News broke this week that an account posing as PayPal used a paid promotion on Twitter to bait users into sharing their personal information under the guise of an end-of-year contest, The Next Web reported.
TNW reporter Matthew Hughes first reported the since-deleted promoted tweet from @PaypalChristm, which he said appeared in his timeline. The tweet had several obvious signs of being a scam, which Hughes noted included not only its shady unverified account “with fewer than 100 followers,” but also a sketchy-ass promotional image seemingly designed to insinuate that a car and an iPhone were up for grabs. A link included in the tweet reportedly led to a page that looked like PayPal’s login page and asked users to enter their personal information and credit card details.
Expert comments below:
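The warning signs Hughes lists (a brand name in an unverified, low-follower handle, and a link to a lookalike login page on a domain the brand does not own) can be turned into a simple defender-side triage check. The following Python sketch is an added example, not code from TNW or from this article; the brand-to-domain table, the follower threshold, the naive registrable-domain logic and the sample tweets are constructed assumptions for illustration.

```python
"""Heuristic triage of a promoted tweet for brand-impersonation phishing.

Added example (not from the article). Scores a tweet against the signs the
report describes: an unverified low-follower account whose handle echoes a
brand, and a link whose host or path invokes that brand while sitting on a
domain the brand does not own. Everything below the imports is an assumption
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: brands of interest and the registrable domains they actually own.
BRAND_DOMAINS = {"paypal": {"paypal.com", "paypal.me"}}
# The article's "fewer than 100 followers" used as a low-reputation threshold.
LOW_FOLLOWER_THRESHOLD = 100


@dataclass
class PromotedTweet:
    handle: str
    verified: bool
    followers: int
    links: List[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: no multi-label public suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in(text: str) -> Optional[str]:
    """Return the first known brand name that appears in text, else None."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def link_impersonates(url: str) -> Optional[str]:
    """Return the brand a link impersonates, or None if it is the brand's own domain."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    brand = brand_in(host) or brand_in(parsed.path)
    if brand is None:
        return None  # no brand invoked at all
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return None  # genuinely the brand's own domain
    return brand


def triage(tweet: PromotedTweet) -> List[str]:
    """Return the phishing indicators present in the tweet; empty means none found."""
    findings = []
    handle_brand = brand_in(tweet.handle)
    if handle_brand and not tweet.verified:
        findings.append(f"handle echoes brand '{handle_brand}' but account is unverified")
    if tweet.followers < LOW_FOLLOWER_THRESHOLD:
        findings.append(f"account has fewer than {LOW_FOLLOWER_THRESHOLD} followers")
    for url in tweet.links:
        brand = link_impersonates(url)
        if brand:
            findings.append(f"link {url} invokes '{brand}' on a domain the brand does not own")
    return findings


# Constructed sample input: the follower count and the URL are made up; only the
# handle @PaypalChristm is taken from the article.
SAMPLE_TWEETS = [
    PromotedTweet("@PaypalChristm", False, 57, ["https://paypal-christmas-prize.example/login"]),
    PromotedTweet("@PayPal", True, 1_000_000, ["https://www.paypal.com/"]),
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(tweet.handle, "->", triage(tweet) or ["no indicators"])
```

The registrable-domain check is deliberately naive (it treats the last two labels as the owner boundary); a production version would use the public suffix list, and a brand-name substring match is a signal for human review rather than a verdict on its own.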
Corin Imai, senior security advisor at DomainTools:
“The fact that this phishing scam was taken down so swiftly by Twitter is encouraging, but the promotion by the social network in the first place points to a larger problem where phishing is concerned – that it is not always clear what is a legitimate link and what is not. Phishers here have taken advantage of the opportunities for paid promotion, as phishers across the Internet have done in order to cloak their scams in a mask of respectability by association with big tech companies such as Twitter and Google. Internet users should not take these paid promotions as an indication of legitimacy, and should exercise caution with all links.”
Javvad Malik, security advocate at AlienVault:
“Many companies like Twitter or Facebook will automate the advertising purchasing process for speed and convenience. However, it illustrates the fact that automation can be used against you if not implemented correctly. Currently, not everything can, or should, be automated, especially in times where misinformation and scams are daily threats for social media companies. It’s not too dissimilar to how security operations centres (SOCs) that are responsible for monitoring and responding to security threats can automate some parts easily, but need manual intervention in other parts so as to not have the automation used against them.”