Cyber crooks hijacked more than 2,500 Twitter accounts and used them to post links to adult content in an attempt to cash in on affiliate programs that pay for sign-ups.
Symantec researchers spotted compromises of the accounts of an electrofunk band, an international journalist from The Telegraph, and other high-profile individuals during the campaign, according to a May 23 blog post.
The attackers often replaced the user's profile picture with that of a scantily clad woman, altered the bio to include links to adult sites, liked tweets, and followed users with the intent of luring those curious enough to investigate the recently altered profiles, the post said.
“If a user visits the compromised profile, they will see tweets that claim to offer free sign-ups to watch ‘hot shows’ over webcam, or dates and sexual encounters,” researchers wrote.
The new tweets on the compromised page contain sexually suggestive photos and shortened links, created with either Bitly or Google's URL shortener, that redirect users to the adult sites, according to the post. The links also include an affiliate tag that identifies where the traffic originates.
“The incentive for the attackers is to drive users to these adult dating websites with the intention of getting users to sign up for these sites,” Symantec Senior Security Response Manager Satnam Narang told SCMagazine.com via emailed comments. “We estimate that each successful conversion is worth $4.00 per user.”
Researchers noted that several of the compromised accounts were older accounts that had been orphaned by their owners and had not sent new tweets in years. The oldest account was registered in December 2007, 27 percent of compromised accounts were created in 2011, and 73 percent were at least four years old, researchers wrote.
“We suspect that the accounts were compromised as a result of weak passwords and password re-use, whereby passwords obtained from other breaches allowed attackers to gain access to these accounts,” Narang said.
Giovanni Vigna, CTO and co-founder of cybersecurity firm Lastline, told SCMagazine he agreed.
“They might have obtained username/password information from a breached music-exchange service and then simply tried the password combination against Twitter,” he said via emailed comments.
Vigna said the fact that a large portion of the compromised accounts were old and barely active further supported the claim.
InfoArmor Chief Intelligence Officer Andrew Komarov contended the credentials came from organized attacks on web applications.
“In many cases, they use such data for checking the affected users' credentials across multiple online services, including social networks, in order to monetize it in a more scalable way – just one pair of credentials may lead to 10-plus accounts on various services, including Twitter, e-commerce, instant messengers and profiles on various communities,” Komarov told SCMagazine.com via email.
To avoid account compromise, researchers recommended users create a strong and unique password, use a password manager, and consider enabling Twitter's login verification.