“See who visits your Twitter Profile” Spam: Blink and you’ll miss it

Maybe this spambot was watching Blade Runner and took note of that whole “burning twice as bright” thing, because the Bot’s brief lifespan was punctuated by a handful of high volume retweets claiming to reveal who had viewed your Twitter profile.

Here’s one we saw – note the retweet tally.

Check who visits your Twitter profile - here

I’m not even going to attempt to replicate the Emoji frenzy.

The goo.gl URL, created today, takes curious Twits to a page which has already received 17,857+ clicks at time of writing.

Additional stats: 7,916 visits from Macs, 6,381 from iPhone, 1,555 from Android and only 961 from Windows. The bulk of the visits came from the US, with 13,406 people eager to see who is checking out their Twitter page.

The shortened URL leads visitors to

papelgames(dot)tk/redirect(dot)php

which wants them to authorize a Twitter app:

Authorize App

The App can read tweets, see who you follow and follow new people, update your profile and post tweets.

It cannot access direct messages or see your Twitter password. In other words, the usual Twitter app permissions.

Right after authorizing the app – called Tips_Twit_Settings – you’re sent to a final webpage located at

livedirsetsoftware(dot)com

Executable download

which offers up an executable called “See Who Is” from yet another domain.

The file, which is still being looked at, appears to be a bundle of ad supported software.

As for the spam account itself, it exhibited some peculiar behaviour while trying to evade the Twitter banhammer – specifically, sending out Tweets advertising the app and deleting them shortly afterwards. Here are two which left the building almost as quickly as they arrived:

You’ll notice both messages have a huge number of retweets considering it’s a throwaway account (2,000+ for each tweet), all of which arrived in a very short space of time. Either the account had a huge network of accounts standing by to retweet these posts, or people just really like the idea of seeing who visits their Twitter profile.

Either way, these Tweets didn’t stay live for long and they were deleted shortly afterwards. In fact, we suspect the Bot started to feel a little desperate towards the end:

Uh oh...

…yeah, nobody is buying it. And so we wave farewell to a short-lived yet dynamic spambot as the account marches toward oblivion (and an account suspension):

Suspended

Goodnight, sweet prince.

If you’re unsure about an App you’ve granted permission to, follow these steps to revoke access.

It’s good practice to avoid anything on social media which claims to reveal “who visited what”, because more often than not you’re only a few clicks away from installs or surveys. Indeed, it’s consistently been one of the most popular forms of bait on everything from Facebook to Tumblr – not forgetting Myspace – down the years. One would be forgiven for steering clear of Tweets claiming to do the same thing – especially when being pushed in such “Now you see it, now you don’t” fashion by flatlining Spambots.

Take our advice – worrying over who visits your profiles isn’t worth the time and trouble of dealing with install daisychains you never asked for.

Christopher Boyd (Thanks to Andrew for additional information)
