03:30 PM

TweetDeck Scammers Steal Twitter IDs Via OAuth

Users who give up their TweetDeck ID are promised 20 followers for free or 100 to 5,000 new followers a day for five days.

Scammers are abusing Twitter's TweetDeck tool as part of a scheme that has roped in thousands of Twitter users, according to Bitdefender.

The scammers, believed to be from Turkey, are profiting from users' desire to increase their Twitter following. In the past month, the scammers have registered dozens of sites dedicated to the scheme and promoted them through Twitter Trends.

On the site, the scammers ask the victims for a Twitter username and lure them with an offer to purchase new followers or get them for free. Those who click on the free option get 20 followers immediately. Those who pay the premium are promised 100 to 5,000 new followers a day for five days. To get the new followers, users must authorize the TweetDeck. In the process, the scammers make off with the users' authentication tokens and receive TweetDeck's permissions without the users' knowledge.

Bitdefender online threats researcher Andrei Serbanoiu says the scammers are using an old trick to abuse the Twitter OAuth standard in the application programming interface.

"OAuth is practically an authentication protocol that allows users to approve apps to act on their behalf without sharing their password," he says. With follower schemes, scammers hijack tokens by abusing this protocol that authenticates Twitter's legitimate app TweetDeck. Researchers have been issuing warnings for a while about this ability to craft special links that may open Twitter app authorization pages for legitimate apps.

"When hijacked, these requests specify the attacker's server as a callback URL, redirecting Twitter access tokens to the attackers' command and control center," Serbanoiu says. "Tokens may be as valuable as passwords and may be used to add Twitter clients to follower bots. Scammers may also post on their behalf, follow other accounts, and even read and send private messages."

Unlike other follower scams, this scheme actually does deliver additional followers -- something that has become a bit of a business. According to researchers at Barracuda Labs, the price for buying Twitter followers has dropped to $8 per 1,000 followers.

"One thing we have noticed is that fake Twitter accounts are better at disguising themselves to look more like real accounts," says Dr. Jason Ding, research scientist at Barracuda Labs. "They have begun to engage in conversations, retweet, comment, and favorite tweets in order to look like a real account. Additionally, we have seen the prices for fake Instagram followers and Facebook likes drop more than 30% in the last six months. We believe this indicated that the owners of these fake followers may have found some effective ways to easily create lots of fake followers and likes on these platforms."

To reduce the number of hijacked accounts, Serbanoiu says, Twitter has implemented two-factor authentication and started to educate the public better. "As other social media platforms, they try to cope with security issues on a regular basis. However, cyber criminals have a prosperous business to keep, so they continue to create new scams as fast as they are taken down."

Bitdefender advises users who were tricked in the scam to uninstall TweetDeck and reauthorize it, and run a security scan to check for malware on any devices they used to log into Twitter.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sara Peters
Sara Peters,
User Rank: Author
6/9/2014 | 11:29:54 AM
Re: onliune jobs
@gev  We're keeping an eye on that, but if you ever see spammers feel free to drop us a line to point them out.
Sara Peters
Sara Peters,
User Rank: Author
6/9/2014 | 11:28:16 AM
Can't help myself...
Okay I know this is tangential, but I can't help but make a small gripe about how silly the marketing industry is getting. Advertisers are more likely to buy ads/sponsorships if a company has a bunch of Twitter followers, even if the company simply buys a bunch of "followers" that might not even be real people or people who are legitimately interested in the brand. 

A scam like this is easy because it feeds on this foolishness.
User Rank: Moderator
6/9/2014 | 9:34:49 AM
Re: onliune jobs
While you highlight Tweeter security problems, scammers are posting their spam messages right here.

I have seen a lot of these spam posts on zdnet, but this site is about security, and yet the same spam messages appear here, at the dark reading :-(

Physician, heal thyself !
User Rank: Ninja
6/6/2014 | 5:26:29 PM
Valid vs Scam Tweet Deck users
How are we to discern between valid and scam tweetdeck requests? I am not as familiar with twitter. Or is tweetdeck in general the vulnerability? Either way, resintalling tweetdeck is definitely a good idea since it uses dual factor authentication even if you have not been exploited.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 21335999.

Published: 2015-10-06
Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove stored SMS messages via a crafted application, aka internal bug 22343270.

Published: 2015-10-06
mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22954006.

Published: 2015-10-06
The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23050463.

Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 23213430.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.