Tweeterfast, Tweeterfollow, Twtkingz — The never-ending Twitter scam…

December 15 2009 by Teksquisite in Malware, Security |6 Comments

I’ve been following the Tweeterfollow musical domain saga since late September 2009. The theme never changes. I’ve also written about their scam/phishing/twitter account hijackings here.

Yesterday the Tweeterfollow (AKA: TF) domain push on Twitter was via Twtxtreme.info (currently disabled) using short url services tinyURL and retwt.me. Today it looks like TF is promoting twtkingz.info via retwt.me and kiwi.url. TF consistently uses IP: 124.217.246.188 but because TF switches domains frequently, they have not been blacklisted.

The web login page is always the same:

gui

Description: A place to add more followers for your twitter page. This is a twitter adder site

Keywords: get more twitter followers, tweet, twitter network,twitter train, get more followers on twitter, twitter, tweeter, tweeteradder, tweeterfollow, deadlyx, rawhood, hoodzone, followers, train, vip, tweet

Logged in to the TF Web GUI

Once you are logged in to their website you will automatically follow all VIP members. Then you click on Twitter profile random images [graphics from a3.twimg.com] to follow regular users [SIC].

follow-users

Once you have clicked on all 20 default regular users profiles, the pop-up below appears:

train

Click on the OK button and 20 new profiles will reappear. You can click all day long and into the night and you will still get the congratulatory pop-up each time you click the 20th profile.

You are also encouraged to purchase a VIP membership using PayPal or a credit card. The account that TF is currently using at PayPal is registered to ryann.johnson2009@gmail.com.

no-refunds

Ability to view protected tweets

Using http://isfollow.com/ I wanted to see if the locked accounts that I randomly followed through the TF API were following me. The accounts listed below were not following me but I was able to view their PROTECTED TWEETS!

afrheyy
aliamutia
ibaddbxtch
IamHoodBarbie
ohannaweb

hoodbarbie

Since the above account is not following my test account I should not have been able to view IamHoodBarbies protected twitter stream. Obviously these Twitter profiles are all compromised accounts. A simple change of password is probably not the band-aid that should be used.

The Twitter filter managed to nab the “100 followers” string and filtered these tweets from the test account Twitter stream. The test account is also not currently accruing a steady stream of profiles from Twtkingz[TOX]info API like it was yesterday. During the past six hours the test account has only followed one protected account via the TF API. The test account is still able to view protected tweets of accounts that are not following the test account.

Shot9

Who is behind all this?

With all the emphasis on botnets, security breaches, and malware; In comparison, Tweeterfollow appears harmless. Is it?

deadlyisgreat

otherdomains

Domain ID:D30737265-LRMS
Domain Name: TWTKINGZ.INFO
Created On:10-Dec-2009 15:10:50 UTC

Last Updated On:10-Dec-2009 15:10:59 UT

There is something big going down on Twitter

logintoanysite

Any website hosted at Piradius.net in Kuala Lumpur, Malaysia should immediately raise a red flag.

Update: 12-15-09 8:13 pm EDT

Update: 12-16-09

Update: 12-17-09

Update: 12-22-09

Test account data:

December 18:
5 tweets Total

Timing:
2 tweets @8:08 pm from API
1 tweet @9:54 pm from API
1 tweet @9:55 pm from API
1 tweet @10:25 pm from API

URL Breakdown:
3 tweets to twtfollow[TOX] info via ohurl.com
1 tweet to twtfollow[TOX] info via retwt.me
1 tweet = “This site just gave me 100 followers using” no URL

December 19:
9 tweets Total

Timing:
1 tweet   @6:09 am from API
1 tweet   @8:33 am from API
1 tweet   @2:10 pm from API
1 tweet   @4:34 pm from API
4 tweets @7:09 pm from API
1 tweet   @10:10 pm from API

URL Breakdown:
1 tweet to youtube.com [generic]
1 tweet to twtspeedy[TOX] info [via retwt.me]
2 tweets to twtfollow[TOX] info [via Safe.mn = flagged as a "Dangerous website: Phishing/Malicious Content"]
2 tweets to twtspeedy[TOX] info [via TinyUrl]
1 tweet to twtfollow[TOX] info [kiwiurl.com]
1 tweet to twtfollow[TOX] info [via shorten.ws]
1 tweet to twtfollow[TOX] info [via snipr.com]

December 20:
15 tweets Total

Timing:
1 tweet   @12:34 am from API
1 tweet   @1:10 am from API
1 tweet   @6:11 am from API
1 tweet   @7:12 am from API
1 tweet   @8:34 am from API
2 tweets @1:31 pm from API
2 tweets @1:32 pm from API
1 tweet   @1:33 pm from API
1 tweet   @2:11 pm from API
1 tweet   @6:36 pm from API
1 tweet   @7:29 pm from API
1 tweet   @7:33 pm from API
1 tweet   @10:12 pm from API

URL Breakdown is getting spammy, so for the sake of brevity – here goes:
The shorl you requested has been disabled due to abuse. We’re sorry for the inconvenience.
lu.mu disabled
kiwiurl.com disabled
nvg8.it disabled
twtfollows {TOX] Info still online
twtlimit {TOX] Inf still online
retwt.me = .twtspeedy[TOX] info

December 21:
26 tweets Total

Currently pushing the following Toxic URLs:

twtfollows[TOX] info
twtlimit[TOX] info
twtspeedy[TOX] info

Stay Safe Online!

Tags: fraud, identity theft, phishing, scam, tweeterfollow, twitter

6 Comments

At 2009.12.21 18:27, Alexis Kauffmann said:

Another one for your collection… http://www.twtspeedyDOTinfo

[Reply]
- At 2009.12.21 23:58, Teksquisite said:
  
  Thanks!
  
  [Reply]
At 2010.02.27 21:42, Joseph Slabaugh said:

So you are some internet vigilante?

[Reply]
At 2010.03.01 21:34, Teksquisite said:

Perhaps!

[Reply]
At 2010.03.02 00:31, Joseph Slabaugh said:

please contact me, I have some info for you.

[Reply]
At 2010.03.31 12:59, Live said:

It looks like the site is down again… I wonder what happened?!

[Reply]

Tekblog

Tackling Technology One Byte At A Time!