Twitter Promoted a Tweet That Steals Your Credit-Card Details

Twitter has its work cut out when trying to police its sprawling social network: porn bots, propaganda trolls, and neo-Nazis plague the site every day. But in a novel case, cybercriminals recently leveraged Twitter's promoted tweet feature to push a website designed to steal, funnily enough, a bevy of Twitter users' personal data.

"Jesus Christ, Twitter is promoting a phishing site that claims to offer Twitter verification and asks for your Twitter password, phone number, and credit card information," Mike Wehner, trending news editor at BGR, tweeted Sunday, along with a selection of screenshots of the offending site.

Customers have long been able to pay Twitter to promote certain posts, and increase how many people see them. Marketers typically use the feature to boost their advertisements, giving them a further reach.

Judging by Wehner's screenshots, the phishing site first presented a convincing-looking, but fake, Twitter page that explained the merits of having an account verified, or certified as genuine by Twitter's internal apparatus.

"Being verified is more than a cool badge on your profile, it signifies authenticity and ensures the community that you are an official account," the page reads.

After the visitor provides some basic information, the site then asks for the user's credit-card number, expiration date, security code, and billing address, likely enough information for a cybercriminal to then use those payment details elsewhere.

The site now appears to be inactive, showing only a default web server page with none of the phishing content itself.

This specific scam isn't a new problem. Cybersecurity firm Malwarebytes covered a similar tweet and phishing attempt back in October 2016. As Malwarebytes pointed out at the time, that phishing site even had HTTPS enabled (marked by a distinctive green padlock in a visitor's web browser), meaning some victims may have mistakenly thought the site was legitimate. Today, however, as it has become much easier and cheaper to enable HTTPS on a website, that padlock is no longer a good indicator of whether a website is genuine: it shows only that the connection is encrypted, not who is on the other end of it.

Back in 2015, notorious troll and white supremacist Andrew "weev" Auernheimer used Twitter's promoted-tweets feature to spread two messages. A day later, Twitter blocked one of the tweets, citing a ban on ads that deal with violence, hate content, and sensitive topics, The Guardian reported at the time.

"We don't comment on individual accounts for privacy and security reasons," a Twitter spokesperson told The Daily Beast in an email, concerning the latest phishing attempt.

Twitter has since suspended the account.
