A rogue application has caught Twitter users off their guard today, with thousands of people duped into clicking on links believing that it will reveal how many hours they have spent on Twitter.
I have spent 11.6 hours on Twitter. How much have you? Find out here: [LINK]
However, if you click on the bit.ly link being used in the message you are taken to a page which attempts to connect a rogue application called “Time on Tweeter” with your Twitter account.
The application instantly tweets a message to your Twitter feed, claiming that you have also spent 11.6 hours on Twitter, thus spreading the link virally, and then directs you to a page which presents a revenue-generating survey on behalf of the scammers.
Affected users should revoke the application’s access to their Twitter account immediately.
Scams like this are very commonly encountered on Facebook, but are more rarely seen on Twitter.
Sophos is in contact with bit.ly about closing down the offending link, but it’s always possible that the scammers will use other links and other names for their rogue applications. So be on your guard and always think twice before allowing a third-party app to have access to your Twitter account.
I’ll be publishing more information about this fast-spreading scam shortly – but in the meantime, feel free to follow me at @gcluley on Twitter.
Update: As predicted, we are seeing other incarnations of this scam using different links and names for their rogue application as well as different “times”. For instance, a number of people have been compromised by an app called “Time on Tweet” which claims they have been on Twitter for 10.6 hours rather than 11.6 hours.
I have spent 10.6 hours on Twitter. How much have you? Find out here: [LINK]
And here’s another version which was spreading earlier today, using somewhat different wording:
I have spent 12 hours and 25 minutes Twitter in 2011. How much have you? Find out @ [LINK]
Update 2: It looks like the initial attack has stopped spreading – great news! Thanks to everybody who retweeted this story and spread the word.
However, there is some evidence that the scammers may be attempting to spread new versions of the attack to Twitter users, this time using the goo.gl URL shortener and an app calling itself “How many hours?”. Hopefully many users will now be on the lookout for such tricks.
Please remember to exercise extreme caution over which applications you allow to connect with your Twitter account.
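The three lure tweets quoted above share one skeleton with a variable “time”, a variable wording (“here:” versus “@”) and a short link. The following is an added detection example, not code from Sophos or from this post: it matches that skeleton over a handful of constructed sample tweets (the link paths are placeholders, not the real scam URLs) and flags which of the two shortener hosts named in the post the link uses. Anyone monitoring a feed for this campaign would key on the fixed phrasing rather than the changing hours or link.

```python
import re

# Constructed sample tweets modelled on the wording quoted in the post.
# The bit.ly / goo.gl paths are placeholders, not the real links used by the scam.
SAMPLE_TWEETS = [
    "I have spent 11.6 hours on Twitter. How much have you? Find out here: http://bit.ly/PLACEHOLDER1",
    "I have spent 10.6 hours on Twitter. How much have you? Find out here: http://bit.ly/PLACEHOLDER2",
    "I have spent 12 hours and 25 minutes Twitter in 2011. How much have you? Find out @ http://goo.gl/PLACEHOLDER3",
    "Spent the whole afternoon on Twitter reading about this scam. Three hours well wasted.",
]

# Lure template: the hours (or hours and minutes) vary, the optional "on" and
# "in <year>" vary, "here:" or "@" introduces the link, but the question stays fixed.
LURE_RE = re.compile(
    r"I have spent (?P<time>.+?) (?:on )?Twitter(?: in \d{4})?\. "
    r"How much have you\? Find out (?:here:|@) (?P<url>\S+)",
    re.IGNORECASE,
)

# Short-link hosts named in the post. A production filter would follow the
# redirect and inspect the landing page rather than trusting the host alone.
SHORTENER_HOSTS = {"bit.ly", "goo.gl"}


def link_host(url):
    """Return the lowercase host part of a URL without a parser dependency."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def classify(tweet):
    """Return details of the lure if the tweet fits the template, else None."""
    m = LURE_RE.search(tweet)
    if not m:
        return None
    url = m.group("url")
    return {
        "time": m.group("time"),
        "url": url,
        "shortener": link_host(url) in SHORTENER_HOSTS,
    }


def scan(tweets):
    """Return (tweet, details) pairs for every tweet matching the lure template."""
    hits = []
    for tweet in tweets:
        details = classify(tweet)
        if details:
            hits.append((tweet, details))
    return hits


def campaign_variants(tweets):
    """Summarise the distinct 'time' claims seen, i.e. the rogue-app incarnations in circulation."""
    return sorted({details["time"] for _, details in scan(tweets)})


if __name__ == "__main__":
    for tweet, details in scan(SAMPLE_TWEETS):
        print(f"LURE  time={details['time']!r} url={details['url']} shortener={details['shortener']}")
    print("variants seen:", campaign_variants(SAMPLE_TWEETS))
```

Running the block flags the three lure tweets and leaves the ordinary tweet alone; the variant summary shows the “10.6 hours”, “11.6 hours” and “12 hours and 25 minutes” incarnations side by side, which is the quickest way to see that a single campaign is behind several differently-named apps.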
Hat tip: Thanks to Naked Security reader Guido for first alerting us to this outbreak.