On June 6, the same day that the infamous LinkedIn password breach was widely reported, an epidemic of Twitter account hacking seems to have quietly begun.
That afternoon, I got a direct message (DM) from someone I follow saying “You don’t need any prior experience!” followed by a link. I have followed this Twitter user for three years and had never received spam from him before.
I replied and soon found out that the person still had control of his account. He changed his password on Twitter (and LinkedIn, on my recommendation) and I suggested he revoke authorization for any apps that he may have recently connected with his Twitter account.
That seemed to have resolved the problem. For him, anyway.
Over the next couple of weeks, I received three more direct messages from followers whose accounts had been hacked, each containing a link to a similar site:
"Hey, Why work for somebody else?"
"best decision I ever made was checking this out. just click on this link"
"Hey pal, a woman tells CNBC about making money from home!"
Interestingly, one of these users hasn’t even used her Twitter account in almost two years.
In addition to sending DMs, the hacked accounts also publicly posted a similar tweet. Searches of public tweets indicate that thousands of accounts appear to have been hacked as part of this campaign.
First let’s take a look at where the spam links lead. Then we’ll examine how these Twitter accounts may have been hacked.
The spam links
The links in these spam messages lead to what appear to be news articles from CNBC about a mom who works at home and earns $6,795 a month. But wait a second… are these actual CNBC articles?
If you look closely you’ll observe that the domain is not, in fact, cnbc.com. In this case it’s actually com-article****.info, and a “cnbc” subdomain has been tacked onto the front. Thus, “cnbc.com-” deceptively appears at the beginning of the address.
Those familiar with URL formatting are aware that a slash, not a hyphen, comes after the domain portion of a website’s address.
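The hyphen trick can be checked mechanically. The following is an added example, not code from the original article: it separates the subdomain labels (which anyone controlling a domain can set to "cnbc") from the domain that actually serves the page, and flags the "com-" label that makes "cnbc.com-" read like cnbc.com. The BRANDS map, the two-label domain rule and the placeholder URL are assumptions made for the example.

```python
"""Added example: tell the domain a reader *sees* at the front of a link from
the domain that actually serves the page."""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Brands worth checking and the registrable domain that legitimately owns
# them. Constructed for this example; extend as needed.
BRANDS: Dict[str, str] = {"cnbc": "cnbc.com"}

# A label that looks like a TLD glued to a hyphen ("com-article") is the
# cosmetic trick described above: "cnbc.com-" reads like cnbc.com at a glance.
TLD_HYPHEN = re.compile(r"(com|net|org|co|gov)-.+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. This simplification is assumed here;
    production code should consult the Public Suffix List so that hosts
    such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url: str, brands: Dict[str, str] = BRANDS) -> dict:
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    real = registrable_domain(host)
    # Everything left of the registrable domain is a subdomain chosen by
    # whoever controls that domain, so it can spell any brand name at all.
    sub_labels = host.split(".")[:-2]
    impersonates: Optional[str] = None
    for brand, legit in brands.items():
        if real != legit and any(brand in lbl for lbl in sub_labels):
            impersonates = legit
            break
    return {
        "host": host,
        "registrable_domain": real,
        "impersonates": impersonates,
        "tld_hyphen_trick": any(TLD_HYPHEN.fullmatch(lbl) for lbl in host.split(".")),
    }


if __name__ == "__main__":
    # Constructed sample links; the placeholder stands in for the masked domain.
    for link in ("http://cnbc.com-article-placeholder.info/work-at-home-mom",
                 "https://www.cnbc.com/id/0000"):
        print(analyze_link(link))
```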
But that’s not all this site does to try to fool the viewer.
The fake news site is coded to dynamically change the city in the headline and the body of the article to match the viewer’s location. It figures this out based on the user’s IP address, which is visible to every Web site you visit. Seeing one’s own hometown in the headline adds to the fake news article’s illusion of credibility.
If someone is deceived by the fake news article and clicks on a link, he or she will be taken to a site that encourages the victim to sign up for a multi-level marketing (MLM) scheme.
There are several pages of negative reviews of this MLM site on Web of Trust and elsewhere. Even if there weren’t, the site’s apparent (though perhaps indirect) affiliation with Twitter account hackers should be a huge red flag.
It’s also interesting to note that the MLM site is “VeriSign Secured” (it has a Symantec SSL certificate) which obviously doesn’t validate the credibility of the site. The website also claims to be “McAfee Secure” but the embedded McAfee widget actually tests a different domain.
The existence of “secured” logos on a webpage is never a good reason to let down your guard and trust a site. For one thing, the kinds of tests conducted by site security validation services are very limited. Furthermore, scammers can easily put fake “secured” badges on their sites.
How are so many Twitter accounts getting hacked?
Unfortunately, it’s not entirely clear how all these Twitter accounts have been hacked.
Given the timing of when I first became aware of this hack-and-spam campaign, I immediately wondered whether it could be related to the LinkedIn password breach. For example, if an attacker gained access to a LinkedIn account that was connected with a Twitter account, and if the LinkedIn user had the same or a similar password on Twitter, the attacker could gain access to the Twitter account as well.
In fact, it’s even possible to post an update on LinkedIn and cross-post it as a tweet on your Twitter account.
The recent spate of Twitter account hacking might not have anything to do with LinkedIn, though. In the past we’ve seen everything from cross-site scripting attacks (notably the StalkDaily and various Mikeyy Twitter worms from a few years ago) to phishing links sent from friends’ hacked accounts or random shill accounts.
There have also recently been rogue applications that sent spam tweets from affected users’ accounts. Be careful about authorizing apps to interact with your Twitter account. You can check to see which apps you’ve authorized and revoke any that you don’t recognize or don’t use.
Twitter account breaches associated with fake CNBC sites have already been occurring for a couple of weeks if not longer, and the problem doesn’t show any signs of slowing down.
I reached out to Twitter yesterday to share my findings and although they didn’t have any specific information about what had caused the breaches, they said they suspected it was the result of phishing.
Twitter recommends that users read their guidance on how to keep accounts safe, and follow @safety for Twitter’s security and safety updates.
FWIW I had same password on linkedin and Twitter and had a similar hack happen to my Twitter account. Both have since been changed and are now different, but makes you wonder.
Thanks for this information. I have a Twitter account that I hardly ever use… I logged in after reading this article, and found four spam tweets sent from my account over the past 8 days. Yikes!
This is a very good article on the cnbc scam, but my information shows that they didn’t start June 6th. I reported this cnbc scam on May 16th and had seen people tweeting links to it a month earlier.
We do know that LinkedIn wasn’t hacked on June sixth due to a user who tweeted on how they had changed their password in the last 3 weeks, yet the leaked password had their old one. So, are they linked? I doubt it. Here is a link to my article http://planetzuda.com/news/2012/05/16/cnbc-email-…
The CNBC scam actually started in mid-May. I reported the CNBC scam on May 16th, however I had seen it previously. http://planetzuda.com/news/2012/05/16/cnbc-email-…. I got one CNBC email scam in the 1st week of May. I first saw a link to a fake cnbc site on Twitter about a month ago. While nearly everyone is saying LinkedIn got hacked June 6th, that isn’t accurate. That’s when the public found out. A Twitter user tweeted that they had changed their password three weeks before the leak, yet their old password was the one leaked. That’s what was reported on Security Now, a show on http://twit.tv. So with this info, it is possible that the LinkedIn leak and the Twitter cnbc spam may be connected, but I don’t believe they are.
I first saw this scam in January 2012 when I was the spam filter at work. I have received it in emails from friends' hacked accounts a few times since. I wondered how the spammers knew where I lived – now I know.
It boils down to TBYC (pronounced teebick), an acronym I just coined. It stands for Think Before You Click.
I have been using the ‘net since it was white text on a black screen.
I can safely say I’ve seen it all. The rest, social networks, twit type accounts, real emails, and gin-mail accounts all need a TBYC icon popup.
I am amazed at just how easy it is for hackers, scammers, and spammers to this day continue to con the masses.
TBYC
I
When someone writes a post he/she retains the image of a user in his/her mind of how a user can know it. So that’s why this piece of writing is perfect. Thanks!
Had my Twitter account hacked, hadn't used it in 6 months, not linked to any other accounts. All I can think is that they brute-forced it or broke into Twitter, as I've not had any phishing scams.
Once compromised, all they did was send out some spam tweets about diets
Just got this fake CNBC item today !! Seemed odd, considering the supposed sender.
Also the 'too good to be true' certainly applies. So if it's too good…, then it is.
A TBYC is also a good motto to follow.
Think this site is super. Thanks.