Latest Celeb Media Hack Leads to Potential Scam, PUP


As you may have already seen in the news, Jennifer Lawrence, Rihanna, and Kate Upton were just a few of the latest A-list celebrities who were hacked and had their private images and videos leaked to the public.

Users took to Twitter in reaction to this, and the #IfMyPhoneGotHacked hashtag was created and then became a worldwide trend. We’ve waded through the seemingly endless stream of tweets and found these types of posts that may be deemed risky:

(1) The “Increase your followers!” post. These tweets use text images to spell out “Followers” and other text related to spammy posts in the past that advertise the selling of Twitter accounts to increase one’s follower count.

“Hear ye, hear ye! Click this link to get more followers!”

The shortened URL may look the same, but each time one visits it, he/she is directed to a different URL, though the pages look similar to one another (BTW, the post marketing free Instagram followers led to a YouTube page that has long been taken down). Below are sample screenshots:

Clicking the big, red “Buy Now!” button redirects users to the page below, which asks for an email address and a link to have the transaction paid via PayPal.

I see a typo and several too-good-to-be-true claims. Red flags, anyone?

Clicking other buttons at the left sidebar of the default page leads to another page asking for a Twitter user name and email address.

Although we can’t see a way the group or individual behind these campaigns can swipe PayPal details, the combination of Twitter username and email address can be used by anyone to reset the password of an account if said account doesn’t have two-factor authentication enabled. On top of this, there is also no guarantee that the Twitter followers bought are not bots. We generally don’t condone the practice of buying accounts as it’s highly risky.

(2) The fake “link to headline” post. Here’s an example:

Bots galore!

They look like broken headlines with a link to their continuation, which we normally see from legitimate Twitter users every now and then. Once users click any of the links, however, they see this:

A suspicious FLV Player download

It seems numerous files are being offered up in rotation, and we detect the ones we’ve seen so far as a variant of PUP.Optional.Somoto. Somoto potentially unwanted programs (PUPs) are known to bundle third-party toolbars and hijack browsers.

One of our researchers visited one of the download links and he was directed to a page pretending to be from a legitimate adult website, which looks like this:

Adddveer site pretending to be Porn Hamster

Once users click the “OK” button, they are then prompted to download and install a fake Flash Player for the Firefox browser as an add-on.

The fake Flash Player Firefox browser add-on

We’ve reported the adddveer site and other nasty domains we found during the course of our investigation to their ISP, and they have been taken offline.

Bad guys know movie fans love a splash of celebrity controversy, and it’s a hot button opportunity they’ll likely keep pressing. We’ve seen it happen again today. Dear Reader, when you follow a hot feed on Twitter, please take extra care when clicking links.
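For defenders, the two behaviours described above (a shortened URL that lands somewhere different on each visit, and links that serve files in rotation) can be spotted in web proxy logs. The sketch below is an added example, not code from the original post; the log format, hostnames and content types are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed proxy log, not real traffic. Fields: visit id, requested URL,
# HTTP status, Location header ("-" if none), response Content-Type.
SAMPLE_LOG = """\
v1 http://sho.rt.example/aB3 301 http://followers-a.test/buy -
v1 http://followers-a.test/buy 200 - text/html
v2 http://sho.rt.example/aB3 301 http://followers-b.test/buy -
v2 http://followers-b.test/buy 200 - text/html
v3 http://sho.rt.example/Zq9 302 http://player-dl.test/get -
v3 http://player-dl.test/get 200 - application/x-msdownload
v4 http://sho.rt.example/Zq9 302 http://player-dl2.test/get -
v4 http://player-dl2.test/get 200 - application/octet-stream
v5 http://sho.rt.example/N0k 301 http://news.test/story -
v6 http://sho.rt.example/N0k 301 http://news.test/story -
v5 http://news.test/story 200 - text/html
v6 http://news.test/story 200 - text/html
"""
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}

def landings(log_text):
    """Follow each visit's redirect chain: {entry_url: [(host, ctype), ...]}."""
    hops = defaultdict(dict)  # visit -> {url: (status, location, ctype)}
    for line in log_text.splitlines():
        visit, url, status, location, ctype = line.split()
        hops[visit][url] = (int(status), location, ctype)
    out = defaultdict(list)
    for chain in hops.values():
        first = url = next(iter(chain))  # first logged request = clicked link
        seen = set()                     # guards against redirect loops
        while url in chain and url not in seen:
            seen.add(url)
            status, location, ctype = chain[url]
            if 300 <= status < 400 and location != "-":
                url = location
            else:
                out[first].append((urlsplit(url).hostname, ctype))
                break
    return out

def flag_links(log_text):
    """Return {entry_url: [reasons]} for links worth reviewing or blocking."""
    flagged = {}
    for link, ends in landings(log_text).items():
        checks = {"binary-download": any(c in BINARY_TYPES for _, c in ends),
                  "rotating-destination": len({h for h, _ in ends}) > 1}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            flagged[link] = reasons
    return flagged
```

Both signals are prompts for review rather than verdicts: legitimate services also rotate destinations for load balancing, and `application/octet-stream` is a generic type.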

Jovi Umawing (Thanks to Steven Burn for additional analysis)

