Background: Compromised Twitter accounts are currently tweeting about new miracle diet pills. These tweets include links pointing to appspot.com, which redirects users to sites masquerading as the real Women's Health magazine. These sites use standard templates that include celebrity testimonials in order to promote a diet pill known as Garcinia Cambogia Extract. So how did these accounts get compromised in the first place?
It starts with a tweet from someone you follow. They will say something about a rumor or a nasty post going around about you. This narrative is designed to entice the user into clicking on the included link (Origin URL) to find out more.
| Tweets |
|---|
| "OMG Awful Posts Going around about you, have you seen this yet?" |
| "Awful Posts Going around about you, have you seen this yet?" |
| "Horrible Posts Going around about you, have you seen this yet?" |
| "Nasty Posts Going around about you, have you seen this yet?" |
| "WTF Horrible Tweets Going around about you, have you seen this yet?" |
Following a redirect (Redirect URL) they are led to the destination page, which is a phishing URL masquerading as Twitter. Each of these sites are hosted on appspot.com.
| Origin URLs | Redirect URLs | Phishing URLs |
|---|---|---|
| funniestweetts.appspot.com | sessionredirect.appspot.com | loginuathsession.appspot.com |
| loltweetts.appspot.com | sessionredirect.appspot.com | loginuathsession.appspot.com |
| lmfaotwetts.appspot.com | sessionredirect.appspot.com | loginuathsession.appspot.com |
Despite using an outdated Twitter logo, this phishing site is designed to convince you that you were logged out for security purposes. Once the recepient submits his or her username and password, it is shipped off to the phisher.
| URL | Description |
|---|---|
| e-card-view.0fees.us/secured.php | Username and password are submitted through the form to this site. |
| twlitter-file-not-found.appspot.com | Fake error page. |
With these usernames and passwords, these compromised accounts are then used to phish for more credentials as well as promote miracle diet pills.
| Tweet | URL | Landing Page |
|---|---|---|
| "New Miracle Diet Pill, Burn Belly Fat Fast While Removing Harmful Toxins" | healthymagnews.appspot.com | news29online.com |
| "New Miracle Diet Pill, Burn Belly Fat Fast While Removing Harmful Toxins" | maghealthnews.appspot.com | news29online.com |
| "New Miracle Diet Pill, Burn Belly Fat Fast While Removing Harmful Toxins" | locallivenews.appspot.com | news29online.com |
| "New Miracle Diet Pill, Burn Belly Fat Fast While Removing Harmful Toxins" | healthnewslive.appspot.com | news29online.com |
| "New Miracle Diet Pill, Burn Belly Fat Fast!" | mszvlst1.appspot.com | garciniaxnews.com |
| "New Miracle Diet Pill, Burn Belly Fat Fast!" | mszvlst2.appspot.com | garciniaxnews.com |
Through affiliate programs, the phisher will earn a commission on each sale of Garcinia Cambogia Extract pills.