Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

TweetDeck Scammers Steal Twitter IDs Via OAuth

Users who give up their TweetDeck ID are promised 20 followers for free or 100 to 5,000 new followers a day for five days.

Scammers are abusing Twitter's TweetDeck tool as part of a scheme that has roped in thousands of Twitter users, according to Bitdefender.

The scammers, believed to be from Turkey, are profiting from users' desire to increase their Twitter following. In the past month, the scammers have registered dozens of sites dedicated to the scheme and promoted them through Twitter Trends.

On the site, the scammers ask the victims for a Twitter username and lure them with an offer to purchase new followers or get them for free. Those who click on the free option get 20 followers immediately. Those who pay the premium are promised 100 to 5,000 new followers a day for five days. To get the new followers, users must authorize the TweetDeck. In the process, the scammers make off with the users' authentication tokens and receive TweetDeck's permissions without the users' knowledge.

Bitdefender online threats researcher Andrei Serbanoiu says the scammers are using an old trick to abuse the Twitter OAuth standard in the application programming interface.

"OAuth is practically an authentication protocol that allows users to approve apps to act on their behalf without sharing their password," he says. With follower schemes, scammers hijack tokens by abusing this protocol that authenticates Twitter's legitimate app TweetDeck. Researchers have been issuing warnings for a while about this ability to craft special links that may open Twitter app authorization pages for legitimate apps.

"When hijacked, these requests specify the attacker's server as a callback URL, redirecting Twitter access tokens to the attackers' command and control center," Serbanoiu says. "Tokens may be as valuable as passwords and may be used to add Twitter clients to follower bots. Scammers may also post on their behalf, follow other accounts, and even read and send private messages."

Unlike other follower scams, this scheme actually does deliver additional followers -- something that has become a bit of a business. According to researchers at Barracuda Labs, the price for buying Twitter followers has dropped to $8 per 1,000 followers.

"One thing we have noticed is that fake Twitter accounts are better at disguising themselves to look more like real accounts," says Dr. Jason Ding, research scientist at Barracuda Labs. "They have begun to engage in conversations, retweet, comment, and favorite tweets in order to look like a real account. Additionally, we have seen the prices for fake Instagram followers and Facebook likes drop more than 30% in the last six months. We believe this indicated that the owners of these fake followers may have found some effective ways to easily create lots of fake followers and likes on these platforms."

To reduce the number of hijacked accounts, Serbanoiu says, Twitter has implemented two-factor authentication and started to educate the public better. "As other social media platforms, they try to cope with security issues on a regular basis. However, cyber criminals have a prosperous business to keep, so they continue to create new scams as fast as they are taken down."

Bitdefender advises users who were tricked in the scam to uninstall TweetDeck and reauthorize it, and run a security scan to check for malware on any devices they used to log into Twitter.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/9/2014 | 11:29:54 AM
Re: onliune jobs
@gev  We're keeping an eye on that, but if you ever see spammers feel free to drop us a line to point them out.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/9/2014 | 11:28:16 AM
Can't help myself...
Okay I know this is tangential, but I can't help but make a small gripe about how silly the marketing industry is getting. Advertisers are more likely to buy ads/sponsorships if a company has a bunch of Twitter followers, even if the company simply buys a bunch of "followers" that might not even be real people or people who are legitimately interested in the brand. 

A scam like this is easy because it feeds on this foolishness.
gev
50%
50%
gev,
User Rank: Moderator
6/9/2014 | 9:34:49 AM
Re: onliune jobs
While you highlight Tweeter security problems, scammers are posting their spam messages right here.

I have seen a lot of these spam posts on zdnet, but this site is about security, and yet the same spam messages appear here, at the dark reading :-(

Physician, heal thyself !
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
6/6/2014 | 5:26:29 PM
Valid vs Scam Tweet Deck users
How are we to discern between valid and scam tweetdeck requests? I am not as familiar with twitter. Or is tweetdeck in general the vulnerability? Either way, resintalling tweetdeck is definitely a good idea since it uses dual factor authentication even if you have not been exploited.
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.