How Twitter spam steals from Google, Yahoo!

Saturday, March 06, 2010

Chester Wisniewski

Reposted from: http://www.sophos.com/blogs/chetw/g/2010/03/06/twitter-spam-steals-google/

Scammers have been devising ways to ride on someone else's coattails since the dawn of time. With every new technology they find another way to make money from nothing. Today I am going to highlight a method that involves Twitter, Yahoo!, and Google AdSense.

I was innocently monitoring my Twitter feed last night when I saw someone tweet "Sophos acquires anti-spam specialist ActiveState.: An article from: Software Industry Report hxxp://censored". Interesting... I used to work at ActiveState and know we were acquired in 2003. Something was fishy.

Of course I have nothing better to do on Friday nights, so I decided to look into this a little deeper. First I looked into the profile of the person sending these tweets, and it immediately became obvious it was a Twitter bot of some sort. Picture of a sexy girl, profile name that sounded like a company, and real name of Jack Nellsan. 10,525 tweets as of today, all beginning February 4th. That's 376 tweets per day... an awful lot. Even more concerning is that nearly 1,300 people are following it.

Fortunately the site that all of its links point to does not contain malware. The links lead to a blog operating on WordPress using a plugin called Post to Twitter. That explains the very large number of tweets, as any post to the WordPress blog will auto-generate a tweet that looks legitimate. The next questions were: where was it getting the content, and why? It seemed unlikely someone was posting 376 articles every day in large bursts at 40-minute intervals.

From my research and analysis of the site contents, it became clear the site was automatically scraping posts and comments from Yahoo! Answers and merging them into WordPress. It appears that the content may be coming from a few other sites as well, but nearly all of it is from Yahoo!.

Why go to such elaborate measures? The site was created to generate traffic for Google AdSense. With more than 1,000 followers on Twitter and a little bit of SEO, you can generate a lot of traffic and a bit of cash. You could argue I am jealous of the followers (I only have 596), but the real reason I am writing this is to try and provide insight into the ease with which thieves can game the system.

There is no reason the operator of this site couldn't include other affiliate schemes, malware, or redirects to other pay-per-click services. Because of the legitimate appearance of the blog, users seeking answers they would find on Yahoo! Answers may visit these manipulated sites and contribute to the problem.

It's very important to scan all web content coming into your environment, and be skeptical of any links you find on social media sites. Help educate your users on the risks by downloading our free social media kit, the Sophos Threat Beaters toolkit. Oh, and if you use Twitter please follow me (@chetwisniewski). I hate the idea that evil robots are more popular than I am.

Update: Another person just appeared to me who is also trying to make some skin off of others' content on Twitter by posting shortened links to his own site (for SEO) and displaying Google Ads as an interstitial page before directing you to the real site. In this case, it is not criminal (no stolen content), just annoying and borderline unethical. Watch carefully for people who only tweet shortened links to their own site and are not known to you.
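The signals described in this post (a very high daily tweet count, bursts at fixed intervals, and every tweet linking to the same site) can be checked mechanically. The following is an added example, not code from the original post: the function names, thresholds, and both sample timelines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")

def profile_account(tweets, burst_gap_min=10, jitter_min=2):
    """tweets: list of (datetime, text). Returns automation indicators."""
    tweets = sorted(tweets)
    times = [ts for ts, _ in tweets]
    days = max((times[-1] - times[0]).total_seconds() / 86400, 1.0)
    hosts, with_link = Counter(), 0
    for _, text in tweets:
        urls = URL_RE.findall(text)
        with_link += bool(urls)
        hosts.update(urlparse(u).hostname for u in urls)
    top_share = max(hosts.values()) / sum(hosts.values()) if hosts else 0.0
    # A new burst starts whenever the gap to the previous tweet exceeds burst_gap_min.
    starts = [times[0]] + [b for a, b in zip(times, times[1:])
                           if b - a > timedelta(minutes=burst_gap_min)]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    med = median(gaps) if gaps else None
    # "Clockwork" means every burst-to-burst gap sits within jitter_min of the median.
    clockwork = len(gaps) >= 3 and all(abs(g - med) <= jitter_min for g in gaps)
    return {
        "tweets_per_day": len(tweets) / days,
        "link_ratio": with_link / len(tweets),
        "top_host_share": top_share,
        "burst_interval_min": med,
        "clockwork_bursts": clockwork,
    }

def looks_automated(p, max_per_day=100, min_ratio=0.9):
    # Thresholds are illustrative assumptions, not values from the post.
    return (p["tweets_per_day"] > max_per_day and p["link_ratio"] >= min_ratio
            and p["top_host_share"] >= min_ratio and p["clockwork_bursts"])

# Constructed sample data: a bot posting 10 links every 40 minutes for a day,
# and a person tweeting irregularly with an occasional link.
T0 = datetime(2010, 3, 5)
BOT = [(T0 + timedelta(minutes=40 * b, seconds=5 * i),
        f"Article {b}-{i} http://blog.example/?p={b * 10 + i}")
       for b in range(36) for i in range(10)]
HUMAN = [(T0 + timedelta(minutes=m), text) for m, text in [
    (0, "Morning all"), (95, "Good read: http://news.example/a"),
    (260, "Lunch"), (611, "Patch Tuesday notes http://vendor.example/b"),
    (1300, "Night")]]

if __name__ == "__main__":
    for name, tl in (("bot", BOT), ("human", HUMAN)):
        p = profile_account(tl)
        print(name, looks_automated(p), p)
```

Shortened links would need to be expanded before the host comparison, since a shortener hides the destination domain.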

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.