About the Twitter diet spam

Quite many Twitter users have recently seen messages similar to this:

I lost my 15 pounds and my belly fat using free garcinia: http://womenshealth.com-ar1(.)info 🙂

This  diet spam campaign has been running for quite some time. If you are not familiar with the topic, please read this article  by Softpedia. Read also: Another day, another round of diet spam on Twitter by Graham Cluley.

This blog post contains some additional information.

Here is a list of domain names and links spammers have been using – note that the list is most likely not complete.

30-Jun update: it seems diet spammers are now also using hacked web-sites making it more difficult to spot and block the domains. Many hacked web-sites are using an old version WordPress. Most likely hackers have installed the malicious redirect-script by using a known vulnerability. List of spotted links can be found below (bold).

  • com-15.us, com-11.us, com-10.us, com-17.us, com-16.us, com-14.us
  • org-17.us, org-18.us, org-10.us, org-13.us, org-14.us
  • net-10.us, net-11.us, net-12.us, net-13.us, net-16.us, net-15.us
  • com-expo.in
  • com-mgc1.pw
  • com-wen.pw
  • com-ar1.info
  • com-ar2.info (28-Jun – including cnbc.com-ar2.info which is not diet related)
  • com-garcinia-diet.net
  • com-article-diet.net
  • com-articles-diet.net
  • com-gc.net
  • com-lifestyle-article.net
  • com-sat.pw
  • com-may.us, com-april.us, com-june.us
  • tumblrhealth.me
  • com-news-garcinia.net
  • com-c.pw (womenshealth.com-c.pw – reported as a web forgery)
  • com-0624.net (weightloss.com-0624.net)
  • com-06-24-12.net (loseweight.com-06-24-12.net)
  • net-2.us, net-18.us (28-Jun)
  • com-lot.pw (28-Jun)
  • com-indexrx.us (29-Jun)
  • com-mo.com (29-Jun – links appear to be broken)
  • toysoncam.com/pbdv.php (30-Jun – most likely a hacked site)
  • nameconnect.com/semk9.php (-,,-)
  • ericabodinepottery.com/7l2bv.php (-,,-)
  • tacticalgearmanufacturer.com/brlue.php (-,,-)
  • thoreast.com/gqhqc.php (-,,-)
  • tugbucket.net/qbgb.php (-,,-)
  • suttoncoldfieldconservativeclub.com/124e3.php (-,,-)
  • baliseawalker.com/c1g09.php (-,,-)
  • balirc.com/3d0f.php (-,,-)
  • bibliofreakblog.com/70nup.php (-,,-)
  • baliwatersport.com/3ojnp.php (-,,-)
  • obligationagent.com/9zkxe.php (-,,-)
  • primsydoodledesigns.net/8pk4l.php (-,,-)
  • annuaire4web.com/yuvdh.php (-,,-)
  • tolucabaseball.com/96pf6.php (-,,-)
  • barsoftball.com/hlf4w.php (-,,-)
  • mygoalfriend.com/v45z.php (-,,-)
  • stamfan.com/ip5mx.php (-,,-)
  • prestigeplus.rs/xtcdo.php (-,,-)
  • shetlandpeople.com/h2o9q.php (-,,-)
  • nexgen-capital.com/wosz5.php (-,,-)
  • psblog.org/ev8wh.php (-,,-)
  • radiointel.net/iav16.php (-,,-)
  • wp3theme.wpfeed.com/wp-content/plugins/zz53f.php (-,,-)
  • digisoft.nl/vijverbergers/z2kks.php (-,,-)

Spammers use sub-domains in order to fool users e.g. womenshealth (womenshealth.com-ar1.info), healthywomen (healthywomen.com-garcinia-diet.net), dieting.com-articles.net, loseweight.com-news-garcinia.net etc. Please note that womenshealth.com and healthywomen.com do not have anything to do with these spam domains. It is relatively easy to spot the spam if you pay attention to the full domain name.

(WOT) Web of Trust maintains a list of spam domain names. @JoshMeister has published a list of domains and links in his blog.

Other tricks

Spammers have also used other tricks such as open redirect vulnerabilities and Google search. More information in E hacking news. At least one open redirect vulnerability has not been fixed yet: wzus1.ask.com. In these cases the domain (e.g. http://ask.com/) is most likely not malicious. Spammers simply misuse a known vulnerability to get users to visit spam sites without realizing it – before it is too late. Example post:

open redirect Twitter spam example

The spam tweets or DMs may come from your followers, unknown persons or even from people you know. There are many “spam bot accounts” involved. But the most worrying part in this campaign is the hijacked user accounts. It is not clear how the accounts were compromised.

Twitter instructions for reporting spam: https://support.twitter.com/articles/64986-how-to-report-spam-on-twitter. Reporting account for spam could be difficult in case the tweet originates from a known person or a friend. It might be also ineffective: the account will not be suspended automatically.

On 26th of June CEO of Twitter, Mr. Dick Costolo (@dickc), reacted to user complaints on Twitter: “we are on it”. I have not yet seen any other public reactions or instructions from Twitter.

Similar spam campaigns

Facebook, Tumblr and Pinterest are also affected

Twitter is not alone with this problem. I have read about similar problems affecting Tumblr, Facebook and Pinterest. E.g. http://pinterest.com/kylef1337/wedding-photography/ – contains “wedding photography” with links to scam pages such as www(.)msnbc.msn.com-april.us (main domain name: com-april.us). This one: http://pinterest.com/source/sms.mojgrad.org/ uses another domain: sms.mojgrad.org which redirects users to http://www.womenshealthmag.com-may.us.

Here is an example spam post from Facebook:

diet spam - Facebook Example

Basic instructions

Affected users should change their passwords – yes, all of them – immediately. If that doesn’t stop the spamming, there could be some malicious 3rd party Twitter application involved. You can find instructions on how to revoke access or remove an application from here.

If your account was hacked and tweeted diet spam, it would be interesting to hear about your experiences.

Tagged , ,

8 thoughts on “About the Twitter diet spam

  1. […] expert Janne Ahlberg has been closely monitoring the evolution of the miracle diet spam campaign. Over the weekend, he reported that spam messages […]

  2. Rob says:

    Looks like at least one DM spam sends users to a twitter login page lookalike. I spotted a spam tweet from someone I follow, followed swiftly by a retraction and then –
    “babycow productions @babycowLtd 21h
    Virus in the form of DM from a friend when you click link asks for password verification, shudda known better we have not shed 20Ibs of Fat”

    • jannefi says:

      Many thanks for your comment. Do you happen to have a link to the fake Twitter login page or copy of the DM? If so, please send it to me janne(.)ahlberg at gmail(.)com

  3. Laura says:

    II was told by a friend that my Twitter account had sent spam, but not diet spam. It is now sex-on-the-beach spam – here is the message that was sent: Direct from @[twitteraccountname]: at the moment that the idea of stripping on the beach or http://t.co/dYgtcY3KdD To reply, type ‘DM @[twitteraccountname] [your message]’

    I changed my password, but am worried. Any advice, besides deleting my Twitter account?

  4. jannefi says:

    Thanks for sharing. I don’t think you need to delete your Twitter account. Changing passwords should be sufficient. Please read http://janne.is/2013/07/twitter-account-hack-warning/ for more information

  5. Alli says:

    Dayum just got some dumbass hijacking my twitter. Probably one of those unfollow trackers 😛 I deleted the post, no one cared anyway I was asleep and they knew that. Also I don’t measure weight in pounds those fucking dumbshits.

  6. DuchessofHacked :( says:

    My Twitter & Pinterest accounts were compromised and posted diet spam before I recovered them. Pinterest picked up the strange activity and emailed me alerting me to it as I don’t use Pinterest all the time. I’m unsure how they got control of my accounts as I’m fairly careful and savvy about dodgy links. I believe they got to my Pinterest through the application link from my Twitter. I’ve done a full malware/virus scan on my computer turning up nothing and the only other place I use Twitter from is my iPhone. I’ve obviously changed the passwords but then they had another go at hacking my Pinterest!

    • impermeabili says:

      hey there, same issues here, though with me twitter picked it up and pinterest didn’t. now both my twitter and pinterest were authenicated via ‘connect with facebook’, and i had a third party app called ‘pay with a tweet’, i’m pretty sure that’s the one that shat all over my lovely pinterest boards.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: