Avoid: "I just hacked my friend's account" Twitter spam

Promoted Tweet leads to credit card phishing

There’s been a bit of an issue with promoted Tweets on Twitter in the last few days – well, one specific promoted Tweet at any rate – in the form of a rogue phish asking for login credentials and payment information.

What is a Promoted Tweet?

From the FAQ:

All well and good. However:

Get Verified

The promoted Tweet on display shows what appears to be a “Verified Accounts” feed, alongside the message

The link did indeed lead to a phish, and we decided to take a look around. First, the stats:

Phish link stats

Over 3 days, the Tweet was clicked by 812 people, with 97.4% of those hitting the link via Twitter’s t.co redirect (in other words, directly from the sponsored Tweet). 644 visitors arrived via iPhone, with 534 hits coming from the US.

The phish itself (still live at time of writing) is located at

mobile-authentication(dot)000webhostapp(dot)com/welcome(dot)html

It focuses on the well worn phish approach that is “Come and get yourself a nice blue tick on your profile”:

The second step of the phish asks for username, email address, company name, phone number and password, alongside some other bits and pieces such as whether or not the victim uses Twitter Ads and how many followers they have:

Phishy antics

The final step in the phish asks for card number, expiry date, security code, name, billing address, and contact email:

Phishing for cards

One of the things people tend to look out for when avoiding phishing scams is checking if the site is secure, on the basis that most phish pages are typically non SSL. It’s always worth stressing that this aspect taken on its own, with no other potential phishy red flags considered, is NOT a magic bullet as there are some phish scams out there which are indeed touting a padlock.

Sure enough, the phishing page actually is secure…

padlock

…for the first two pages, at least.

no padlock

At the point where the site is asking for payment information, our browser flags the page as containing content which is not secure, which may help to steer at least a few victims away from disaster. Things aren’t going to plan for Twitter right now, and the last thing the service needs is a bunch of phishing links served up via sponsored Tweets.

Whether links you see on Twitter are served up by friends, strangers, or even sponsored content placed there via Twitter itself, never take them for granted – the moment you see a site asking for login credentials and / or payment information, think very carefully about your next move. “Trust, but verify” has never seemed quite so relevant…

Christopher Boyd (hat tip to Izzy Galvez)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.