Twitter DM spam/malware

Published: 2013-09-30
Last Updated: 2013-10-01 12:55:35 UTC
by Adrien de Beaupre (Version: 1)
7 comment(s)

There has been a recent spate of Twitter accounts sending Direct Messages (DMs) to others that are either spam or link to malware through shortened URLs. In some cases the accounts sending the DMs may have been compromised through weak passwords, a malware infestation on the user's computer, or a third-party application not playing nice. Rumours of Twitter having been hacked are also being passed around; I haven't seen any evidence either way. If you have been a victim of your Twitter account tweeting or sending DMs without your approval, let us know through our contact us page or the comments below. If you have a DM from someone that appears to be spam or has a suspicious link in it, please do pass it along.

Let's be careful out there!

Adrien de Beaupré Inc.

Keywords: dm malware spam twitter


I received a DM from a Twitter account with the following link:

I never clicked on it though, so I don't know where it goes.
Received two different DMs over the last few days. Here are the links, neither of which were clicked.

I've had a total of 5 @DM messages from 3 other Twitter users since 9/24. All go to links that are inactive. The most recent one was this morning. My youngest son's account sent a link, by the time he reported it to me, Twitter had already removed the link and taken the message out of my Twitter feed. I still had a copy on my mobile. Most likely hack in his case was a weak password. Account was largely unused.
I had my Twitter account tampered with recently. I was apparently sending out DMs for one of those work-at-home scams. Not sure how they got in, but I changed my password and have been fine since. It's quite sad that Twitter has no mechanism to prevent foreign IPs from logging into your account.
Here's the link I got via DM from a friend who the next day noted his account had been compromised somehow:
So far I've only received one. I had a chat with the user and we're neither of us sure how the compromise occurred. The link redirects to something that is supposed to resemble a news article and is clearly templatized somehow. By visiting it from different IPs the final page was customized for geolocation.
I received the following three links from two people I personally know via Twitter:
