Cyber criminals use promoted tweets to steal credit card details
31 October 2016
Cyber criminals are using promoted tweets to trick users into handing over their credit card details, according to security experts.
Researchers from Malwarebytes spotted the scheme, which takes advantage of the social network's advertising system to appear more legitimate to its victims.
Late last week, they observed a promoted tweet from an account designed to look like Twitter's own, purporting to offer users the chance to become verified.
However, the included shortened link, which was clicked by more than 800 people, led to a phishing site that asked them for their personal information.
After handing over their usernames, email addresses, company names, phone numbers and passwords, users were then asked for their card details.
“At the point where the site is asking for payment information, our browser flags the page as containing content which is not secure, which may help to steer at least a few victims away from disaster,” wrote Malwarebytes’ Christopher Boyd in a blog post.
“Things aren’t going to plan for Twitter right now, and the last thing the service needs is a bunch of phishing links served up via sponsored tweets.
“Whether links you see on Twitter are served up by friends, strangers or even sponsored content placed there via Twitter itself, never take them for granted.
“The moment you see a site asking for login credentials and/or payment information, think very carefully about your next move.
“‘Trust, but verify’ has never seemed quite so relevant.”
Boyd noted that while many malicious sites immediately trigger browser warnings, the fake Twitter verification site was delivered over an HTTPS connection.
The scam is similar to one that Tinder users were warned about back in July.
Spam bots on the service attempted to convince users to “verify” their accounts on rogue websites that actually signed them up for pricey subscription services.
For more on the threat, see the Malwarebytes blog.