please exercise your best judgement when thinking about releasing your username and password to third parties.”
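A check that a user-facing tool or URL filter can apply before credentials are typed into a page that only looks like Twitter, shown here as an added example that is not part of the original post. The trusted domain, the brand tokens and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "twitter.com"       # assumption: only domain allowed to receive the login
BRAND_TOKENS = ("twitter", "tweet")  # assumption: strings a lure borrows from the brand


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a login-page URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname        # drops userinfo and port, lowercases the name
    except ValueError:               # e.g. a malformed IPv6 literal
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    host = host.rstrip(".")          # "twitter.com." names the same host
    # Exact match or a true subdomain; "nottwitter.com" must not pass.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Brand text in an untrusted host name or in the userinfo part is the lure.
    lure = host + " " + (parts.username or "").lower()
    if any(token in lure for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed sample URLs (not taken from the incident).
SAMPLES = [
    "https://twitter.com/login",
    "HTTPS://Twitter.COM:443/login",
    "http://twittercut.example/login",
    "https://twitter.com.login.example/session",
    "http://twitter.com@login.example/",
    "https://nottwitter.com/",
    "https://news.example/article",
]


def triage(urls):
    """Map each URL to its verdict."""
    return {u: classify_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```
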

     



    We might not be experts on how to express special feelings for someone, but we know sending them messages that lead to TV channel advertisements ain’t one of the ways to do it.


    The message indicates that the recipient has a secret admirer and he/she has provided a profile for the recipient to view.

    Below is a screen shot of the ecard website:


    The link provided uses TinyURL, which redirects the user through several random sites before finally showing the actual website. The funny thing is, there is no profile, just an advertisement.

    The website promotes software that lets users watch 1,000+ live TV channels around the world for a one-time payment. Once the user attempts to close the window of the site, a message box appears and an agent starts “chatting” with the user about the company’s product, offering discounts to get them to take the offer.

    The spam message is already blocked through the Smart Protection Network.

     



    Spam mails are very annoying, so we turn to spam filters to avoid ending up with an inbox flooded with them. Unfortunately, one “anti-spam filter” we’ve encountered isn’t driving junk out, but letting it in.

    We have received an email message claiming that it is from Webmail Support. It is posing as a security announcement and states that the recipient’s mail server is sending out spam because it is infected by a virus that could contaminate their contacts and other users of the network.

    To correct this, it recommends that the recipient download and install an anti-spam filter and then scan their computer so that their email account will not be blocked.


    The message was in Portuguese and is roughly translated to English as:

    Security Announcement

    Dear user, I found that your mail server is automatically sending messages known as SPAM, contaminating your contacts and other users of the network with the Virus 32/Fbd, it sends false messages to e-mail servers.

    We recommend the installation of the system Antispam, that it be corrected. Otherwise, the provider of WebMail will be given the right to block all of your e-mail account. Grateful for the attention!

    Download Program Antispam filtering below and do a scan on your computer.
    http://{BLOCKED}/suporte/suporte-email/spam

    Regards,
    Protection of the Webmail service.

    * Message for automatic spam filtering. You need not answer it

    However, clicking the given link triggers the download of a malicious file instead.


    The downloaded file is detected as TROJ_DLOADER.MCS. TROJ_DLOADER.MCS drops TSPY_KEYSPY.S which logs keystrokes on the affected system, then sends all gathered information to a remote user. Successful execution of the mentioned routines could lead to the compromise of the affected system, and loss of critical information.

    The Trend Micro Smart Protection Network provides complete protection from this attack, as all three of its components (spam, malicious URL, and malicious files) are already blocked or detected.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice