Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

TweetDeck Scammers Steal Twitter IDs Via OAuth

Users who give up their TweetDeck ID are promised 20 followers for free or 100 to 5,000 new followers a day for five days.

Scammers are abusing Twitter's TweetDeck tool as part of a scheme that has roped in thousands of Twitter users, according to Bitdefender.

The scammers, believed to be from Turkey, are profiting from users' desire to increase their Twitter following. In the past month, the scammers have registered dozens of sites dedicated to the scheme and promoted them through Twitter Trends.

On the site, the scammers ask the victims for a Twitter username and lure them with an offer to purchase new followers or get them for free. Those who click on the free option get 20 followers immediately. Those who pay the premium are promised 100 to 5,000 new followers a day for five days. To get the new followers, users must authorize the TweetDeck. In the process, the scammers make off with the users' authentication tokens and receive TweetDeck's permissions without the users' knowledge.

Bitdefender online threats researcher Andrei Serbanoiu says the scammers are using an old trick to abuse the Twitter OAuth standard in the application programming interface.

"OAuth is practically an authentication protocol that allows users to approve apps to act on their behalf without sharing their password," he says. With follower schemes, scammers hijack tokens by abusing this protocol that authenticates Twitter's legitimate app TweetDeck. Researchers have been issuing warnings for a while about this ability to craft special links that may open Twitter app authorization pages for legitimate apps.

"When hijacked, these requests specify the attacker's server as a callback URL, redirecting Twitter access tokens to the attackers' command and control center," Serbanoiu says. "Tokens may be as valuable as passwords and may be used to add Twitter clients to follower bots. Scammers may also post on their behalf, follow other accounts, and even read and send private messages."

Unlike other follower scams, this scheme actually does deliver additional followers -- something that has become a bit of a business. According to researchers at Barracuda Labs, the price for buying Twitter followers has dropped to $8 per 1,000 followers.

"One thing we have noticed is that fake Twitter accounts are better at disguising themselves to look more like real accounts," says Dr. Jason Ding, research scientist at Barracuda Labs. "They have begun to engage in conversations, retweet, comment, and favorite tweets in order to look like a real account. Additionally, we have seen the prices for fake Instagram followers and Facebook likes drop more than 30% in the last six months. We believe this indicated that the owners of these fake followers may have found some effective ways to easily create lots of fake followers and likes on these platforms."

To reduce the number of hijacked accounts, Serbanoiu says, Twitter has implemented two-factor authentication and started to educate the public better. "As other social media platforms, they try to cope with security issues on a regular basis. However, cyber criminals have a prosperous business to keep, so they continue to create new scams as fast as they are taken down."

Bitdefender advises users who were tricked in the scam to uninstall TweetDeck and reauthorize it, and run a security scan to check for malware on any devices they used to log into Twitter.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/9/2014 | 11:29:54 AM
Re: onliune jobs
@gev  We're keeping an eye on that, but if you ever see spammers feel free to drop us a line to point them out.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/9/2014 | 11:28:16 AM
Can't help myself...
Okay I know this is tangential, but I can't help but make a small gripe about how silly the marketing industry is getting. Advertisers are more likely to buy ads/sponsorships if a company has a bunch of Twitter followers, even if the company simply buys a bunch of "followers" that might not even be real people or people who are legitimately interested in the brand. 

A scam like this is easy because it feeds on this foolishness.
gev
50%
50%
gev,
User Rank: Moderator
6/9/2014 | 9:34:49 AM
Re: onliune jobs
While you highlight Tweeter security problems, scammers are posting their spam messages right here.

I have seen a lot of these spam posts on zdnet, but this site is about security, and yet the same spam messages appear here, at the dark reading :-(

Physician, heal thyself !
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
6/6/2014 | 5:26:29 PM
Valid vs Scam Tweet Deck users
How are we to discern between valid and scam tweetdeck requests? I am not as familiar with twitter. Or is tweetdeck in general the vulnerability? Either way, resintalling tweetdeck is definitely a good idea since it uses dual factor authentication even if you have not been exploited.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...