Chasing Twitter Malware

One of the best things that the Internet, and especially social media, has done is to make the world a global community. Here in Connecticut I routinely chat with friends in Rome, Hong Kong and Sydney with a few mouse clicks. Speaking as someone who lives in a relatively small town, social media has also gone a long way toward bringing local communities closer together online. What happens online for one business can affect the merchant's neighbors and fellow businesses down the street. It can be a great way to organize community-oriented events online or just to stay connected.

This cuts both ways, though. Scams and phishing can take advantage of local community trust with unfortunate results. Case in point: Twitter malware. Twitter junk malware tends to spread very quickly among trusted circles of friends and businesses, especially among people who are new to Twitter or social media. It typically starts when a user clicks a suspicious or bogus link, usually sent from a bot account or from an account that has already been hijacked. The malware then takes control of the victim's account and sends direct messages, or sometimes mentions, to their followers under their name, usually with a short message and the same link. Often the message is something that would be an obvious scam to social media-savvy users, like a mortgage refinance or winning a free cruise, but there are always accidental clicks and reflexive clicks, and each one hands the attacker another set of followers to target. A few months ago, my town's online Twitter community had a bit of a domino effect with Twitter malware that I'd like to exhibit as a case study.

January 31

11:28 AM – The Twitter account of a hacked local blog sends the malware link to Client A, along with several hundred other unfortunate recipients.

“Hey, so some real nasty things are being said about you hereI cant believe what was said..”

This is an effective trick for Twitter malware. Unlike a weight-loss or mortgage-refinancing link, a message like this provokes a kneejerk reaction: people assume their online reputation is being threatened, and the message arrives from a source they trust. I fell for the same ploy several months ago.

This also happened to be a rare instance where I didn’t have as much time to check my clients’ social media streams due to a series of appointments and conference calls and finally a webinar.

2:45 PM – Client A notices the message and clicks the link, entering contact information on a form that I was never able to view. Client A then sends me an E-mail asking if it was just junk, followed by a second E-mail confirming that it was junk.

3:00 PM – I get out of my webinar, see the E-mail, and shift into crisis management. I tell Client A to change their Twitter password immediately and send me the new one. I call the client and quickly go over what we’ll be doing, and I get the new password.

3:05 PM – The account password has been changed, but the malware had already taken effect. The same message and malware link have been sent to around 100 followers of Client A. I quickly alert everyone on Facebook and Twitter that the account has been hacked and that they should not click the link in a recent direct message.

I quickly respond to a few inquiries on Twitter directly and begin purging Client A’s direct message inbox.

3:15 PM – Support and concerns from customers pour in through Facebook, Twitter, and E-mail – Client A even gets several phone calls asking if their Twitter account is okay. It's heartening to see this, and on a practical level it means we can stop the malware from propagating by getting the word out.

3:23 PM – Client B E-mails me to say that they clicked the link, even though they were suspicious about its authenticity. I confirm that it’s malware and advise them to change their password. Thankfully we stopped the malware from taking effect for Client B.

3:25 PM – A fellow business in Client A’s industry has also unknowingly clicked the link. We apologize, tell them about the hack, and urge them to change their password as soon as they can. They do so and another potential infection is averted.

3:35 PM – Another local business that I don’t work with direct messages me through Client A saying they clicked the link, asking if it was spam. I again confirm that it was malware and let them know to change their password immediately.

3:47 PM – The non-client business thanks us for alerting them. It looks like they managed to change their password soon enough to block the malware from taking effect.

3:55 PM – A friend messages me directly on Twitter through my personal account – she's a Twitter newbie and unknowingly clicked the malware link after following Client A a week ago. Rinse and repeat the password change protocol.

4:05 PM – The blog that was hacked and set off the chain reaction touches base with me through Client A and apologizes to everyone. I message them through my personal account to ask if they remember the source, but it was an accidental click. Sources for Twitter malware can be very difficult to track.

4:15 PM – Three of my other clients received the direct message malware from Client A but I delete the messages before anything else can happen.

After doing a quick sweep of other accounts in the area and monitoring Clients A and B, it looks like we’re in the clear.

February 1

2:00 PM – Client C E-mails me and forwards a Twitter notification for a DM – yep, the malware’s back. This time a local business owner’s personal Twitter account got hit, but thankfully Client C knew not to click the link in the message. I alert the business owner through Twitter.

2:30 PM – Client D got the message from this second round of malware but thankfully I managed to alert him before he clicked the link.

February 2

9:00 AM – The business owner thanks me and messages his followers, apologizing for the inconvenience and saying that he has secured his Twitter account. It's actually a relief that his personal account was infected instead of his business account, which has far more followers.

After E-mailing all of my clients again to make sure they knew about this, I watched Twitter like a hawk for the next day or so for any sign of the dreaded message popping up. Thankfully that was the last of it.

So what's to learn from all of this? First of all, be extremely careful if anything looks suspicious. Malware like this takes advantage of the trust relationships in social media: a link arriving from an account you already follow is far more likely to be clicked than one from a stranger, and each account it hijacks gives it a fresh set of followers to send the same junk to. If you get an abrupt direct message on Twitter like the one that set off the chain reaction, message the sender back and check their profile page for

The good news is that your fans and customers will know something is wrong if you've spent time building your social media presence. Client A's customers knew the business's voice, and it was gratifying to see that they immediately knew something was happening. Be good to your customers and they'll be good to you – especially when something like this happens.
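The "be careful if anything looks suspicious" advice above can be turned into a mechanical first pass over an inbox. The script below is an added example and is not code from the original post: it scores direct messages on the traits the case study describes (a reputation-scare phrase like the one quoted above, a link, a shortened link that hides its destination, and a sender who has never messaged the account before) and flags anything that crosses a threshold for a human to check. The sample messages, the phrase list, the shortener list and the weights are all constructed for illustration and are assumptions, not a maintained signature set.

```python
import re
from urllib.parse import urlparse

# Wording typical of reputation-scare lures, modelled on the message quoted in
# the post. Assumption: illustrative only, not a complete or maintained list.
LURE_PHRASES = (
    "said about you",
    "saying about you",
    "nasty things",
    "bad blog about you",
    "is this you",
    "saw this pic of you",
)

# Hosts of common link shorteners. A shortened link hides the real destination,
# which is exactly what a lure wants. Assumption: a short, illustrative set.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Matches full URLs plus bare shortener links such as "bit.ly/abc" that
# people paste without a scheme.
_SHORTENER_ALT = "|".join(re.escape(h) for h in sorted(SHORTENER_HOSTS))
URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+|\b(?:%s)/[^\s<>\"']+" % _SHORTENER_ALT,
    re.IGNORECASE,
)


def score_dm(text, sender, known_senders):
    """Return (score, reasons) for one direct message.

    Higher score = more suspicious. The weights are an assumption chosen so
    that a lure phrase plus a link crosses the default threshold on its own,
    even when the sender is someone the account already knows (as in the
    case study, where the first message came from a trusted local blog).
    """
    score = 0
    reasons = []
    lowered = text.lower()

    urls = URL_RE.findall(text)
    if urls:
        score += 1
        reasons.append("contains a link")
        for url in urls:
            full = url if url.lower().startswith("http") else "http://" + url
            host = (urlparse(full).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                score += 1
                reasons.append("shortened link (%s) hides the destination" % host)
                break

    if any(phrase in lowered for phrase in LURE_PHRASES):
        score += 2
        reasons.append("reputation-scare wording")

    if sender not in known_senders:
        score += 1
        reasons.append("sender has never DMed this account before")

    return score, reasons


def triage(dms, known_senders, threshold=3):
    """Return the messages that a human should look at before anyone clicks."""
    flagged = []
    for dm in dms:
        score, reasons = score_dm(dm["text"], dm["sender"], known_senders)
        if score >= threshold:
            flagged.append({"sender": dm["sender"], "score": score, "reasons": reasons})
    return flagged


# Constructed sample inbox; none of these are real messages or real links.
SAMPLE_DMS = [
    {"sender": "localblog",
     "text": "Hey, so some real nasty things are being said about you here "
             "http://bit.ly/example I cant believe what was said.."},
    {"sender": "clientb",
     "text": "Thanks for the heads-up yesterday, is the account OK now?"},
    {"sender": "newfollower",
     "text": "is this you? tinyurl.com/abc123"},
    {"sender": "localblog",
     "text": "Reminder: the farmers market moves indoors this Saturday, "
             "details at http://www.example.com/market"},
]
# Accounts that have exchanged DMs with this account before (constructed).
KNOWN_SENDERS = {"localblog", "clientb"}


if __name__ == "__main__":
    for hit in triage(SAMPLE_DMS, KNOWN_SENDERS):
        print("%s (score %d): %s" % (hit["sender"], hit["score"], "; ".join(hit["reasons"])))
```

Run against the constructed inbox, the lure from the hacked blog and the "is this you?" message from an unknown follower are flagged, while the blog's ordinary event reminder (a link, but no scare wording) and Client B's reply are not. The score is only a prompt for the manual check the post recommends, messaging the sender back before clicking; a known sender scoring high is the case-study scenario, where the trusted account itself has been hijacked.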