There's been a bit of an issue with promoted Tweets on Twitter in the last few days - well, one specific promoted Tweet at any rate - in the form of a rogue phish asking for login credentials and payment information.
What is a Promoted Tweet?
Promoted Tweets are ordinary Tweets purchased by advertisers who want to reach a wider group of users or to spark engagement from their existing followers. Promoted Tweets are clearly labeled as Promoted when an advertiser is paying for their placement on Twitter. In every other respect, Promoted Tweets act just like regular Tweets and can be retweeted, replied to, liked, and more.

All well and good. However:
Does Twitter really have no vetting for promoted tweets? This is a straight up phishing attempt. @Support #InfoSec pic.twitter.com/EaVhnXwb3K
— Izzy Galvez (@iglvzx) October 28, 2016

The promoted Tweet on display shows what appears to be a "Verified Accounts" feed, alongside the message
Get Verified. Go to goo(dot)gl/zuGHjg

The link did indeed lead to a phish, and we decided to take a look around. First, the stats:
Over 3 days, the Tweet was clicked by 812 people, with 97.4% of those hitting the link via Twitter's t.co redirect (in other words, directly from the sponsored Tweet). 644 visitors arrived via iPhone, with 534 hits coming from the US.
The phish itself (still live at time of writing) is located at
mobile-authentication(dot)000webhostapp(dot)com/welcome(dot)html
It focuses on the well-worn phish approach that is "Come and get yourself a nice blue tick on your profile":

Welcome to Twitter Verification

The second step of the phish asks for username, email address, company name, phone number and password, alongside some other bits and pieces such as whether or not the victim uses Twitter Ads and how many followers they have:

Hundreds of millions of people use Twitter to discover what's happening in the world. Twitter can help you connect with them and achieve meaningful results.
Being verified is more than a cool badge on your profile, it signifies authenticity and ensures the community that you are an official acount. [SIC]
The final step in the phish asks for card number, expiry date, security code, name, billing address, and contact email:
To prevent identity confusion, Twitter is now offering the "verification form". We're working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a [Tick] are the official accounts.

One of the things people tend to look out for when avoiding phishing scams is checking whether the site is secure, on the basis that most phish pages are typically non-SSL. It's always worth stressing that this aspect taken on its own, with no other potential phishy red flags considered, is NOT a magic bullet, as there are some phish scams out there which are indeed touting a padlock.
Sure enough, the phishing page actually is secure...
...for the first two pages, at least.
At the point where the site is asking for payment information, our browser flags the page as containing content which is not secure, which may help to steer at least a few victims away from disaster. Things aren't going to plan for Twitter right now, and the last thing the service needs is a bunch of phishing links served up via sponsored Tweets.
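The browser warning described above is a mixed-content check: an HTTPS page that submits a form to, or loads a script or image from, a plain http:// URL. The following is an added example (not code from the original post or from Malwarebytes) of the same check done offline over a constructed HTML snippet, so a defender can see exactly which elements on a page would trip that warning. The page URL and the HTML are invented for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch from, or submit to, another origin.
# A plain-http target on an HTTPS page is exactly what triggers a mixed-content warning.
URL_ATTRS = {
    "form": "action",
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url) pairs for every http:// reference on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        # Resolve relative references against the page URL so "//cdn/x.js"
        # and "/submit.php" are judged by the scheme they actually end up with.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))


def find_mixed_content(page_url, html):
    """Return the insecure references on an HTTPS page; a plain-http page
    cannot have mixed content, so it yields an empty list."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an HTTPS "payment" page whose form posts over plain HTTP
# and which pulls a logo over plain HTTP. Both are assumptions for this example.
SAMPLE_PAGE_URL = "https://verification-example.invalid/payment.html"
SAMPLE_HTML = """
<html><body>
<img src="http://verification-example.invalid/logo.png">
<script src="//verification-example.invalid/app.js"></script>
<form action="http://verification-example.invalid/submit.php" method="post">
  <input name="card_number"><input name="cvv"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure {tag}: {url}")
```

The form posting to http:// is the finding that matters most: even with a padlock on the page itself, the card details would leave the browser unencrypted, which is why browsers flag it where they do. The protocol-relative script reference resolves to https and is correctly left alone.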
Whether links you see on Twitter are served up by friends, strangers, or even sponsored content placed there via Twitter itself, never take them for granted - the moment you see a site asking for login credentials and / or payment information, think very carefully about your next move. "Trust, but verify" has never seemed quite so relevant...
Christopher Boyd (hat tip to Izzy Galvez)