# Twitter scam exploits users' lack of Internet savvy



## Glaswegian (Sep 16, 2005)

Security firm Sophos is warning that a new scam is spreading virally on Twitter and a significant number of people have already fallen for it.

The Online Timer scam claims to measure how long users have spent on the Twitter website. It spreads via seemingly innocuous Twitter messages along the lines of "I have spent 30 days, 14 hours on Twitter. How much have you? Find out here", followed by a shortened link to a malicious website.

Anybody who clicks the link is directed to a website that requests to connect to the user's Twitter account in order to measure their usage. However, the first thing it actually does is post the same message in the user's feed, this time with a different and seemingly random time measurement but with the same link.

Oblivious to this happening, the user is rewarded with a pop-up window that claims to show how many views the user's account has had. Again, the number appears to be random. As the main payload, a pop-up window then appears offering an IQ test, which it claims the user must complete to defeat spam and "verify you are not a bot". Upon completion of the survey, users are asked to enter their mobile phone number to receive further questions, although the small print says that users will be sent four text messages a week at a cost of $2 each.
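The tell-tale signature described above is that every victim's feed repeats the same template with only the "random" numbers changed, all pointing at one shortened link. The following is an added example (not from the article or Sophos) of a simple campaign-detection heuristic that normalises the numbers out of each tweet, groups by template and shortened link, and flags any pair seen from several distinct accounts; the tweets, usernames and link are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample tweets (not real data) modelling the Online Timer scam:
# one shortened link, text varying only in the "random" time figures.
SAMPLE_TWEETS = [
    {"user": "alice", "text": "I have spent 30 days, 14 hours on Twitter. How much have you? Find out here http://bit.ly/abc123"},
    {"user": "bob",   "text": "I have spent 12 days, 3 hours on Twitter. How much have you? Find out here http://bit.ly/abc123"},
    {"user": "carol", "text": "I have spent 45 days, 21 hours on Twitter. How much have you? Find out here http://bit.ly/abc123"},
    {"user": "dave",  "text": "I have spent 7 days, 9 hours on Twitter. How much have you? Find out here http://bit.ly/abc123"},
    {"user": "erin",  "text": "Great talk today, slides at http://bit.ly/slides9"},   # benign, single author
    {"user": "frank", "text": "Lunch at the usual place, 12:30"},                    # no link at all
]

# Hosts treated as URL shorteners (assumed list; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*")


def normalize(text):
    """Drop URLs and collapse every digit run to '#', so tweets that differ
    only in the scam's randomised numbers map to the same template."""
    without_urls = URL_RE.sub("", text)
    return re.sub(r"\d+", "#", without_urls).strip().lower()


def shortened_links(text):
    """Return the URLs in text whose host is a known shortener."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if m.group(1).lower() in SHORTENER_HOSTS]


def find_viral_campaigns(tweets, min_authors=3):
    """Map (template, shortened link) -> set of posting accounts, keeping only
    pairs posted by at least min_authors distinct users. A normal link shared
    by one person never qualifies; the scam's mass repost does."""
    seen = defaultdict(set)
    for tweet in tweets:
        for link in shortened_links(tweet["text"]):
            seen[(normalize(tweet["text"]), link)].add(tweet["user"])
    return {key: users for key, users in seen.items() if len(users) >= min_authors}


if __name__ == "__main__":
    for (template, link), users in find_viral_campaigns(SAMPLE_TWEETS).items():
        print(f"{len(users)} accounts posted '{template}' -> {link}")
```

In a real feed the same grouping can key on the expanded destination of the shortened link instead, since a campaign may rotate shortener aliases while keeping one landing page.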

It's a clever scam that tiptoes effectively through the minefield of credulity. It's not hard to see why people would fall for it, although it's good to see that the savvy and urbane "Twitterites" perhaps aren't that much brighter than the grass-grazing Facebook multitude.

I've always had a quiet admiration for malware writers who manage to succeed. A good attack vector is a piece of pure wit, like a good joke; it manages to bypass our defenses and draw us in. Of course, if the malware is destructively malicious rather than just annoying then my admiration is a little tempered.

The new Twitter malware follows a scam that works in a similar way, except offering a survey rather than a quiz. Another similar scam claimed to show who was stalking individuals. It's obvious that the same organisation is behind each of the attacks.

In many ways, it's surprising it's taken so long for Twitter to be targeted like this. Because of the requirement to stick to 140 characters in each message, most people use URL shortening services. This leaves those clicking the link with absolutely no idea where they're going to end up (and most of us have learned to keep one eye on the status bar whenever we hover over any link).

Twitter is trying to combat this with its t.co service, which claims to be safer. This checks URLs against a list of known malicious sites, and the full URL appears in tweeted messages. However, t.co is clumsy and confusing to use. To generate a link, you have to precede the original link in your browser bar with http://twitter.com/share?url= for example, and it currently doesn't provide metrics to end users (that is, a measure of how many people have clicked the link). Thus, many people stick with rival services bit.ly and goo.gl, the latter being offered by Google. It's possible to wrap a bit.ly or goo.gl link in a t.co link, but then the process of making a quick tweet becomes annoyingly protracted.

Additionally, Twitter relies on users to verify the authenticity of sites that want to "connect" to a user's account. As is becoming clear, users simply aren't scrupulous enough. Many simply don't care. On both Facebook and Twitter, users are encouraged to allow connections from trivial sites and applications as part of day-to-day use.


Continued here: Twitter scam exploits users' lack of Internet savvy - Feature - Techworld.com
