Twitter spam campaign leads to computer-hijacking rogue AV

Malicious shortened goo.gl links and compromised accounts are once again used to lure users to pages that will ultimately harm their computer.

A message saying “a very good antivirus” and offering the malicious link has been spotted on many apparently compromised accounts and some that have been opened for the explicit purpose of spamming.

PandaLabs researchers warn that a click on the link takes potential victims to a fake “security alert” page customized to correspond to the legitimate one, depending on the users’ browser. Here is how it looks like for Firefox users:

If you fall for the ruse and click on the “Start Protection” button, you will be asked to install a file named Setup.exe, which is actually the well-known ThinkPoint rogue AV solution.

After it has restarted the computer, ThinkPoint loads a fake “Scan results” screen that will try to convince you that you computer is infected and that buying a “full version with required modules” will solve these problems.

The main problem with ThinkPoint is that it prevents the victim from accessing his desktop – effectively locking him out of the computer until he pays up. But, there is a simple trick that will allow you to bypass this restriction. Simply go to the settings menu of the rogue AV software, and choose the “Allow unprotected startup” option. After that, you should simply install an anti-malware solution and remove the malicious program.