Spam messages on Twitter promoting a weight loss pill or a dating site are common, but this Thursday hundreds of tweets flooded Twitter promoting a weight loss “miracle pill”.
The attack started at approximately 10pm UTC and initially showed up as regular users tweeting the message, “If I didn’t try this my life wouldn’t have changed.” The link was a carefully constructed URL made to appear as though it was a link for a women’s health website, while the actual URL led users to a spoof women’s health magazine site.
The spoof page appears to be a typical spam site meant to trick visitors into buying the product, but it is uncertain whether the site might also install malware or otherwise compromise the visitor’s machine.
Hundreds of Twitter Users Hacked
An early clue as to the source of the attack came from Dan Goodin of Ars Technica, who reported that nearly all of the earliest tweets were linked to the social network WeHeartIt.com. This indicated that the first compromised accounts might have come from the social network, but later tweets were also sent from other apps and services, so it wasn’t clear what directly caused the mass of hacked Twitter accounts. However, We Heart It President Dave Williams did inform Ars Technica that We Heart It had detected “malicious activity” on its network and was investigating the cause.
Within hours of the attack, Twitter flagged the link as potentially harmful, while at the same time We Heart It temporarily disabled all sign-in and sharing features via Twitter until the issue was identified and resolved.
The website link that readers were sent to was (hxxp://www.womenshealth.com-april22.us/miracle-garcinia), which parses out to the source website april22.us. The registered owner of that domain is a Jake Swagger of San Francisco, California. The fact that the name is not cloaked and easily identifiable through a simple Whois lookup implies that either the website itself was likely hacked or the registration information is fraudulent. MakeUseOf queried the contact email for the domain, and it bounced back as an invalid Yahoo account.
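The check below is an added example, not code from the article or from Twitter. It splits the defanged link on dots only, since a hyphen does not separate hostname labels, and reports the familiar-looking prefix that a label such as `com-april22` fakes. The function names, the short TLD sample and the last-two-labels shortcut are assumptions; a production check would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Small constructed sample of TLD strings that lookalike hosts embed; not a full list.
COMMON_TLDS = {"com", "net", "org", "co"}


def refang(url: str) -> str:
    """Undo analyst defanging (hxxp, [.]) so the URL can be parsed; it is never fetched."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def analyze_host(url: str) -> dict:
    """Split the host on dots only and report any label that fakes a domain ending."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    labels = host.split(".")
    result = {
        "host": host,
        # Naive guess (assumption): last two labels. Real code needs the Public Suffix List.
        "last_two_labels": ".".join(labels[-2:]),
        "decoy": None,
    }
    # Inspect every label except the first one and the real TLD at the end.
    for i, label in enumerate(labels[:-1]):
        head, sep, _tail = label.partition("-")
        if i > 0 and sep and head in COMMON_TLDS:
            # Everything up to the fake TLD is where the reader's eye stops.
            result["decoy"] = ".".join(labels[:i] + [head])
            break
    return result


if __name__ == "__main__":
    # Defanged URL as quoted in the article.
    sample = "hxxp://www.womenshealth.com-april22.us/miracle-garcinia"
    for key, value in analyze_host(sample).items():
        print(f"{key}: {value}")
```
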
This incident reveals the risk of connecting too many external accounts and services to accounts like Twitter and Facebook. Once one of those accounts is compromised, Facebook and Twitter passwords are also at risk.
Users who made use of We Heart It in the past should immediately change their passwords to protect against account hijacking and to prevent further spread of the attack.