Twitter Promoted a Tweet That Steals Your Credit-Card Details

One ever-so-helpful site promised to help users get Twitter verification—as soon as they phished out customers’ payment information.

Photo Illustration by Sarah Rogers/The Daily Beast

Twitter has its work cut out when trying to police its sprawling social network: Porn bots, propaganda trolls, and neo-Nazis plague the site every day. But in a novel case, cybercriminals recently leveraged Twitter’s “promoted tweet” feature to push a website designed to steal, funnily enough, a bevy of Twitter users’ personal data.

“Jesus Christ, Twitter is promoting a phishing site that claims to offer Twitter verification and asks for your Twitter password, phone number, and credit card information,” Mike Wehner, trending news editor from BGR, tweeted Sunday, along with a selection of screenshots of the offending site.

Customers have long been able to  pay Twitter to promote certain posts, and increase how many people see them. Marketers typically use the feature to boost their advertisements, giving them a further reach.

Judging by Wehner’s screenshots, the phishing site first presented a convincing looking, but fake, Twitter page that explained the merits of having an account verified—or certified as genuine by Twitter’s internal apparatus.

“Being verified is more than a cool badge on your profile, it signifies authenticity and ensures the community that you are an official account,” the page reads.

After providing some basic information, the site then asks for a user’s credit-card number, expiration date, security code, and billing address—likely enough information for a cybercriminal to then use those payment details elsewhere.

The site now appears to be inactive, only showing a default web server screen, and without any of the phishing content itself.

This specific scam isn’t a new problem. Cybersecurity firm MalwareBytes covered a similar tweet and phishing attempt back in October 2016. As MalwareBytes pointed out at the time, that phishing site even had HTTPS-enabled—marked by a distinctive green padlock in a visitor’s web browser—meaning some victims may have mistakenly thought the site was legitimate. Today, however, as it has become much easier, and cheaper, to load a website with HTTPS, that padlock is no longer a good indicator of whether a website is genuine or not.

Back in 2015, notorious troll and white supremacist Andrew ‘weev’ Auernheimer used Twitter’s promoted-tweets feature to spread two messages. A day later, Twitter blocked one of the tweets, citing a ban on ads that deal with violence, hate content, and sensitive topics, The Guardian reported at the time.  

We don’t comment on individual accounts for privacy and security reasons,” a Twitter spokesperson told The Daily Beast in an email, concerning the latest phishing attempt.

Twitter has since suspended the account.