On June 6, the same day that the infamous LinkedIn password breach was widely reported, there seems to have quietly begun an epidemic of Twitter account hacking.
That afternoon, I got a direct message (DM) from someone I follow saying “You don’t need any prior experience!” followed by a link. I have followed this Twitter user for three years and had never received spam from him before.
I replied and soon found out that the person still had control of his account. He changed his password on Twitter (and LinkedIn, on my recommendation) and I suggested he revoke authorization for any apps that he may have recently connected with his Twitter account.
That seemed to have resolved the problem. For him, anyway.
Over the next couple weeks, I received three more direct messages from followers whose accounts had been hacked, each containing a link to a similar site:
"Hey, Why work for somebody else?"
"best decision I ever made was checking this out. just click on this link"
"Hey pal, a woman tells CNBC about making money from home!"
Interestingly, one of these users hasn’t even used her Twitter account in almost two years.
In addition to sending DMs, the hacked accounts also publicly posted a similar tweet. Searches of public tweets indicate that thousands of accounts appear to have been hacked as part of this campaign.
First let’s take a look at where the spam links lead. Then we’ll examine how these Twitter accounts may have been hacked.
The spam links
The links in these spam messages lead to what appear to be news articles from CNBC about a mom who works at home and earns $6,795 a month. But wait a second… are these actual CNBC articles?
If you look closely you’ll observe that the domain is not, in fact, cnbc.com. In this case it’s actually com-article****.info, and a “cnbc” subdomain has been tacked onto the front. Thus, “cnbc.com-” deceptively appears at the beginning of the address.
Those familiar with URL formatting are aware that a slash, not a hyphen, comes after the domain portion of a website’s address.
But that’s not all this site does to try to fool the viewer.
The fake news site is coded to dynamically change the city in the headline and the body of the article to match the viewer’s location. It figures this out based on the user’s IP address, which is visible to every Web site you visit. Seeing one’s own hometown in the headline adds to the fake news article’s illusion of credibility.
If someone is deceived by the fake news article and clicks on a link, he or she will be taken to a site that encourages the victim to sign up for a multi-level marketing (MLM) scheme.
There are several pages of negative reviews of this MLM site on Web of Trust and elsewhere. Even if there weren’t, the site’s apparent (though perhaps indirect) affiliation with Twitter account hackers should be a huge red flag.
It’s also interesting to note that the MLM site is “VeriSign Secured” (it has a Symantec SSL certificate) which obviously doesn’t validate the credibility of the site. The website also claims to be “McAfee Secure” but the embedded McAfee widget actually tests a different domain.
The existence of “secured” logos on a webpage is never a good reason to let down your guard and trust a site. For one thing, the kinds of tests conducted by site security validation services are very limited. Furthermore, scammers can easily put fake “secured” badges on their sites.
How are so many Twitter accounts getting hacked?
Unfortunately, it’s not entirely clear how all these Twitter accounts have been hacked.
Given the timing of when I first became aware of this hack-and-spam campaign, I immediately wondered whether it could be related to the LinkedIn password breach. For example, if an attacker gained access to a LinkedIn account that was connected with a Twitter account, and if the LinkedIn user had the same or a similar password on Twitter, the attacker could gain access to the Twitter account as well.
In fact, it’s even possible to post an update on LinkedIn and cross-post it as a tweet on your Twitter account.
The recent spate of Twitter account hacking might not have anything to do with LinkedIn, though. In the past we’ve seen everything from cross-site scripting attacks (notably the StalkDaily and various Mikeyy Twitter worms from a few years ago) to phishing links sent from friends’ hacked accounts or random shill accounts.
There have also recently been rogue applications that sent spam tweets from affected users’ accounts. Be careful about authorizing apps to interact with your Twitter account. You can check to see which apps you’ve authorized and revoke any that you don’t recognize or don’t use.
Twitter account breaches associated with fake CNBC sites have already been occurring for a couple weeks if not longer, and the problem doesn’t show any signs of slowing down.
I reached out to Twitter yesterday to share my findings and although they didn’t have any specific information about what had caused the breaches, they said they suspected it was the result of phishing.