14 DAY TRIAL // During the past week, there was a surge in compromised Twitter accounts spreading adult content, some of these belonging even to celebrities, such as musicians, actors, and famous athletes.
The hackers operate by taking over Twitter profiles, changing the user's avatar picture, and tweeting out links to adult websites or webcam sites.
All of the user's other details are left intact, including their past tweets and their password. In most cases, the hackers replace the user's image with the photo of a young woman in provocative poses or lingerie.
Hackers don't spam other users
The hackers don't spam other users by sending DMs or direct tweets, but only post a few links on the victim's profile and then start liking random tweets. Users who receive a like from these persons come investigating and discover the spammed profile.
All links posted on the hacked profiles use URL shorteners, mainly Bit.ly, and hide a link to adult websites using referral tags. If any curious users investigating the hacked account click the link and sign up for one of those services, the hacker earns a small sum for each of them. This amount generally varies between $1 and $5, depending on the referral network.
The campaign caught our eye and Symantec's too. The security firm says it detected over 2,500 of Twitter accounts hacked via this modus operandi.
Hackers compromised celebrity accounts
In some instances, the hackers managed to compromise even verified accounts belonging to celebrities, such as electrofunk band Chromeo, a The Telegraph reporter, stand-up comedian Azeem Banatwala, Houston Texans wide receiver Cecil Shorts III, and the late New York Times reporter David Carr.
Your reporter also noticed last week another hacked celebrity account belonging to famous jockey Ruby Walsh. Symantec did not include this account in its report, but the account followed the above-described methods. The crook took over the account, changed Walsh's avatar, tweeted out some lewd images, but left his password untouched, so the jockey was able to regain control of his Twitter profile.
Symantec reports that this campaign targeted old accounts that prior to being defaced looked to be abandoned by their owners.
Bearing in mind that some profiles belonged to active users, the crooks are most likely using passwords leaked in data breaches, which they test on other sites to see if their owners reused them on other sites. According to security firm ThreatMatrix, identity testing attacks that leverage breached data became extremely popular in Q1 2016.
