Attention Twitter users! Be on the lookout for a new spam campaign that claims you can hack your friend’s account.
Christopher Boyd, a malware intelligence analyst at Malwarebytes, explains in a blog post that the spam messages are redirecting would-be hackers on Twitter to visit the following website: hacktwitterpassword[dot]com.
Once the visitor enters a Twitter handle into the site, they are asked to help promote the service by sharing its website on their Facebook wall, liking both of its Facebook business pages, and sharing a promotional message on Facebook, Twitter, and WhatsApp.
“Hack any Twitter account with this awesome website (Y) working 100% I just hacked my friends account wow it worked for me thanks to [URL] Enjoy hacking”
The message won’t fit in a tweet, but it’ll work in a DM and countless other social media posts.
After “retrieving” the submitted Twitter handle’s corresponding password, the website generates a file named pass.txt.
But there’s a catch. Visitors to the site will not be allowed to read that file, which is almost undoubtedly NOT someone’s hacked Twitter password, until they choose to complete a survey.
There are so many things wrong with this spam campaign.
First, a Twitter user has no business looking for ways to compromise other people’s accounts.
Second, that aspiring bad actor makes the mistake of placing their trust in a questionable website, where they decide to fill out forms, click on links, download files to their computer, and in some cases even enter login credentials for their own account. Bad idea, especially if they are attempting to compromise someone’s account and not get compromised themselves!
Boyd explains that scams have disguised themselves as ways to hack social media accounts in the past, knowing there is an eager audience keen to learn how to do it:
“Hack social media account x” websites have been around for a long time, and consistently fail to pony up the (stolen) goods. Don’t waste your time adding a few cents a pop into the pockets of somebody trying to get rich quick. At best, you’ll have wasted your time and lost a few friends due to spamming them with nonsense; at worst, you’ll have lost your account and / or have handed over your personal details to spammers, alongside installing programs you didn’t actually want.”
If you come across a message belonging to this spam campaign, hover your cursor over the tweet in question, click on the three circles displayed horizontally towards the bottom of the tweet, and report the message to Twitter’s anti-spam center.
Additionally, make sure you stay on the lookout for these other Twitter spam campaigns.
I'm almost inclined to say they deserve it (unless they were compromised first even if by foolishly sharing their password with someone). If this did not involve spamming I would say it serves them right. Certainly they aren't a good friend and it seems to me they don't have a (completely?) working moral compass. If their 'friend' finds out it will do the friend some potential harm (presumably) but it would do this bad actor some good – by teaching them a lesson the hard way (assuming they will actually take it to heart).
One thing that these types of campaigns reveal (and everyone should remember this): no matter how many people you think will not try to harm you there will always be some who will (and they need not be friends) – possibly including those you trusted (and would have defended them if someone made such an accusation against them). It might be a harsh reality but it is still reality (the problem being mankind).