One-Click Fraud for Smartphones Abuse Tweets

We have previously discussed how mobile users are led to Japanese one-click fraud by clicking on links in spam or through search results on the Web when performing these actions on smartphones. There is also a third vector that is being used these days: Tweets. Let’s discuss how scammers are utilizing the micro-blogging service to lure users to their trap.

Scammers take advantage of Tweets in a way that is similar to how they rely on Internet search engines—they create Tweets that include keywords in them. This is somewhat similar to how they design websites in order to gain visibility for their sites. In order for these sites to appear in search results, scammers need to make the effort to boost visibility, which is known as search engine optimization (SEO). But Tweets may require less effort by the scammers to get users to come across them: new Tweets should appear at the top in the search results list for the most recent Tweets. However, accounts engaging in automation, spam, and other violations of the Twitter Rules may be investigated for abuse.

Users are likely to find a malicious Tweet by searching for pornographic words, just like they can in websites searches. Below is a list of example Tweets leading to one particular fraudulent site. At the time of writing, there were 100 accounts tweeting around 300 Tweets with bad links every hour. When you discover a spam account you can report the @username for spam, and Twitter will review the account in question.

Twitter blocks suspected malware URLs and flags suspected harmful shortened URLs, in order to make Twitter more secure and prevent phishing and scams. But some users may be directed to sites such as the one below when clicking on the malicious links using smartphones. These sites typically inform users that they have completed registration for a paid video service and ask that payments be made. Information such as IP addresses, customer IDs, and browsers used to access the page are displayed to make the user believe that the site owner can track them down.

Note that when visiting the link using a computer, users would be redirected to a dating service website rather a one-click fraud site.

Let’s take a look at an example account. As you can see, the account has a lot of followers and it also follows many accounts.

You can see that this account is very active as well. It has posted similar Tweets repeatedly since being created in October of last year, which has amounted to over 14,000 Tweets.

As usage of smartphones continues to grow, scammers will continue to adjust to the trend and develop strategies on the mobile platform. Users need to be aware that smartphones are fast becoming as dangerous as computers and to be on alert for attacks such as these. Symantec works with Twitter to fight against these types of campaigns. While the operation for the Tweets mentioned in this blog has been shut down, users should treat anything suspicious they see on their smartphones in the same manner they would when using a computer. You can easily report spam to Twitter and keep your own account secure by following Twitter's Safe Tweeting tips.