Your Online Timer survey scam spreads rapidly on Twitter

More rogue applications are catching Twitter users off guard today, helping scammers earn money by spreading links that point to online surveys.

Following other attacks this weekend, which saw users spreading messages about a girl who killed herself and how addicted they were to Twitter, new messages are appearing on Twitter claiming to count how long users have been members of the tweeting service:

I have spent 379 days, 9096 hours on Twitter. How much have you? Find out here: [LINK]

The amount of time shown differs between users, so you may see different numbers.

The messages, posted by an application called "Your Online Timer", include a link which - if your Twitter followers click on it - will encourage them to authorise "Your Online Timer" to access and update their Twitter accounts as well.

Twitter rogue app

As we've discussed before, you should always think very carefully before allowing unknown apps the ability to access your social networking accounts.

But if you do make the mistake of approving this particular application, you will be taken to a website which claims it will find out the time you have spent to date on Twitter.

Online survey

Regular readers of Naked Security will remember the so-called "11.6 hours" scam we saw spreading rapidly on Twitter earlier this month - and sure enough this scam shares a lot of similarities with it.

The page pops up a survey (when I tested the link it said there wasn't a survey available in my country, but your experience may differ), which earns the scammers money for each questionnaire completed.

Meanwhile, behind the scenes and without your explicit approval, your Twitter account has been updated with a status update - spreading the link virally to your Twitter followers:

Status update from rogue application
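Because the lure text is identical apart from the numbers and the link, anyone watching a set of accounts can spot the campaign by collapsing those variable parts and counting how many distinct accounts posted the same template through the same application. The following is an added example, not code from the original article; the sample statuses, the (author, application, text) layout, the short.example links and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample statuses: (author, posting application, text). Not real data.
LURE = "I have spent {d} days, {h} hours on Twitter. How much have you? Find out here: {u}"
SAMPLE_STATUSES = [
    ("alice", "Your Online Timer", LURE.format(d=379, h=9096, u="http://short.example/abc")),
    ("bob",   "Your Online Timer", LURE.format(d=212, h=5088, u="http://short.example/abc")),
    # Same lure behind a different short link, as scammers may rotate links.
    ("carol", "Your Online Timer", LURE.format(d=45, h=1080, u="http://short.example/xyz")),
    ("dave",  "web", "Spent 3 hours on a train today. Never again."),
    ("erin",  "web", "I have spent 2 days reading about app permissions."),
    ("alice", "web", "Lunch at 12?"),
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")


def template_of(text):
    """Collapse per-user parts (links, numbers) so copies of one lure compare equal."""
    text = text.lower()                # normalise case before inserting placeholders
    text = URL_RE.sub("<URL>", text)   # links first, so digits inside URLs vanish too
    text = NUM_RE.sub("<N>", text)
    return " ".join(text.split())      # collapse runs of whitespace


def find_campaigns(statuses, min_accounts=3):
    """Return {(app, template): sorted accounts} for link-bearing templates that one
    application posted from at least min_accounts distinct accounts."""
    seen = defaultdict(set)
    for author, app, text in statuses:
        tpl = template_of(text)
        if "<URL>" in tpl:             # only messages that carry a link can spread it
            seen[(app, tpl)].add(author)
    return {key: sorted(accts) for key, accts in seen.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    for (app, tpl), accounts in find_campaigns(SAMPLE_STATUSES).items():
        print(f"{app!r} posted the same template from {len(accounts)} accounts: {accounts}")
        print(f"  template: {tpl}")
```

The accounts listed for a flagged template are the ones whose owners need to revoke the application's access.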

Affected users should revoke the application's access to their Twitter account immediately. You can do that by entering Settings/Connections and revoking the rights to the relevant application.

Revoke application permissions on Twitter

Sophos is in contact with bit.ly about closing down the offending link, but it's always possible that the scammers will use other links and other names for their rogue applications. So be on your guard and always think twice before allowing a third-party app to have access to your Twitter account.

If you're on Twitter and want to learn more about threats, be sure to follow Naked Security's team of writers. Meanwhile, Facebook users would be wise to join the Sophos Facebook page, where we give early warning about new threats.

Hat-tip: Credit to F-Secure's Sean Sullivan who identified that the same bit.ly user who was behind the "11.6 hours" scam appears to also be the originator of this latest attack.

3 Responses to Your Online Timer survey scam spreads rapidly on Twitter

  1. ran · 1131 days ago

    How about better covering of this story.
    For example, can this site really count, at least approximately, our Twitter time or it shows some random number? Is there some math behind this or no?
    If it doesn't give any value whatsoever, OK, label it as a scam and something terrible, but if it has real purpose why you scream scam just because there is a survey? Now I'm even afraid to visit this site because I (and I guess many others) think maybe there is a virus on it or something like that, but it could maybe be fun little site.
    If it's legit, somebody made that site, he's not obligated to give you fun for free. Paying back to him in a form of survey shouldn't be considered a scam just because there are a lot of survey based scams.

    • It's a scam because it posts to your Twitter account without your permission, in order to drive traffic to its revenue-generating survey.

      Does it calculate the *real* number of hours that you have been on Twitter? I frankly have no idea, and consider the question irrelevant!

      Whether it does or not - it's still a survey scam. End of story from my point of view. :)

    • No. It is not accurate. There is no way an external application can tell how long you've been on Twitter, especially not instantly. Do you think it is worth it to allow some random person or organization access to your updates, just so you can get an estimated number anyway? No. But if so, enjoy spreading the link so some guy can make money at your (and other Twitter users') expense.

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.