A spam attack that has affected instant messaging users has found its way through Twitter, infiltrating users accounts to post messages with links connecting to weight-loss drugs.

Hacked Twitter accounts are being used to post messages that promote weight-loss drugs. The messages vary in the stated text, but generally states the same message and are all followed by a link that leads to websites where the drugs are being sold. Searches through Twitter for “$5 acai” yields the posts of users whose accounts were hacked.

The spammers even utilized TinyURL–a free URL redirection service that is used to turn long URLs into shorter ones. The service has been frequently used by Twitter users as it lets them use more of the 140 character limit for messages instead of links. This makes the spam posts even more convincing, making the message not much different from any other post, not to mention masking the actual spam URL with the one provided by TinyURL.

Worldometers states that there currently more than 1 billion overweight adults, with at least 300 million of them clinically obese. With such a huge number of concerned users as potential targets, a lure such as weight-loss drugs has good chances to become a hit.

Formerly known as Ecount, Citi Prepaid Services is a prepaid solution for companies who aim for a customizable solution for payroll, sales incentives, benefit payments, etc. Recently we have encountered a phishing email, informing Citi Prepaid Services customers/clients that their account information needs to be updated due to inactive membership, purported causing fraud and report spoofing due to the account’s inactivity.

Below is a screenshot of the phishing email:	In the email users are instructed to click on the embedded link which, in fact, leads to the phishing website:

Once customers/clients entered their account credentials believing that this is real, phishers can now take hold of the information and may use it however they wish.

Citi Prepaid Services actually offers Zero Liability Protection which protects users from this very attack. It means that users are not to be held responsible for any fraudulent activity regarding their account. But since the Zero Liability Protection is a feature limited to Citi Prepaid Service, victims of a similar attack on a different service may not be as lucky, and end up losing their hard-earned money.

The phishing URL is now blocked by the Trend Micro Smart Protection Network.