Twitter has its work cut out for it when policing its sprawling social network: porn bots, propaganda trolls, and neo-Nazis plague the site every day. But in a novel case, cybercriminals recently used Twitter’s own “promoted tweet” feature to push a website designed to steal, funnily enough, Twitter users’ personal data.
“Jesus Christ, Twitter is promoting a phishing site that claims to offer Twitter verification and asks for your Twitter password, phone number, and credit card information,” Mike Wehner, trending news editor from BGR, tweeted Sunday, along with a selection of screenshots of the offending site.
Customers have long been able to pay Twitter to promote posts so that more people see them. Marketers typically use the feature to extend the reach of their advertisements; here it gave a phishing page the appearance of a Twitter-endorsed link.
Judging by Wehner’s screenshots, the phishing site first presented a convincing-looking but fake Twitter page that explained the merits of having an account verified, that is, certified as genuine by Twitter’s internal process.
“Being verified is more than a cool badge on your profile, it signifies authenticity and ensures the community that you are an official account,” the page reads.
After collecting some basic account details (Wehner’s screenshots show the site asking for the user’s Twitter password and phone number, enough to take over the account), the site then asks for a credit card number, expiration date, security code, and billing address: the complete set of details a cybercriminal needs to use the card for fraudulent purchases elsewhere.
The site now appears to be inactive: it shows only a default web server page, with none of the phishing content.