Anatomy of a Twitter Attack

I was happily snacking away on my lunch break here in Vancouver when suddenly my TweetDeck Twitter client sounded the alert for incoming direct messages. If you are not a Twitter user, direct messages are private messages between Twitter accounts. You can only send a direct message to someone who is following you on Twitter, no strangers allowed.

[Image: Twitter DM spam]

I knew the sender, so it was clear this was a new scam in progress…

What was the purpose in luring me to click on this URL? Penis pills? Phishing Attack? Malware? I performed a quick WHOIS lookup to see what I could find out. Of course the purchaser had enabled privacy to shield their identity.

Domain Name:JFK(redacted).INFO
Created On:02-Nov-2009 08:24:44 UTC
Last Updated On:02-Nov-2009 08:47:22 UTC
Expiration Date:02-Nov-2010 08:24:44 UTC

[Screenshot: "unavailable" message]

The domain was registered yesterday morning. I visited the URL from a test computer to see what would happen. Hrmph. They either don’t like security researchers, or, as usual, they simply don’t want Canadians getting rich off their scam.

The site did redirect me to another domain though, which I then looked up.

Record created on: 2008-08-19 16:41:23.0
Database last updated on: 2009-08-31 10:09:56.743
Domain Expires on: 2011-08-19 16:41:23.0

This one was over a year old. This is a common tactic in social media spam: Create new domains with a clean reputation and redirect these to known dirty domains further down the chain. But I still didn’t know what they were shilling, so I performed some magic, overcame my Canadian researcher problem, and finally arrived.
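To show the fresh-domain redirect tactic as something a defender can check for, here is an added example (editorial code, not from the original post): it parses the two WHOIS excerpts quoted above, in the two registrar formats shown, and flags any hop in a redirect chain that was registered within the last month. The observation date and the second hop's domain name are assumptions, since the post does not give them.

```python
import re
from datetime import datetime

# WHOIS excerpts exactly as printed in the post (two different registrar formats).
HOP1_WHOIS = """Domain Name:JFK(redacted).INFO
Created On:02-Nov-2009 08:24:44 UTC
Last Updated On:02-Nov-2009 08:47:22 UTC
Expiration Date:02-Nov-2010 08:24:44 UTC"""

HOP2_WHOIS = """Record created on: 2008-08-19 16:41:23.0
Database last updated on: 2009-08-31 10:09:56.743
Domain Expires on: 2011-08-19 16:41:23.0"""

# Assumed: the post was written the day after the first domain was registered.
OBSERVED_AT = datetime(2009, 11, 3, 12, 0, 0)

# Constructed chain: the first hop's name is from the post, the second is a placeholder.
REDIRECT_CHAIN = [
    ("jfk(redacted).info", HOP1_WHOIS),
    ("second-hop.example", HOP2_WHOIS),  # placeholder name, not the real domain
]

# Creation-date labels and timestamp layouts seen in the two outputs above.
CREATED_LINE = re.compile(r"^(?:Created On|Record created on)\s*:\s*(.+)$", re.M)
DATE_FORMATS = ("%d-%b-%Y %H:%M:%S UTC", "%Y-%m-%d %H:%M:%S.%f")


def parse_created(whois_text: str) -> datetime:
    """Return the registration timestamp found in a WHOIS record."""
    m = CREATED_LINE.search(whois_text)
    if not m:
        raise ValueError("no creation date in WHOIS record")
    raw = m.group(1).strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {raw!r}")


def domain_age_days(whois_text: str, observed_at: datetime) -> int:
    """Whole days between registration and the time the URL was seen."""
    return (observed_at - parse_created(whois_text)).days


def flag_redirect_chain(chain, observed_at: datetime, max_fresh_days: int = 30) -> list:
    """Return the domains in a redirect chain younger than max_fresh_days.
    A young front-end domain redirecting to a much older one is the pattern
    described above: a clean-reputation throwaway in front of the known-bad site."""
    return [d for d, whois in chain if domain_age_days(whois, observed_at) < max_fresh_days]
```

On the post's own records this flags only the one-day-old .INFO front-end, while the year-old target domain passes the age check, which is exactly why the spammers put the fresh domain in front.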

[Screenshot: registration page]

I dutifully registered after reading the terms and conditions and privacy policy, a must for these types of sites. After a bit of legalese, I determined that my idea of privacy was not quite compatible with theirs.

The terms and conditions state: “By submitting this form, I am ordering GoogleFortune for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy GoogleFortune, simply do nothing. On the 7th day my credit card will automatically be charged $69.97 and every month, thereafter...” Further along it adds some more goodies: “I also agree to the 14 day and 21 day bonus trials to Rebate Millionaire and Network Agenda (redacted) for $19.95 a month and $9.95 a month thereafter”. You can also see this text in small print at the top of the billing page.

[Screenshot: payment page]

At least I know my credit card will be safe in transit, as the site is certified secure. Now I can sit back and watch as $99.87 a month starts my new career working from home. The site even points out that using Google is FREE.

Many Twitter users fell victim to this scam today, likely the result of a phishing attack against users of the service. Using sites that request your username and password for social media is never a good idea. Make sure anything requesting your Twitter credentials uses Twitter OAuth. This means your username and password are requested by Twitter itself, and only an authorization to act on your account is passed through to the third-party application.

If you are having a hard time creating complex passwords, watch Graham Cluley make a great password from Bedrock.