Crypto Scammers Abusing Twitter Cards via Redirects

by @edent | # # # | 1 comment | Read ~244 times.

Twitter has a problem with scam advertising. Rather than having humans manually check adverts for acceptability and authenticity, they let almost anyone promote anything.

Whatever meagre protections they build in are rapidly evaded by the scammers. Let's take a look at an example of a promoted crypto-scam about Singapore. I'd say it was obviously a fake, but Twitter says this story comes from CNBC...!

A spam advert on Twitter. The CNBC website is highlighted at the bottom.

Take a look at the bottom of the image - the CNBC domain name is there...

Diving into the source code of the ad, we can see that the link does not go to CNBC.

Scource code of the page. The link goes to a spam site.

In fact, it goes to a crappy WordPress rip-off site on a completely different domain.

What's going on?

Twitter has a product called Twitter Cards which lets developers embed data on their page. These data are used to display large images, videos, and other stuff on the Twitter site.

What's curious is that there are no meta-tags on that spam site to populate the Twitter Card.
So why does Twitter think the page is CNBC?

Using Twitter's Card Validator on that spam URl gives us this response:

Card validator showing the CNBC logo. At the bottom it says  "WARN: this card is redirected to cnbc.com."

When the spam site sees the Twitter Card Generator requesting the page, they redirect it to CNBC. Regular users are not redirected.

The Tweet was sent through the Twitter Ads Composer. Which, I guess, lets advertisers pick the image that they want to go with a link.

This is an obviously exploitable hole through which to spew disinformation.

Could this have been prevented?

The account "edayisagift" last Tweeted in 2017. It has a low follower count. I suspect it has been hijacked by spammers.

Should accounts like this be allowed to promote posts on Twitter? Is there a minimum quality threshold that should be met? Are there any ways to check adverts?

Even an automated check on common scam words, and recently reactivated accounts would help to prevent this sort of rubbish.

Perhaps they want to rely on crowdsourcing reports of bad behaviour?

The problem is, this spammy account has already been reported by reputable users - and nothing has been done about it!

Of course, crowdsourcing can also be gamed and manipulated. But this seems like such an obvious scam that I don't understand how it has been allowed to stand.

Recap

  • Spammers are abusing Twitter cards to lend legitimacy to fraudulent adverts.
  • Users report these scams.
  • Nothing happens.
  • Trust in the platform falls.

It is still going...

One thought on “Crypto Scammers Abusing Twitter Cards via Redirects

  1. Eric Andersen says:

    I modified your recap statement and extended it without loss of meaning:

    Exploiters are abusing Internet to lend legitimacy to fraudulent causes.
    Users report these scams.
    Nothing happens.
    Trust in Internet falls.

    I hate to be such a nay-sayer....

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.