Twitter accounts have been hijacked to send out links directing to a fake anti-virus website without the account user's permission.

Sophos reported that a search on Twitter reveals many tweets without a message but with a Google shortened link which leads to a URL ending with m28sx.ntml.

The link actually leads to a website that scares users into downloading their malicious code masquerading as anti-virus software.

Kaspersky Lab expert Nicolas Brulez confirmed the same stating that the new Twitter worm is spreading fast, using the goo.gl URL shortening service to distribute malicious links. The fake links go through multiple redirections to finally land the user to a proxy anti-virus site.

Sophos also points out that Twitter account users' password and username would have been compromised for the malicious link to be tweeted from the accounts.

In its Security Threat report 2011, Sophos said that fake anti-virus, also known as scareware or rogueware, was one of the most persistent threats in 2010. Under this form, the malware is planted on a victim's system, camouflaged as a genuine security solution. Once installed the user is served warnings that the system is infected and the victim is asked to cough up money to pay for the full version of the software. However, in many cases they siphon off the credit card details from the system once paid.

In 2010 Twitter was targeted with a cross-site scripting vulnerability that allowed links to be posted with embedded JavaScript code known as onMouseOver. It displayed pop-ups and third-party sites when a user merely hovered over a link without even clicking on it. Hackers used this for pranks and in some cases with malicious intent.