When we analyzed a few Twitter followers of one of our websites, we noticed a user that was following us; see the image:
We analyzed the follower's website, which turned out to be infected:
www (dot) wordpress-how-to-videos (dot) com
The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 126.96.36.199 (330.hostserv.eu). The server is located in Switzerland (CH) and hosts no other websites. The domain is registered under the .com suffix and its keyword is wordpress-how-to-videos. The organization is hosttech GmbH.
The website is used to redirect visitors to a malicious URL that tries to exploit the user's browser with a Java exploit, as you can see in this image:
The malicious redirect is triggered only when the visitor arrives with a Referer header that contains the name of a search engine, such as Google; a direct visit (including one from an analyst who opens the page by hand) shows the ordinary page. Using the free HTML Sniffer service we can simulate the Google referer, and we are then redirected to the exploit URL:
The exploit URL changes very frequently; we observed both of the following:
garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8
Both malicious URLs are hosted on the same IP address, shown here:
The Java exploit itself is loaded from yet another malicious URL:
ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg
Be careful when clicking on the websites of your Twitter followers!