Add this to the pile of bad Twitter news of late. The beleaguered social network has allowed scammers to buy a promoted tweet (essentially a Twitter ad) that leads readers to a phishing scam to harvest their personal information. The irony: The sham tweet masquerades as a legitimate message from Twitter itself. Security company Malwarebytes spotted and analyzed the exploit, which purports to be a message from Twitter encouraging people to apply for verified accounts.
Once reserved for the internet famous, verified accounts were opened up to all users in July, allowing them to apply for that official checkmark confirming that they are who they say they are.
One source of confusion is that an account's display name can be very different from its handle; there are many parody accounts of Donald Trump, for instance. In this scam, the message came from an account named “Verified Accounts” with a blue-and-white icon featuring the familiar Twitter bird, but it was tied to the not-so-official-looking handle @Verified845. “Get verified,” it says, followed by a shortened URL that leads to a bogus Twitter page asking for a pile of information, including credit card number, expiry date, security code, name, billing address, and contact email.
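The display-name-versus-handle mismatch and the shortened link are the two tells the article describes. The following is an added example (not code from the article or from Malwarebytes) of a simple triage heuristic that flags promoted tweets showing those tells; the allowlist of official handles and the shortener list are constructed assumptions, as is the sample tweet.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: only these handles may legitimately speak for the platform
# (constructed allowlist; replace with the platform's real official accounts).
OFFICIAL_HANDLES = {"twitter", "verified", "twittersupport"}

# Display-name words that imply the account is the platform itself.
BRAND_WORDS = {"twitter", "verified", "verification"}

# Constructed list of public shorteners that hide the real destination.
# Twitter's own t.co wrapper is deliberately excluded: it wraps every link.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}


@dataclass
class Tweet:
    display_name: str
    handle: str        # without the leading '@'
    text: str
    promoted: bool = False


def _links(text):
    """Extract http(s) URLs from the tweet body."""
    return re.findall(r"https?://\S+", text)


def impersonation_flags(tweet):
    """Return the reasons a tweet looks like brand impersonation (empty if clean)."""
    flags = []
    name_words = set(re.findall(r"[a-z]+", tweet.display_name.lower()))
    if name_words & BRAND_WORDS and tweet.handle.lower() not in OFFICIAL_HANDLES:
        flags.append("brand name on non-official handle")
    for link in _links(tweet.text):
        host = urlparse(link).netloc.lower()
        if host in SHORTENER_DOMAINS:
            flags.append(f"shortened link hides destination: {host}")
    if tweet.promoted and flags:
        flags.append("promoted placement lends false legitimacy")
    return flags


if __name__ == "__main__":
    # Constructed sample modelled on the scam described above.
    sample = Tweet("Verified Accounts", "Verified845",
                   "Get verified https://bit.ly/example", promoted=True)
    print(impersonation_flags(sample))
```

The heuristic is meant for ad-review or abuse-report triage, not as a blocker on its own: a legitimate partner account can trip the name check, so flagged tweets should go to a human.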
The damage wasn’t too bad. Just 812 people (534 from the U.S.) clicked the link between Friday and Monday morning, according to Malwarebytes, and it’s not clear how many of them handed their information to the scammers. But it’s embarrassing for Twitter and highlights the danger of its paid promotion for tweets. Not that Twitter is unique: ads and promoted content on all kinds of websites have long been a source of bogus links, often to malware-hosting sites. Those usually come from giant automated ad networks that the sites don’t directly control. The difference here: this goof happened in Twitter’s own ad program.