How Twitter spam steals from Google, Yahoo!

Filed Under: Social networks, Spam, Twitter

Scammers have been devising ways to ride on someone else's coattails since the dawn of time. With every new technology they find another way to make money from nothing. Today I am going to highlight a method that involves Twitter, Yahoo!, and Google AdSense.

I was innocently monitoring my Twitter feed last night when I saw someone tweet "Sophos acquires anti-spam specialist ActiveState.: An article from: Software Industry Report hxxp://censored". Interesting... I used to work at ActiveState and know we were acquired in 2003. Something was fishy.
Screenshot of tweet

Twitter profile pic

Of course I have nothing better to do on Friday nights, so I decided to look into this a little deeper. First I looked into the profile of the person sending these tweets, and it immediately became obvious it was a Twitter bot of some sort. Picture of a sexy girl, profile name that sounded like a company, and real name of Jack Nellsan. 10,525 tweets as of today, all beginning February 4th. That's 376 tweets per day... an awful lot. Even more concerning is that nearly 1,300 people are following it.
Twitter profile information

Fortunately the site that all of its links point to does not contain malware. The links lead to a blog operating on WordPress using a plugin called Post to Twitter. That explains the very large number of tweets, as any post to the WordPress blog will auto-generate a tweet that looks legitimate. The next questions were where was it getting the content, and why? It seemed unlikely someone was posting 376 articles every day in large bursts at 40-minute intervals.

From my research and analysis of the site contents, it became clear the site was automatically scraping posts and comments from Yahoo! Answers and merging them into WordPress. It appears that the content may be coming from a few other sites as well, but nearly all of it is from Yahoo!.

Screenshot of scam blog

Why go to such elaborate measures? The site was created to generate traffic for Google AdSense. With more than 1,000 followers on Twitter and a little bit of SEO, you can generate a lot of traffic and a bit of cash. You could argue I am jealous of the followers (I only have 596), but the real reason I am writing this is to try and provide insight into the ease with which thieves can game the system.

There is no reason the operator of this site couldn't include other affiliate schemes, malware, or redirects to other pay-per-click services. Because of the legitimate appearance of the blog, users seeking answers they would find on Yahoo! Answers may visit these manipulated sites and contribute to the problem.

It's very important to scan all web content coming into your environment, and be skeptical of any links you find on social media sites. Help educate your users on the risks by downloading our free social media kit, the Sophos Threat Beaters toolkit. Oh, and if you use Twitter please follow me (@chetwisniewski). I hate the idea that evil robots are more popular than I am.

Update: Another person just appeared to me who is also trying to make some skin off of others content on Twitter by posting shortened links to his own site (for SEO) and displaying Google Ads as an interstitial page before directing you to the real site. In this case, it is not criminal (no stolen content) just annoying and borderline unethical. Watch carefully for people who only tweet shortened links to their own site and are not known to you.

, , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.