Researchers at Proofpoint have discovered that malvertising has now gone social, moving onto Twitter. The firm has documented an attack that starts by posting a fake video onto a feed in a Twittercard.
If the client IP address is known, clicking on that opens a fake video on YouTube. If it is unknown, a scam adult social network is opened instead. The user is then prompted to install a Chrome Extension to called Mapi Geni. A webinject is downloaded, and when a user logs in it sends credentials to a remote server.
The attack is taking advantage of the fact that users perceive Twittercards to be verified, and therefore their contents are deemed legitimate and safe. The same goes for apps downloaded from the Chrome Webstore. It is hard to spot as users are able to login unimpeded, unlike with credential phishing attacks.
Proofpoint says that "While the immediate goal is to steal the Facebook credentials of the targeted user, the fact that the webinject is downloaded from a remote server means that it could be changed at any time to perform other actions."