Skip to content

I Sent You a Spam DM on Twitter

This morning, I received a SPAM direct message on Twitter, and of course, I thought that the person’s account had been somehow compromised, and as usual, I sent a small tweet saying, “Your account has been compromised, you might have to change your password”.  An instant later, I received a tweet from the same person, saying that he actually received multiple DMs from his followers including me, with the same or similar links. 

As a usual procedure, I checked my account, changed my password, checked my phone for some login text from tweeter, and looked if these messages appeared in my DM list.  My phone had not received any login text from twitter, and I had not send any DM to anybody. The only possibility left, “There is a way to sp00f messages from your followers”.

By curiosity, I decided to look the purpose of the link,  and without opening the DM, I copied the link into VMware, and opened it in my “lab” virtual machine, and this is what I found out :


Analysis :

I started by opening the link in firefox and was redirected to a “Financial Website”.

Financial Spoofing website

Financial Spoofing website

At first sight, the website, could have looked legit, however, there had been multiple redirection before I landed onto that page. The link received in the direct message, was supposed to be a website hosted by OVH, selling mechanical solutions. The information about the website was obtained via netcraft.

Netcraft Infos

Netcraft Infos

Following these informations, OVH was contacted,  to let them know that one of their client’s website had been compromised., hoping they would contact them, and let them know that their website had been partially deleted and modified, for malicious purposes.

To have an idea how the redirection was made, I downloaded the “Request Policy” add on for Firefox. Allowing me to avoid being redirected when visiting the link embedded in the the Direct Message.

In the sources, the following script was found :

The script, is easy to understand, there are four URLs that are chosen randomly, and the user is then redirected following the one picked by the script, this page, then again redirects the user to the last page (the fake financial website). Although, in between a fourth page is loaded forcing the user to visit a page generating revenues. The same technique is used for every links the “financial website” contains.

I am thus guessing that the only purpose of theses DMs SPAM are to generate money, from the clicks, although, I have not been able to reproduce the “spoof messages” techniques that was used to send DMs to my followers.

A brief conclusion:

  • Do not click on links send by DM messages on Twitter, Facebook.
  • Change your password if you did (you never know).
  • Run an antivirus on your computer as prevention.

Twitters accounts have been massively hacked lately,  Twitter must be investigating at the moment how DM are spoofed.

Post a Comment

Your email is never published nor shared. Required fields are marked *