"Who visits your Twitter profile" spam app brings week of chaos

“Who visits your Twitter profile” spam app brings week of chaos

Twitter spam has been around forever, and rogue apps asking for installs in return for a cool feature (to be more accurate, spamming your contacts) is a constant thorn in our Twittery sides. Over the weekend, we observed a new Twitter app doing the rounds and causing a lot of congestion on people’s timelines.

What is it?

We first noticed this when a number of my contacts using the #FBPE (follow back, pro Europe) hashtag to form networks and make new friends started spamming Tweets similar to the below:

hijacked contact

 Click to enlarge

The spam reads as follows:

Goooo!! Click for more information:

Who visits your Twitter profile

100% safe, 100% working

Click here, available for iOS and Android

Here’s another one:

another hijacked contact

Click to enlarge

Sign in and download this fantastic app – only available today

Regardless of the spam message used, all the tweets directed people to visit a website located at

checkvisitss(dot)tk

How does it spread?

People click the link and are presented with the below website:

Click to enlarge

There’s not a lot to do besides hitting the large “Connect with Twitter” button, and sure enough, doing just that will direct eager clickers to the app install page.

Click to enlarge

It says:

Authorize Recent Visits 24H to use your account?

This application will be able to:

Read tweets from your timeline

See who you follow and follow new people

Update your profile

Find Tweets for you

Will not be able to:

Access your Direct Messages

See your email address

See your Twitter password In other words, a fairly standard Twitter app permission list.

Tracking the spread

This could have been a bit of a disaster for those on the FBPE hashtag mentioned, which itself is being used to grow follower count and connect with like-minded individuals. Any app claiming to provide information about “profile views” in this situation could have resulted in an accelerated spread, though we doubt they were specifically targeted—it was spreading just fine elsewhere, as we’ll see.

Either way, those on the hashtag quickly figured out it was a scam and took steps to purge it:

app removed

One of the other primary drivers of these spam messages was the below message:

Touch the screen and enter the web – You can know who has visited your profile

This was still actually doing the rounds as of yesterday, with a little over 900 results in a simple browser search before it refused to load any more entries:

lots of spam

Click to enlarge

spam search

What damage can it do?

As with all things, that depends on the ultimate aim of the scammer. Some just want to spam their website; others will pop an advert or 12, and the worst of the bunch may try to have you download and run some malware. At the time of testing, all this seemed to do was promote the app across timelines and encourage more installs, so the main aggravation here is the knowledge that you installed something useless, and then started beaming said uselessness to all of your contacts. Not a great look, however you stack it.

How do I remove it?

Thankfully, this is an easy one to pull off. Head over to your Applications tab in Twitter via Settings and Privacy, and give your apps list a Spring clean:

app control

Click to enlarge

Some of the apps you may find there could be outdated or no longer updated; if that’s the case, remove them. You don’t want to end up in a situation such as this. Once you’re happy with the end result, simply save and go back to your homepage safe in the knowledge that you won’t be posting any more bad tweets (at least, not automated ones).

Elsewhere…

A similar number of campaigns were tracked and mapped out by Erin Gallagher, one of which was making use of the URL ultimasvisitass(dot)tk, with some amazing graphs mapped out across three days using Gephi, the open source visualization program. At the time of writing, some of the URLs in play don’t load and checkvisitss redirects to lasttvisitss(dot)tk which is fully functional and offering up an app install. All of the sites involved seem to be registered through a number of anonymous registration services so there’s no real way to figure out who’s behind this batch of app installs.

No matter how you come across these sites, we’d advise you not to bother giving these apps permission. The “See who visited you” routine has been around for years on Twitter and Tumblr, and going even further back to Myspace. In all cases, none of these things ever seem to work and only serve to annoy, spam ads, or offer surveys.

While it’s useful to find out who’s been on your page, it’s really not worth the effort involved in installing a spam app and alienating all of your visitors from wanting to interact with you.

Profile viewer apps offer much, but deliver little. Move your hand away from the Install button and go about your day. Your social media profile’s reputation will thank you for it.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.