Spammers play dirty – hijack Twitter accounts once again

Graham Cluley

Spammers are up to their dirty tricks once again on Twitter, using compromised accounts to send direct messages to unsuspecting users of the micro-blogging network.

A number of Twitter users are reporting receiving private direct messages (known as “DMs” in Twitter-parlance) from friends and acquaintances on the Twitter system. Example messages include the following:

lol it's amazing. look and feel great with [link removed]

whoa this works. i feel good and look good. [link removed]


Clicking on the links takes you to a website offering a colon cleansing solution, which apparently can help you shed pounds:

[Screenshot: Clean Colon webpage]

If you scroll down the webpage you are offered testimonials and promotional videos, promoting the wonders of having your colon cleansed by the company’s miracle product.

[Screenshot: Clean Colon webpage asking for personal information]

It’s possible that the spammers are affiliates of the website, skimming money off the top – the more people they get to visit the site and enter their personal information, the more commission they will earn.

But you should still be thinking twice about offering your name, address, telephone number, email contact and credit card details to these guys, however much you want to lose weight by cleaning out your colon.

But because these messages are sent to you via Twitter from a friend’s account you may well be more open to trying out the product, or at least clicking on the link. It’s a confidence trick, of course, and one which the spammers love to exploit.

So, what should you do if you find your Twitter account has been sending out messages like this?

1. Change your Twitter password – immediately. If messages are being sent from your account it means hackers can also access your details and read your past messages (including private ones). Oh, and make sure you choose a sensible non-dictionary password that’s hard to guess.

[Video: Simple tips for better web password security from SophosLabs on Vimeo.]

2. Do you use your Twitter password on any other websites? Tut tut. Some 33% of people use the same password on every website they access. That means if hackers work out your password on one site, they can use it to open other website accounts you own too (think of your Hotmail, Gmail, PayPal accounts, etc).

3. Scan your computer with anti-virus software just in case you have malware on it. It’s possible keylogging spyware grabbed your password as you typed it in.

4. Never ever enter your Twitter password on any third-party websites. They could either be run by bad guys or, simply, be not properly secured. Either way, why risk giving them your Twitter password? Third party websites that work alongside Twitter and take security seriously won’t need your password, they’ll use OAuth instead. Learn about Twitter and OAuth here.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
