Twitter’s Sponsored Tweets Used For Credit Card Phishing


Malwarebytes finds a scam masquerading under the offer of Twitter verification

Twitter’s promoted tweet service has been used by cyber criminals to dupe its users into handing over login credentials and payment information as part of a credit card phishing scam.

Cyber security company Malwarebytes discovered that the phishing scam was hiding behind a promoted tweet from an account called Verified Accounts. The tweet claimed to offer the ‘blue tick’ verification that Twitter grants to some of its users, who either apply for ‘verified’ status or are given it by the social network.

The tweet directed users to a website that requested login details, then various personal information, and finally payment card details and contact information.

Twitter phishing

Malwarebytes noted that while there have previously been sponsored tweets that use attention-grabbing or sometimes misleading posts to encourage users to click on the link in the tweet, this is the first time it has observed the sponsored tweet service being used as a vector for phishing scams.

At the time of writing the account, @Verifed845, appears to still be up and running, which suggests that Twitter may not have a very robust method for vetting sponsored tweets.

TechWeekEurope has contacted Twitter for comment on the issue.

Christopher Boyd, malware intelligence analyst at Malwarebytes, highlighted that some users may be tricked by the Twitter phishing scam because they do not expect sponsored tweets to come from cyber criminals. He also noted that even people a little savvier about such scams could still be caught out.

“One of the things people tend to look out for when avoiding phishing scams is checking if the site is secure, on the basis that most phish pages are typically non-SSL. It’s always worth stressing that this aspect taken on its own, with no other potential phishy red flags considered, is NOT a magic bullet as there are some phish scams out there which are indeed touting a padlock,” he said, explaining that the scam site is served over SSL right up until the point at which it asks for payment.

“Whether links you see on Twitter are served up by friends, strangers, or even sponsored content placed there via Twitter itself, never take them for granted – the moment you see a site asking for login credentials and / or payment information, think very carefully about your next move,” Boyd added. “‘Trust, but verify’ has never seemed quite so relevant…”
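Boyd’s point is that a padlock on the landing page says nothing about where a form actually sends your data. A practical check is to look at each form that collects credentials or card details and see whether it submits over HTTPS and to the same host as the page. The script below is an added example for this article, not code from Malwarebytes or Twitter; the page URL, hostnames and HTML are constructed to mirror the pattern described above (a padlocked page whose payment step is not SSL).

```python
"""Audit forms on a landing page: which ones collect credentials or card
data, and do they submit over HTTPS to the same host?

Added example for this article (not Malwarebytes' or Twitter's code).
The URL and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings of input names that suggest sensitive data (heuristic only).
SENSITIVE = {
    "credential": ("password", "passwd", "login", "username", "email"),
    "payment": ("card", "ccnum", "cvv", "cvc", "expiry"),
}


class FormCollector(HTMLParser):
    """Record each <form>'s resolved action URL and its <input> fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            typ = (a.get("type") or "text").lower()
            self._current["fields"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(fields):
    """Return the set of sensitive data kinds a form's fields ask for."""
    kinds = set()
    for name, typ in fields:
        if typ == "password":
            kinds.add("credential")
        for kind, words in SENSITIVE.items():
            if any(w in name for w in words):
                kinds.add(kind)
    return kinds


def audit_forms(page_url, html):
    """Flag sensitive forms that post over plain HTTP or to another host."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).netloc
    findings = []
    for form in collector.forms:
        kinds = classify(form["fields"])
        if not kinds:
            continue  # nothing sensitive requested; ignore
        target = urlsplit(form["action"])
        flags = []
        if target.scheme != "https":
            flags.append("submits over plain HTTP")
        if target.netloc != page_host:
            flags.append("posts to a different host (%s)" % target.netloc)
        findings.append({"action": form["action"],
                         "collects": sorted(kinds), "flags": flags})
    return findings


# Constructed sample: the page itself is HTTPS (padlock shown), the login
# form stays on-site, but the payment form posts to a plain-HTTP host.
SAMPLE_URL = "https://verified-example.invalid/apply"
SAMPLE_HTML = """
<form action="/step2" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="http://pay.example.invalid/charge" method="post">
  <input name="cardnumber"><input name="expiry"><input name="cvv">
  <input name="phone">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f["action"], "collects", f["collects"], "flags", f["flags"])
```

The name matching is deliberately a heuristic: it will miss obfuscated field names and can over-match, so treat a clean result as “no obvious red flag”, not as proof the site is legitimate. The useful signal is the combination: a form asking for card data that leaves the padlocked origin is exactly the case Boyd describes.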

Phishing scams are nothing new, and people are becoming wiser to them, yet that has not stopped phishing from being reportedly responsible for the majority of data breaches, nor reduced the number of people who can be hit by a major scam.
