Twitter Spam: Compromised Accounts and Websites Lead to Diet Spam

Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.

Figure 1. Twitter miracle diet spam

Déjà vu
Diet spam is quite common and can be found on various social networking sites, and Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.

Figure 2. Fake promotional page used by spammers in this campaign

Notable accounts compromised
In the latest spam campaign, accounts belonging to athletes, politicians, television producers, bloggers, comedians and other public figures were compromised, which helped extend the spammers’ reach exponentially to hundreds of thousands of followers.

Figure 3. Compromised accounts of two public figures

Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly.com.

Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts included Jamie Eason, known simply as the World’s Fittest Model. By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product.

While some of these notable figures simply removed the spam tweets, others were transparent enough to admit that their accounts were compromised:

Compromised websites
What makes this particular spam campaign stand out from others we’ve seen in the past is that the spammers have compromised a large number of websites that are being used to redirect people to their miracle diet promotional pages.

Figure 4. Compromised website running an unsupported version of Joomla

The compromised websites we found are running older versions of the content management system Joomla, specifically version 1.5, which stopped receiving support from the developers back in September 2012.

Figure 5. Spam link reveals vulnerable Joomla extension

It would also appear that the spammers have targeted a vulnerability within the jNews Joomla extension. We have reached out to a number of the sites to inform them that they have been compromised.

Connection to Pinterest spam
Last week, TechCrunch published an article about spam on Pinterest. One of their co-editor’s accounts was compromised and used to pin weight loss photos. Based on our research, the image descriptions and the compromised sites acting as redirects resemble those used in the Twitter campaign, so we believe that both campaigns are connected to the same spammers.

Figure 6. TechCrunch co-editor’s compromised Pinterest account

Conclusion
Diet spam is here to stay, and social networks remain the perfect place for spammers to try to make money off unsuspecting users. While it is still unclear how the spammers compromised these Twitter accounts, Symantec Security Response advises users to follow these steps to secure their accounts. Website owners should run the most recent version of their content management system, apply all security patches, keep extensions up to date, and review the directory permissions on their Web servers.
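The two website-side weaknesses described above (an end-of-life Joomla core and loose directory permissions) can be checked from the document root before a site ends up as a spam redirect. The script below is an added example, not Symantec’s or Joomla’s code. It assumes the layout Joomla uses for its version file (libraries/joomla/version.php for the 1.5 branch, libraries/cms/version/version.php for later branches) and flags the 1.5 branch named in the post as unsupported; the sample install it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit a Joomla document root for an unsupported core release and
world-writable directories (added example; assumptions noted inline)."""
import os
import re
import stat
import tempfile

# Assumed locations of the core version file (later branches first).
VERSION_FILES = (
    "libraries/cms/version/version.php",  # Joomla 2.5 / 3.x
    "libraries/joomla/version.php",       # Joomla 1.5
)

# Branch the post identifies as unsupported since September 2012; extend
# this set from joomla.org's release-lifecycle list as branches retire.
UNSUPPORTED_BRANCHES = {"1.5"}

RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'([0-9.]+)'")
DEV_LEVEL_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'([^']*)'")


def parse_version(php_source):
    """Return (release, dev_level) from a Joomla version.php body, or None."""
    rel = RELEASE_RE.search(php_source)
    if not rel:
        return None
    dev = DEV_LEVEL_RE.search(php_source)
    return rel.group(1), (dev.group(1) if dev else "")


def read_version(webroot):
    """Locate the version file under webroot and parse it."""
    for rel_path in VERSION_FILES:
        path = os.path.join(webroot, rel_path)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return parse_version(fh.read())
    return None


def world_writable_dirs(webroot):
    """Return directories (relative to webroot) that any local user can write to."""
    hits = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def audit(webroot):
    """Return a dict of findings for the given document root."""
    version = read_version(webroot)
    release = version[0] if version else None
    return {
        "release": release,
        "dev_level": version[1] if version else None,
        "unsupported": (release in UNSUPPORTED_BRANCHES) if release else None,
        "world_writable": world_writable_dirs(webroot),
    }


# Constructed sample mimicking the version file of a Joomla 1.5.26 install.
SAMPLE_VERSION_PHP = """<?php
class JVersion {
    var $PRODUCT = 'Joomla!';
    var $RELEASE = '1.5';
    var $DEV_LEVEL = '26';
}
"""


def build_sample_root():
    """Create a throwaway webroot with the sample version file and a 0777 'tmp' dir."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    os.makedirs(os.path.join(root, "libraries", "joomla"))
    with open(os.path.join(root, "libraries", "joomla", "version.php"), "w") as fh:
        fh.write(SAMPLE_VERSION_PHP)
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o777)  # the misconfiguration to catch
    return root


if __name__ == "__main__":
    findings = audit(build_sample_root())
    print("Joomla %s.%s" % (findings["release"], findings["dev_level"]))
    if findings["unsupported"]:
        print("  core branch is unsupported: upgrade before anything else")
    for d in findings["world_writable"]:
        print("  world-writable directory:", d)
```

Point `audit()` at a real document root to get the same findings for a live site; extension checks (such as the jNews version) would need their own manifest parsing, which this example does not attempt.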

We are continuing to monitor this campaign and have reached out to both Twitter and Bitly to provide assistance.