Anatomy of a Twitter malware scam

When a funky Direct Message showed up in my inbox, I had to investigate -- and narrowly missed getting infected with malware. (Kids, don't try this at home.)

So I was innocently surfing the Interwebs a few weeks back, fighting for truth, privacy, and the Internet way, when I got an email alerting me to a direct message from a friend I hadn’t spoken to in years.

It was strange on several levels (and so is my friend – but I digress). The first strange bit was the message itself, which made no sense: “heh u didn’t see them tapping u.” OK, fine, whatever.

twitter dm spam1-450p.png

Strangeness no. 2: It showed an alleged Facebook link. Rolling over the link with my cursor showed a truncated URL using Twitter’s service at the bottom of my browser – which would be OK, except that the URL didn’t start with http or https.

Something smelled a little phishy to me. So, being stupid, I clicked on it. That took me to the following fake Facebook login page.

twitter dm spam2-facebook login-600p.png

Gee Toto, I don’t think we’re on Facebook anymore. The URL at the top of the screen leads to a subdomain at some site calling itself Immediately it becomes clear that whoever is running this scam a) isn’t very bright, and b) is hoping I am also not very bright.

OK, I thought, this is simple enough: It’s a phishing scam designed to steal my Facebook login credentials. So I entered some gibberish into both fields, just to see what would happen. (I told you I was stupid.) Here’s what came up next:

twitter dm spam3-driveby download-600p.png

So this was a faux Facebook page with a faux YouTube video embedded in it, which was really just a come-on for me to do a drive-by install of what would undoubtedly be some nasty bit of malware. At this point I stopped clicking.

Even I am not that stupid.

I give the spammers credit for attempting to make it look like a real Facebook page. But none of those ads on the side were live – they were just graphics. And “Youtube” is usually spelled with a capital T in the middle.

But I had to wonder: What the hell is a Twitterwink? So I visited that page and found this:

twitter dm spam4-twitterwink home page-600p.png

Yeah, I don’t know what that’s supposed to be, either. The site was registered to a “Jill Nelson” of “Beaverly Hills, CA.” But the real story was in where it was hosted:, a Russian Web host with a less-than-pristine reputation, to put it mildly, for hosting malware and other criminal activities.

By now, all of this is moot. The links to these sites are all dead; Twitterwink now just shows a blank page for 2x4. Either these guys got caught or, more likely, they moved on to new scams and new domains.

I warned my friend about the Twitter hijacking and, hopefully, he changed his password. But this is a particularly insidious scam because it comes via Twitter Direct Messages, which are likely to be more trusted by more people. And as I also got similar scam DMs via another Twitter handle I use, it’s safe to say this is hardly an isolated incident.

Today’s lesson? Always be wary of anything that looks a bit funky. Don’t automatically trust Twitter DMs, especially ones with links in them. Look closely at URLs whenever you do decide to click. And, above all, don’t be stupid. Unlike me.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

Now read this:

Facebook botnets have gone wild

Inside a Facebook botnet

When blonde zombies attack, Facebook responds (sort of)

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon