We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

For Sale: Thousands of Hacked Twitter Accounts

Russian cybercriminal forums offer batches of 1,000 Twitter accounts for less than $200.

Hacked Twitter accounts are selling briskly on Russian cybercriminal forums, with fraud artists and spammers paying between $100 and $200 for batches of 1,000 accounts, depending on number of followers the accounts have, according to a Russian security researcher.

In many cases the buyers are conducting a lucrative trade by hawking phony antivirus products via tweets sent through these accounts. “The technique of stealing account credentials and posting malicious links on Twitter is more and more popular,” and has surged in the past two months, says Costin Raiu, director of the global research and analysis group for the Moscow-based antivirus company Kaspersky Lab. “Cybercriminals are recognizing that social networking sites can be abused very efficiently for their needs.”

Even one successful hacked tweet from the account of a trusted user can have serious repercussions, especially if the bogus tweet is “retweeted” by followers to still more people. Typically, between 10 percent and 20 percent of people will click a link sent by a trusted source.

The illicit Twitter trade is being conducted on Russian-language, members-only cybercriminal forums, Raiu says. No aggregate numbers of stolen accounts are available. But based on the fact that accounts are offered in batches of 1,000, it’s reasonable to conclude that tens of thousands or more accounts might be for sale worldwide, Raiu says. Twitter has more than 75 million members, of which about 10 million to 15 million send out tweets regularly.

In one common scam, clicking the link of a hacked tweet infects the recipient’s computer with advertisements for a phony antivirus product. The infection produces a pop-up notice that announces an infection and offers the “full version” of the antivirus solution for $50 or more. One in 100 people likely end up paying for this, Raiu estimates, roughly a 50 to 1 return on investment.

The Twitter scam is built on the theft of login credentials through long-established tricks including password-stealing viruses, called Trojans, and through spam e-mails that trick recipients into entering their credentials into a fake version of Twitter.com. Once access to an account is obtained, the hacker probably gets only a few shots at sending a fake tweet before the owner notices and changes his credentials.

Tweet scam A message sent through a compromised Twitter account by a hacker (highlighted in red). The message includes a link that leads to malware.

Twitter advises that users who see unauthorized tweets issued under their name should change their password immediately (if it hasn’t been changed by the hacker) and to revoke access for any unrecognized third-party application. It also offers advice for safe tweeting on its forums. The company did not immediately reply to a question about the Russian black market or the number of compromised accounts.

The discovery by Kaspersky Lab comes one month after reports surfaced that Facebook was facing similar problems. Verisign’s iDefense Labs said it had found a website peddling 1.5 million compromised Facebook accounts, offering them for $25 per 1,000 accounts with 10 friends or less, and $45 per 1,000 accounts that have more than 10 friends.

The hacking of Twitter accounts represents a change in strategy by Twitter scam artists. Earlier this year, the trend among spammers was to create Twitter accounts from scratch, try to gain as many followers as possible, then attempt to sell them, with prices listed on Russian cybercriminal forums of between $500 and $1,000.

But this strategy found few customers, and proved difficult to maintain. Twitter fought back by blocking accounts that gathered followers too quickly–a sign that a spammer was behind the account. Scammers next built automated programs to slowly build up followers and post realistic-looking tweets copied from other Twitter users.

“It was a lot of work for them,” Raiu says. “Probably the cybercriminals discovered earlier this year that it’s easier to steal logins to people’s Twitter accounts than create them from scratch.”

AI is here.
Own what happens next at EmTech Digital 2019.

Register now
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.