Twitter scam betrays users' lack of savvy

A new scam has successfully duped Twitter users into handing over their cell phone details.

Security firm Sophos is warning that a new scam is spreading virally on Twitter, and that a significant number of people have already fallen for it.

The Online Timer scam claims to measure how long users have spent on the Twitter Website. It spreads via seemingly innocuous Twitter messages along the lines of "I have spent 30 days, 14 hours on Twitter. How much have you? Find out here," followed by a shortened link to a malicious Website.

Anybody who clicks the link is directed to a Website that requests to connect to the user's Twitter account in order to measure their usage. The first thing it actually does, however, is post the same message in the user's feed, this time with a different and seemingly random time measurement, but with the same link.

Oblivious to this happening, the user is rewarded with a pop-up window that claims to show how many views the user's account has had. Again, the number appears to be random. By way of the main payload, a pop-up window then appears offering an IQ test, which it's claimed the user must complete to defeat spam and "verify you are not a bot." Upon completion of the quiz, users are requested to enter their cell phone number to receive further questions, although the small print says that users will be sent four text messages a week, at a cost of $2 each.

It's a clever scam that tiptoes effectively through the minefield of credulity. It's not hard to see why people would fall for it, although it's good to see that the savvy and urbane "Twitterites" perhaps aren't that much brighter than the grass-grazing Facebook multitude.

I've always had a quiet admiration for malware writers who manage to succeed. A good attack vector is a piece of pure wit, like a good joke; it manages to bypass our defenses and draw us in. Of course, if the malware is destructively malicious rather than just annoying, then my admiration is a little tempered.

The new Twitter malware follows a scam that works in a similar way, except offering a survey rather than a quiz. Another similar scam claimed to show who was stalking individuals. It's obvious that the same organization is behind each of the attacks.

In many ways, it's surprising it's taken so long for Twitter to be targeted like this. Because of the requirement to stick to 140 characters in each message, most people use URL shortening services. This leaves those clicking the link with absolutely no idea where they're going to end up (and most of us have learned to keep one eye on the status bar whenever we hover over any link).

Twitter is trying to combat this with its own link-shortening service, which claims to be safer. This checks URLs against a list of known malicious sites, and the full URL appears in Tweeted messages. However, it is clumsy and confusing to use. To generate a link, you have to precede the original link in your browser bar with the service's prefix, and it currently doesn't provide metrics to end users (that is, a measure of how many people have clicked the link). Thus, many people stick with rival services, the latter of which is offered by Google. It's possible to wrap one of those links in a Twitter link, but then the process of making a quick tweet becomes annoyingly protracted.

Additionally, Twitter relies on users to verify the authenticity of sites that want to "connect" to a user's account. As is becoming clear, users simply aren't scrupulous enough. Many simply don't care. On both Facebook and Twitter, users are encouraged to allow connections from trivial sites and applications as part of day-to-day use.

In short, users are a little too loose with what they link up with, but that helps the wheels of Twitter and Facebook keep rolling.

One would think the notification that a site wants to post on an individual's Twitter feed to be so important that it would be highlighted in red, and might be accompanied by the sound of sirens in case the individual is suddenly struck blind. Alas, that's not the case. The exact phrasing is this: "The application would like the ability to access and update your data on Twitter." It's not even made explicitly clear that the app might post messages.

At the present time it appears the scam no longer works; either the malicious Website is offline, or clicking through to allow permission for connection causes Twitter to explain that the required token is no longer valid.

However, should you find yourself hit with this malware or something similar, the first step is to remove the connection. You can do this by visiting Twitter, clicking on your username at the top right, and then clicking the Settings link.

On the page that appears, click the Connections tab and find the app in the list. Then click the Revoke Access button.

You can prune your Twitter feed of the malware messages by going to your list of Tweets (click Home and then the Your Tweets link), and hovering the mouse over the message until a Delete option appears. Run a full virus scan just in case, and while that's completing, it might be a good idea to tweet that you've been infected, but that everything is now cleaned up.

Keir Thomas has been making known his opinion about computing since the last century. His latest Kindle ebooks have just gone on sale. You can learn more about him at his website. His Twitter feed is @keirthomas.
