Following media reports that Twitter has restricted URLs in direct messages, spammers found a way around this restriction this weekend in order to push diet pill spam links.
Figure 1. A direct message sends users to the tweet containing the spam link
We first noticed this when someone we follow on Twitter, who has never followed us before, started following us. Shortly after receiving the notification that we had a new follower, we received a direct message from the user.
Figure 2. A malicious link sent to a Twitter user through direct message
Unlike the usual Twitter spam, the link found in the message had directed us back to Twitter. It was a link specifically to a tweet, which the user had posted on their account.
The link found within the tweet, led to a common type of diet pill spam, which had been found on various social networks over the years.
Figure 3. Clicking on the links directs users to a diet spam Web page
By searching for the keywords “I recommend site” on Twitter, we found hundreds of Twitter users who tweeted similar links. This means their accounts had also been compromised and many of their followers received direct messages similar to ours.
Figure 4. Users’ tweets containing diet pill spam links
Upon further investigation, we discovered that Twitter is currently blocking links to URL shortening services, such as bit.ly and TinyURL. When we attempted to send the links from these services to friends through a direct message, we received an error message.
Figure 5. Twitter support article notes changes being made to direct messages
Twitter may be blocking these links in direct messages because spammers typically mask their spam domain links through these shortening services. A note found on a Twitter help center article states that back-end restructuring efforts may prevent some URLs from being sent. Despite this issue, spammers have found a workaround to continue their efforts.
If you or someone you know sent out a spam link through a tweet or direct message, Symantec recommends that you follow these steps to ensure that your account is no longer compromised.