Massive Wave Of Twitter Phishing Spam Apparently Being Posted From HootSuite Users’ Accounts

Over the past hour or so there has been a massive wave of spam related to a ‘free Groupon of pure garcinia cambogia’ rising on Twitter. The tweets are coming hot and heavy every few seconds and have targeted celebrity accounts like Jane Fonda, sports teams like the San Francisco Giants and even some TechCrunch writers. Updated below.

Many other users appear to be affected by the tweets, and they all appear to have originated from the HootSuite client. One possible explanation is that a large set of HootSuite user accounts has been compromised by a malicious party that gained access to a company server.

We reached out to HootSuite for comment and CEO Ryan Holmes said that they are “currently reviewing the spam incident” and will get back to us with a statement.

HootSuite had some spamming issues late last month. At the time, it said that it had seen “an increase in attempts by spammers to gain unauthorized access to social media accounts by exploiting password weaknesses,” but stated that it had not been hacked. Instead, it said that it was “seeing attempts (some successful) to login to HootSuite using user IDs and passwords acquired from compromised social networks.”

At the moment we don’t know whether this is a similar case or not. One thing to note is that the URLs being posted do not use HootSuite’s standard ‘owl.ly’ shortener, which could indicate that they’re not coming from the company’s native platform.

Here’s what the tweets look like inline:

[Screenshot, 2013-09-09 3:32 PM: the spam tweets as they appear inline]

And here’s a tweet by Jane Fonda showing the ‘via HootSuite’ label:

[Screenshot, 2013-09-09 3:44 PM: Jane Fonda’s tweet with the ‘via HootSuite’ label]

The link in the tweets takes you to a Garcinia Cambogia sales page that is clearly styled to mimic Groupon, a classic phishing tactic that the attackers hope will net either Groupon login details or, more likely, financial information when victims go to order said supplement.

[Screenshot, 2013-09-09 3:47 PM: the Groupon-styled Garcinia Cambogia page the link leads to]

At this point one possible culprit is a HootSuite hack of some sort, as user Sam Houston reports that he’s seeing the same message on both Twitter and Facebook, both posted by the HootSuite client. Other users are saying that their LinkedIn accounts have been affected as well.


We’re working to assess how widespread the spam issue is and what the extent of the damage to HootSuite users is, but for now you should exercise caution. If you ever think that any Twitter app is compromised, you should revoke its permissions in your Twitter settings area and do the same on Facebook and any other connected network.

H/t our own Alex Wilhelm, who was also affected by the spam.

Updated: Twitter has now flagged that particular link with a spam warning when you click on it from the web:

[Screenshot, 2013-09-09 16:48: Twitter’s spam warning shown when clicking the link from the web]

Update: a statement from HootSuite:

Today HootSuite continues to see attempts by spammers to gain unauthorized access to social media accounts by exploiting weak passwords. In the attempts made to date, HootSuite itself has not been compromised or hacked; however, a small number of successful attempts to log in to HootSuite were made using user IDs and passwords that were acquired elsewhere. Likely, people are using the same password for both HootSuite and the other social network or online service. When these types of attempts were first discovered on July 26, 2013, HootSuite’s customer support team armed customers with a best practices blog post to help educate users on how to create a more secure password. On August 20, we deployed numerous security measures to protect users, including Social Verification and Location Verification. Today, less than 0.01% of HootSuite’s user base (approximately 7000 HootSuite users) were affected. In this case, the unauthorized users accessed HootSuite through a third-party application using OAuth. In response, we’ve temporarily disabled access to OAuth from the affected third-party online service, and will continue to deploy efforts to keep our users safe. We ask that customers who experience an unauthorized post to one of their social accounts change their username and password on all their online accounts that use that same username and password. For those who may have been affected, please follow @HootSuite_Help for updates and review our best practices to ensure secure passwords have been created.