Warning - do not click on Twitter ads
It seems that Twitter has lost control of its advertising system. This blog post will show you why it is dangerous to click on any Twitter advertising.
Twitter ads have always been a bit crap, but I've seen a recent influx in outright scams. Let me step you through a couple of examples.
A typical click-bait headline. What has our favourite celeb done this time?
In a moment of weakness, let's click through...
Straight away we can see that the branding on the site has been set up to mirror a popular news website.
The "article" is a poorly disguised get-rich-quick scheme. Spoiler Alert! You will not get rich quick - you will get poor rapidly.
This is the sort of advert which shouldn't get through a manual review. I'd argue that even automated tooling should be able to spot spam, scams, and frauds like this. But Twitter is completely asleep at the wheel here.
How do I know? Let's look at who promoted the ad. Usually these scams are pushed by dormant accounts, or by freshly created ones. In this case, it is promoted by an ordinary user. And it appears that they are entirely blameless - this advert did not originate with them.
The user claims they didn't post this. Someone has hijacked their account - probably via a weak or reused password - and started spewing spam.
Why don't people spot this?
Twitter promoted posts don't have to show up on your timeline. Apple, for example, sends out lots of adverts like this:
But if you take a look at twitter.com/apple - it looks like they haven't ever tweeted!
If your account has been hijacked by a spammer, you won't know about it.
No tweet will show up on your timeline, and your followers won't be able to alert you. You cannot search for posts which have been promoted by you. The only way you'll find out if your account has been compromised is if people start replying to the advert.
As far as I can tell, a regular user can't delete a promoted Tweet from within Twitter. They have to use the Twitter Ad Platform. There is no way a normal user would know to do that.
It goes on
If you click the replies on promoted tweets, you'll regularly see similar comments: users claiming to have been hacked, and being unable to remove the offending tweet.
Twitter has a problem with deceptive adverts - as I wrote earlier this year "Crypto Scammers Abusing Twitter Cards via Redirects".
You may think a promoted post is going to a site like CNN - but it could redirect you to a malicious site. For example, this promoted Tweet features Elon Musk and looks like it goes to CNN.com.
If you're daft enough to click on it, you go to this page. A reasonably convincing clone of CNN. Full of stuff about how you can't lose money. Even has fake comments at the end, to give it legitimacy. But, you'll notice, it isn't a CNN domain. What's going on?
Twitter generates preview "cards" for web addresses. In this case, we can use the Twitter Card Validator to see what Twitter's crawler is shown: the website sends Twitter's card fetcher to CNN, so the card looks legitimate - but a user following the same link from a browser is redirected elsewhere.
In short - Twitter's advertising system is designed in such a way as to mislead the user about where their click will take them.
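A defender's check for the crawler-versus-browser redirect trick described above, as an added example (not code from the original post): it follows a link once with a Twitterbot User-Agent and once with a browser User-Agent, and flags the link if the two final hosts differ. The exact User-Agent strings and the host-comparison rule are assumptions.

```python
"""Added check: does a URL send Twitter's card crawler and an ordinary browser
to the same final destination? A mismatch is the redirect trick that makes a
promoted Tweet look like it goes to CNN while the reader ends up elsewhere."""
import urllib.request
from urllib.parse import urlparse

# Assumptions: Twitter's card fetcher identifies itself as "Twitterbot";
# the browser string is a generic Chrome-style User-Agent.
TWITTERBOT_UA = "Twitterbot/1.0"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


def http_final_url(url, user_agent, timeout=10):
    """Follow redirects with the given User-Agent and return the final URL.
    Only this resolver needs network access; tests can inject a fake one."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def registrable_host(url):
    """Lower-cased hostname with a leading 'www.' stripped, for comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def compare_destinations(url, resolver=http_final_url):
    """Resolve `url` as Twitterbot and as a browser; report whether the two
    requests land on different hosts (i.e. the link is cloaked)."""
    bot_host = registrable_host(resolver(url, TWITTERBOT_UA))
    browser_host = registrable_host(resolver(url, BROWSER_UA))
    return {
        "bot_host": bot_host,
        "browser_host": browser_host,
        "cloaked": bot_host != browser_host,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_cloak.py https://example.invalid/promoted-link
    print(compare_destinations(sys.argv[1]))
```

A site can also cloak by serving Twitter's crawler an ordinary page whose card metadata points at CNN rather than redirecting it, so a matching host here is not proof of an honest link; a mismatch, however, is a clear red flag.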
What can Twitter do to fix this?
Twitter could manually review adverts. Or make sure that the person promoting the tweet owns the domain they're linking to. Or require 2FA before allowing users to buy adverts. Or they could notify users that their account is being used for advertising. Or any one of a dozen ideas I'm sure the gang at Twitter could come up with during a lunch break.
Or they could respond to users who ask them for help.
There are so many blatantly deceptive adverts on Twitter, that I can only conclude that generating revenue is more important than protecting their users. That's an unsustainable situation.
What can you do to stay safe?
When you click on a promoted Tweet, you have no way of knowing whether it was willingly sent by the user. You have no way of knowing where on the web that link will take you.
I urge you not to click on any Twitter adverts.
Zeb Baer said on twitter.com:
There are many of these on Facebook as well. They remove them if notified but they are making money so no incentive to search and destroy. Funny but I don’t get so many on Twitter (no doubt my twitter feed is too high-rent for your scammers!)
nick said on twitter.com:
Wow. Eye opening - I think a lot of people also see the ‘padlock icon’ as something that defines a ‘safe’ website rather than secure.