Category Archives: Twitter

About the Twitter diet spam

Quite many Twitter users have recently seen messages similar to this:

I lost my 15 pounds and my belly fat using free garcinia: http://womenshealth.com-ar1(.)info 🙂

This  diet spam campaign has been running for quite some time. If you are not familiar with the topic, please read this article  by Softpedia. Read also: Another day, another round of diet spam on Twitter by Graham Cluley.

This blog post contains some additional information.

Here is a list of domain names and links spammers have been using – note that the list is most likely not complete.

30-Jun update: it seems diet spammers are now also using hacked web-sites making it more difficult to spot and block the domains. Many hacked web-sites are using an old version WordPress. Most likely hackers have installed the malicious redirect-script by using a known vulnerability. List of spotted links can be found below (bold).

  • com-15.us, com-11.us, com-10.us, com-17.us, com-16.us, com-14.us
  • org-17.us, org-18.us, org-10.us, org-13.us, org-14.us
  • net-10.us, net-11.us, net-12.us, net-13.us, net-16.us, net-15.us
  • com-expo.in
  • com-mgc1.pw
  • com-wen.pw
  • com-ar1.info
  • com-ar2.info (28-Jun – including cnbc.com-ar2.info which is not diet related)
  • com-garcinia-diet.net
  • com-article-diet.net
  • com-articles-diet.net
  • com-gc.net
  • com-lifestyle-article.net
  • com-sat.pw
  • com-may.us, com-april.us, com-june.us
  • tumblrhealth.me
  • com-news-garcinia.net
  • com-c.pw (womenshealth.com-c.pw – reported as a web forgery)
  • com-0624.net (weightloss.com-0624.net)
  • com-06-24-12.net (loseweight.com-06-24-12.net)
  • net-2.us, net-18.us (28-Jun)
  • com-lot.pw (28-Jun)
  • com-indexrx.us (29-Jun)
  • com-mo.com (29-Jun – links appear to be broken)
  • toysoncam.com/pbdv.php (30-Jun – most likely a hacked site)
  • nameconnect.com/semk9.php (-,,-)
  • ericabodinepottery.com/7l2bv.php (-,,-)
  • tacticalgearmanufacturer.com/brlue.php (-,,-)
  • thoreast.com/gqhqc.php (-,,-)
  • tugbucket.net/qbgb.php (-,,-)
  • suttoncoldfieldconservativeclub.com/124e3.php (-,,-)
  • baliseawalker.com/c1g09.php (-,,-)
  • balirc.com/3d0f.php (-,,-)
  • bibliofreakblog.com/70nup.php (-,,-)
  • baliwatersport.com/3ojnp.php (-,,-)
  • obligationagent.com/9zkxe.php (-,,-)
  • primsydoodledesigns.net/8pk4l.php (-,,-)
  • annuaire4web.com/yuvdh.php (-,,-)
  • tolucabaseball.com/96pf6.php (-,,-)
  • barsoftball.com/hlf4w.php (-,,-)
  • mygoalfriend.com/v45z.php (-,,-)
  • stamfan.com/ip5mx.php (-,,-)
  • prestigeplus.rs/xtcdo.php (-,,-)
  • shetlandpeople.com/h2o9q.php (-,,-)
  • nexgen-capital.com/wosz5.php (-,,-)
  • psblog.org/ev8wh.php (-,,-)
  • radiointel.net/iav16.php (-,,-)
  • wp3theme.wpfeed.com/wp-content/plugins/zz53f.php (-,,-)
  • digisoft.nl/vijverbergers/z2kks.php (-,,-)

Spammers use sub-domains in order to fool users e.g. womenshealth (womenshealth.com-ar1.info), healthywomen (healthywomen.com-garcinia-diet.net), dieting.com-articles.net, loseweight.com-news-garcinia.net etc. Please note that womenshealth.com and healthywomen.com do not have anything to do with these spam domains. It is relatively easy to spot the spam if you pay attention to the full domain name.

(WOT) Web of Trust maintains a list of spam domain names. @JoshMeister has published a list of domains and links in his blog.

Other tricks

Spammers have also used other tricks such as open redirect vulnerabilities and Google search. More information in E hacking news. At least one open redirect vulnerability has not been fixed yet: wzus1.ask.com. In these cases the domain (e.g. http://ask.com/) is most likely not malicious. Spammers simply misuse a known vulnerability to get users to visit spam sites without realizing it – before it is too late. Example post:

open redirect Twitter spam example

The spam tweets or DMs may come from your followers, unknown persons or even from people you know. There are many “spam bot accounts” involved. But the most worrying part in this campaign is the hijacked user accounts. It is not clear how the accounts were compromised.

Twitter instructions for reporting spam: https://support.twitter.com/articles/64986-how-to-report-spam-on-twitter. Reporting account for spam could be difficult in case the tweet originates from a known person or a friend. It might be also ineffective: the account will not be suspended automatically.

On 26th of June CEO of Twitter, Mr. Dick Costolo (@dickc), reacted to user complaints on Twitter: “we are on it”. I have not yet seen any other public reactions or instructions from Twitter.

Similar spam campaigns

Facebook, Tumblr and Pinterest are also affected

Twitter is not alone with this problem. I have read about similar problems affecting Tumblr, Facebook and Pinterest. E.g. http://pinterest.com/kylef1337/wedding-photography/ – contains “wedding photography” with links to scam pages such as www(.)msnbc.msn.com-april.us (main domain name: com-april.us). This one: http://pinterest.com/source/sms.mojgrad.org/ uses another domain: sms.mojgrad.org which redirects users to http://www.womenshealthmag.com-may.us.

Here is an example spam post from Facebook:

diet spam - Facebook Example

Basic instructions

Affected users should change their passwords – yes, all of them – immediately. If that doesn’t stop the spamming, there could be some malicious 3rd party Twitter application involved. You can find instructions on how to revoke access or remove an application from here.

If your account was hacked and tweeted diet spam, it would be interesting to hear about your experiences.

Tagged , ,

Missing Twitter User

I try to follow the hacking scene also on Twitter. Example sources: Cyber War News (or CWN), E Hacking News and The Hacker News. Recently I noticed a Twitter user called @1923Turkz posting information about fake hacks. After my feedback, this user (and some others) got upset and posted some angry feedback and DMs.

But suddenly @1923Turkz was gone or to be more precise, apparently changed the Twitter screen name to “@IBH_CREW”:

@1923Turkz  – from Turkey according to the profile – was now suddenly pointing to completely different account. According to the profile, @IBH_CREW was from Iran, with zero tweets but over 23K of followers.  The account favorites-list suggested that only the account name was changed.

IBH_CREW profileNo magic tricks or l33t Twitter hacks – just a simple screen name change. But this morning IBH_CREW was gone and I could not find any tweets or users that would resemble the original @1923Turkz. Google search to the rescue! Search site:twitter.com @1923turkz – on page 2 I found a working link:

google-twitter-site-searchBut when I followed the link, there was yet another screen name: @TheEvil3st (from Russia…):

theevil3st-tweetNote that the URL still had the original screen name “1923Turkz”.

Luckily there is an easier way to keep track of Twitter accounts: the user ID. A quick look at the API revealed that it is possible to get both the user ID and the screen name using the “status” number (293156809957572610 in this case). Twitter API tells us that the tweet was posted by user nr #1043660580, currently using screen name @PakCyberEaglez (likely to change).

There is also an API for checking the User ID from screen name which in this case confirms that the ID is the same.

it seems Twitter mobile is updated a bit slower so I was able to pull out the tweet with current user information:

twitter-1923turkz-single-tweetUpdate 3

CWN has done some further investigations. The current screen name of @1923turkz is @kwgdeface, pretending to be a hacker group from Kosovo who also commented the issue:

The related Cyber War New posts are now tagged as “Fakers”.

According to other sources, one earlier name of this account was @officialHmei7:

Update 4 : yet another screen name change, now it is @ReZK2LL 

Update 5 : now the user ID resolves to @ChinaBlueArmy

Lesson learned? If you want to hide your Twitter account for some reason like identity crisis, it is better to delete the current account and create a new one. Screen name can be changed, but that has no affect on the user ID. Also, Twitter API is a nice tool.

The thing about lying is, it is quite exhausting – you have to remember a lot. – Rupert Everett

Tagged ,