Capable of bypassing account limits

Jul 5, 2010 08:12 GMT

A kit for spamming Twitter users is being sold on Russian underground forums for as little as $20. According to security researchers, the tool has several interesting-looking features and is capable of bypassing the account limits imposed by Twitter.

Judging by the ever-increasing amount of spam Twitter users deal with on a daily basis, the micro-blogging website is a very profitable platform for malware distributors, affiliate marketers and other cybercrooks. The kit was spotted by Trend Micro experts and is simply called "Twitter Kit".

According to the researchers at Trend Micro, the tool can be used to send messages to thousands of users via SOCKS5 proxies. This feature can be used to evade Twitter's automatic spam filters and enhance black hat search engine optimization (BHSEO) campaigns.

Just last week we reported on such a BHSEO attack adapted for Twitter. Rogue accounts were posting links followed by popular keywords in order to make their tweets discoverable via Twitter Search. The scheme was pushing a computer backdoor and the spam messages were also localized for Arabic.

Another feature worth mentioning is breaking Twitter's account limits. These are restrictions the micro-blogging service normally imposes on users in order to prevent service abuse. The current limits are 250 Direct Messages (DM) per day, 150 API requests per hour, 1,000 tweets per day, 1,000 new followers daily and following 2,000 new accounts per day (even though some of these figures are further restricted on a per-hour interval or based on other criteria). The tool also gives spammers the ability to search through other people's follower lists and automatically send those people Follow invites.

The Trend Micro researchers believe the kit is meant to be used to promote links to adult websites. "[...] The tool is actually offered as a bonus for a purchase of 10,000 adult content followers," Maxim Goncharov, advanced threats researcher at Trend, notes. "But then the kit is priced at only US$20, which means that it could be used by many other cybercriminals for several malicious purposes," he adds.

You can follow the editor on Twitter @lconstantin