A Promoted Tweet claims it can help Twitter users get their accounts verified, but in reality, it's just a scam. Promoted Tweets are a way by which Twitter users can pay for a Tweet to reach a wide audience and generate engagement with their current followers. As such, they are an excellent tool for anyone looking to advertise something. Unfortunately, Promoted Tweets are also useful for scammers looking to steal users' Twitter credentials. Christopher Boyd of Malwarebytes came across one such scammy Promoted Tweet on 28 October.
In three days, at least 812 people clicked on that tweet. 644 users did so on their iPhones, with 534 of those based in the United States. Sure enough, the shortened URL leads to a phishing page where it advertises the ability to help Twitter users get their accounts verified. Here's what the phishing landing page says, as quoted by Malwarebytes:
"Welcome to Twitter Verification "Hundreds of millions of people use Twitter to discover what’s happening in the world. Twitter can help you connect with them and achieve meaningful results. "Being verified is more than a cool badge on your profile, it signifies authenticity and ensures the community that you are an official acount." [SIC]
The scam then takes users through a series of pages where it asks for their personal information, including their username, password, and email address. It does all of this under the guise of two pages that are protected by SSL. When the ruse asks for users' payment card details, however, it drops the act and includes insecure content. Hopefully, some users will notice that lack of protection and won't enter their financial information. Considering the scam is still active as of this writing, it's more important than ever for users to learn how they can spot scams on Twitter, such as the attack campaign targeting customers of UK banks. Users should be especially on the lookout for content that asks for their login credentials or financial information. As Boyd explains:
"Whether links you see on Twitter are served up by friends, strangers, or even sponsored content placed there via Twitter itself, never take them for granted – the moment you see a site asking for login credentials and / or payment information, think very carefully about your next move. 'Trust, but verify' has never seemed quite so relevant…"
Anyone who's fallen victim to this scam should change their Twitter password immediately, implement two-step verification (2SV) on their account, and carefully watch their payment card statements for any indication of fraud.
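The two technical signals the article describes (pages that collect credentials or payment-card data, and a page that is nominally SSL-protected but posts or loads content insecurely) can be checked mechanically before anyone types anything in. The following triage helper is an added example, not code from Malwarebytes or from the article; the page URL and HTML it scans are constructed for the example and do not reproduce the real scam's domain or markup.

```python
"""Phishing-page triage (added example, not the article's or Malwarebytes' code).

Given the URL a page was served from and its HTML, flag the signals the
article describes: forms that ask for credentials or payment-card data,
forms on an https page that post to plain http, and insecure (http://)
resources loaded into an https page ("mixed content").
The sample page below is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings in input names that suggest what a form collects (assumed heuristics).
CREDENTIAL_HINTS = ("user", "login", "email", "pass")
PAYMENT_HINTS = ("card", "ccnum", "cvv", "cvc", "expir")


class _FormScanner(HTMLParser):
    """Collects forms (action + input fields) and http:// resource references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []           # each: {"action": absolute URL, "fields": [(name, type)]}
        self.insecure_refs = []   # http:// resources referenced from an https page
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL so we can inspect the scheme.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["fields"].append((name, (a.get("type") or "text").lower()))
        # Resources the page pulls in: script/img/iframe via src, link via href.
        src = a.get("href") if tag == "link" else a.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            full = urljoin(self.page_url, src)
            if urlsplit(self.page_url).scheme == "https" and urlsplit(full).scheme == "http":
                self.insecure_refs.append(full)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_page(page_url, html):
    """Return a list of (finding, url) tuples describing risky traits of the page."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        names = [n for n, _ in form["fields"]]
        types = [t for _, t in form["fields"]]
        asks_credentials = "password" in types or any(h in n for n in names for h in CREDENTIAL_HINTS)
        asks_payment = any(h in n for n in names for h in PAYMENT_HINTS)
        if asks_credentials:
            findings.append(("credential_form", form["action"]))
        if asks_payment:
            findings.append(("payment_form", form["action"]))
        # Sensitive data submitted over plain http is the "drops the act" signal from the article.
        if (asks_credentials or asks_payment) and urlsplit(form["action"]).scheme == "http":
            findings.append(("form_posts_over_http", form["action"]))
    for ref in scanner.insecure_refs:
        findings.append(("mixed_content", ref))
    return findings


# Constructed sample: an https "verification" page with a credential form and a
# card form that posts over http, plus an http script reference.
SAMPLE_PAGE_URL = "https://verification.example.invalid/step1"
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.invalid/track.js"></script>
</head><body>
<form action="/login" method="post">
  <input name="username"><input name="email"><input type="password" name="pw">
</form>
<form action="http://pay.example.invalid/submit" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in triage_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:22s} {url}")
```

Run against a saved copy of a landing page, any `form_posts_over_http` or `mixed_content` finding on a page that also asks for credentials or card numbers is exactly the inconsistency the article points to: a legitimate verification flow would not mix a padlock on one step with unprotected submission on the next. The name heuristics are deliberately loose and will miss forms that use opaque field names, so treat the output as a prompt for manual review rather than a verdict.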