Hackers are using auto-generated Twitter accounts that post links to current topics in a bid to spread scareware, say security researchers.

Experts at both F-Secure and Sophos said the latest Twitter attacks originated with malicious accounts registered by software.

The accounts, which use variable account and user names, supposedly represent US Twitter users. In some cases, the background wallpaper is customised for each account, yet another tactic to make the unwary think that a real person is responsible for the content.

Tweets from those accounts are also automatically generated, said Sean Sullivan, a security advisor with F-Secure. Some of the tweets exploit Twitter's current 'Trending Topics', the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets.

All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called 'scareware' because it fools users with sham infection warnings, then serves endless pop-ups until people pay £20 to £30 to buy the useless program.

"As fast as Twitter can shut down the accounts, [the scammers] create new accounts," said Sullivan.

"Somehow they're getting around the CAPTCHA [Completely Automated Public Turing Test to Tell Computers and Humans Apart], but how they're doing it, whether with a bot or by CAPTCHA farms, we don't know."

CAPTCHA is the technology that uses distorted, scrambled characters to block automated registration of accounts. The defense, however, has regularly been subverted by hacker-built software, or by humans who contract to decipher the characters manually.

"There's nothing cookie-cutter about these accounts," said Sullivan, who added that scareware scammers aren't afraid to spend money to make money.

There's a lot of the latter to be had. Last year, botnet researcher Joe Stewart of SecureWorks said there was evidence some hackers were making as much as $5m a year from scareware.

"A lot of these scareware campaigns don't last 24 hours," said Beth Jones, a threat researcher at Sophos. "By the time a [distribution] site is blocked, they've already moved on to something else."

The servers hosting the phony security software behind the Twitter attacks are located in Toronto, said Jones, who added that Sophos had been monitoring those systems since June.

Because the scareware tweets use a URL shortening service - as do most tweets to crowd as much as possible into Twitter's 140-character limit - it's impossible for users to tell exactly where the link will take them.

Jones suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination. Unfortunately, the scammers are using the Metamark shortening service; TweetDeck doesn't support previews for Metamark.

"Scammers are using Twitter because it's a new conduit for spreading their scareware," said Jones. "They go where the money is, which means where people are, and people are on Twitter."

Twitter has since deleted the machine-generated accounts spreading scareware, but some tweets with the same malicious URL were still available on the service.
