The malicious webserver is probably redirecting the Twitter crawler based on its user-agent to CNN, and Twitter's redirect-busting is helpfully pulling in the "final" destination.