The payload uses an XSS vulnerability to steal Twitter cookies and transfer them to two servers (one of which is hosted in Brazil). The cookies are then used to hijack users’ sessions and post a message in Portuguese claiming that a member of a popular Brazilian pop band has been in a tragic accident.
Combining these clues with the knowledge that the two domains are registered under Brazilian names, it seems fair to assume that the attack originated in that country.
According to bit.ly’s statistics, one of the malicious shortened links in these messages has been clicked on more than 100,000 times, which means that there could be at least that many compromised accounts out there.
Fortunately, Twitter has already fixed the vulnerability.