We’ve seen “get Twitter followers” scams in the past, but a recent one stood out for a very good reason: it actually delivers what it promises—and then some.
This scam tries to attract potential victims by using tweets with the phrase “GET MORE F0LL0WERS” and a URL that is apparently from Google. (In this particular case, Google is just used as a redirector to the scammer’s site.) It also uses Twitter’s Discover feature and trending topics to boost its visibility. It also uses tweets that mention random Twitter users.
Figure 1. Sample tweets promoting the site
When users click the link in the post, they will be redirected to a “get free followers” site. The site offers two options—a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers; this will grant them access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site will show a “processing” page. The user will gain random Twitter followers, including those with private accounts.
The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.
Figure 2. Choice between the free or premium service
What’s the catch? Yes, they get new followers, but these followers are other users who signed up for this service as well. By agreeing to the service, their accounts will also be used to follow other accounts as well.
In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle.
Figure 3. Service confirmation page
Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads.
We’ve seen 35 separate domains in this attack, all of which lead to an IP address hosted in the United States. The US also accounts for almost 70% of this site’s visitors, based on Smart Protection Network feedback. Other countries in the top 5 include Turkey, New Zealand, Britain, and the Philippines.
Users are encouraged to avoid clicking links on social media posts unless the source can be verified. Users should also avoid giving access to their social media accounts unless the sites are established and well-known. Lastly, they should always remember that “free” services often aren’t. They may ask for something in exchange, be it information or access to accounts.
Trend Micro blocks all URLs related to this scam. Twitter has suspended some accounts that were involved in this attack, and spammed tweets have also been removed.