Twitter Sponsored Tweet System Used And Abused For Credit Card Phishing Scams

Twitter needs to get a handle on its Promoted Tweets feature and it needs to do it quickly. The problem has to do with vetting, or lack thereof. We don't know how widespread the problem is, but there is at least one Promoted Tweet going around that is nothing more than a phishing scam preying on the desire of Twitter users to have a verified account.

The microblogging service previously reserved verified accounts for Twitter users that it identified on its own as being worthy of such a badge, typically celebrities, famous athletes, popular media personalities, and other prominent users. A little over three months ago, Twitter went live with an online application process so that anyone could make a pitch as to why they should have a fancy blue checkmark on their profile. Twitter still makes the ultimate decision, but users can now apply for consideration.


A phishing scam making the rounds uses the name "Verified Accounts" under the handle @Verifed845 to spread a link that directs users to a deceitful website. The Twitter post says, "Get Verified. Go to [malicious link]" and contains a couple of telltale signs that something is amiss, the first of which is the typo in the Twitter handle. Should you miss that, you might be suspicious of the link, which is shortened with Google's URL shortening service rather than letting Twitter shorten what is supposedly (but really isn't) its own link.
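Both signs can be checked mechanically when reviewing an ad submission or triaging a reported tweet. The sketch below is an added example, not code from Twitter or Malwarebytes; the watch-list terms, the shortener host list, the edit-distance threshold and all function names are assumptions, and the link is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Assumed for illustration: watch-list terms, shortener hosts, threshold.
WATCHED_TERMS = ("support", "twitter", "verified")
THIRD_PARTY_SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "ow.ly"}
MAX_EDITS = 2


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def handle_flags(handle):
    """Flag a handle whose letters nearly spell a watched term."""
    raw = handle.lstrip("@").lower()
    letters = re.sub(r"[^a-z]", "", raw)  # ignore digits and underscores
    flags = []
    for term in WATCHED_TERMS:
        # The exact term is assumed to be the legitimate account, so skip it.
        if raw != term and edit_distance(letters, term) <= MAX_EDITS:
            flags.append(f"handle @{raw} resembles '{term}'")
    return flags


def url_flags(urls):
    """Flag links whose destination is hidden behind a third-party shortener."""
    flags = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in THIRD_PARTY_SHORTENERS:
            flags.append(f"link uses third-party shortener {host}")
    return flags


def review_promoted_tweet(handle, urls):
    return handle_flags(handle) + url_flags(urls)


if __name__ == "__main__":
    # Handle is the one named in the article; the link is a constructed placeholder.
    for flag in review_promoted_tweet("@Verifed845", ["https://goo.gl/PLACEHOLDER"]):
        print(flag)
```

A flag here is a reason to hold the tweet for manual review, not proof of fraud; short watch-list terms and a loose threshold will produce false positives.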

A person could be forgiven for missing those signs because the Twitter post isn't a regular tweet, but a promoted one that advertisers can buy to promote their product or service. In its rush to make a buck, Twitter failed to properly vet this particular tweet.

Indeed, the scheme is working, albeit in a limited capacity. Malwarebytes ran some analytics and found that over the course of 3 days, the link was clicked on by over 800 people, almost all of whom came from the sponsored post on Twitter. That's not many in the grand scheme of things, but it is still startling that Twitter could let something like this slip through.

Those who clicked on the link were directed to a website posing as a Twitter Verification application. There are fields to fill in your username, email address, company name, phone number, password, credit card details, and more.

Bottom line? Keep your head on a swivel, folks.