Cybercriminals can easily direct Twitter users to Scam sites using Misleading Links!

It has become common knowledge that tweets can be crafted so that, even though they appear to link to one site, they display content pulled from a completely different one. Bad actors have already exploited this for phishing, scams and infecting target devices with malware.

The mechanism is as follows: when a link is embedded in a tweet, Twitter sends a bot to fetch the linked page and looks for special meta tags in its HTML source. If it finds the appropriate tags, Twitter builds a Twitter Card (a rich media block containing additional content from the page).

Of course, bad actors can turn this to their advantage so that the Twitter Card contains data from a different page than the one the link actually leads to.

The problem identified by Terence Eden is that a linked page can check for the Twitter Card generator’s user agent of “Twitter/1.0”: when that user agent is detected, the bot is redirected to another page, while everyone else is served the normal content.

After the redirect, the Twitter Card generator uses the metadata found on the new page to build the card. Although the card’s source appears to be the redirected site, the card still links to the originally posted URL.
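The user-agent cloaking described above can be spotted from the outside by fetching a link twice, once as a browser and once as the card bot, and comparing the final URL and card meta tags of each response. The following is an added defender-side example, not code from the article; the “Twitter/1.0” string is the one quoted in the article, the browser user agent and sample pages are constructed, and the `fetch`/`check_url` helpers are hypothetical names.

```python
"""Twitter Card cloaking check (added example, not the article's code): fetch a
link as a browser and as the card bot, then diff redirect target and card tags."""
from html.parser import HTMLParser
from urllib.request import Request, urlopen

BOT_UA = "Twitter/1.0"  # user-agent string as quoted in the article; verify it
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed browser UA

class MetaParser(HTMLParser):
    """Collect the twitter:* and og:* meta tags that drive card generation."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        key = a.get("name") or a.get("property")
        if key and key.startswith(("twitter:", "og:")):
            self.meta[key] = a.get("content", "")

def card_meta(html):
    p = MetaParser()
    p.feed(html)
    return p.meta

def fetch(url, user_agent):
    """Return (final_url, html) after redirects, identifying with the given UA."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def cloaking_findings(browser_final, browser_html, bot_final, bot_html):
    """Diff the two views: a differing redirect target or differing card metadata
    means the card in the tweet does not describe the page a user lands on."""
    findings = []
    if browser_final != bot_final:
        findings.append(f"redirect differs: browser->{browser_final} bot->{bot_final}")
    b_meta, t_meta = card_meta(browser_html), card_meta(bot_html)
    for key in sorted(set(b_meta) | set(t_meta)):
        if b_meta.get(key) != t_meta.get(key):
            findings.append(f"{key}: browser={b_meta.get(key)!r} bot={t_meta.get(key)!r}")
    return findings

def check_url(url):
    """Live check: fetch once as a browser, once as the bot, and diff the results."""
    return cloaking_findings(*fetch(url, BROWSER_UA), *fetch(url, BOT_UA))
```

An empty findings list means both visitors saw the same landing page and card metadata; any entry is a reason to distrust the card before clicking through.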

Eden discovered this through a tweet promoting a cryptocurrency scam whose card showed a CNBC story.

spoofing twitter cards is too easy

The reason this issue has not been resolved yet may be that the behaviour was designed to help individuals and companies that run a single brand across multiple domain names, or companies that use a proxy to gather statistics.

Still, there is no denying that people with ill intentions can cause severe damage with this approach: cybercriminals can build a website whose Twitter meta tags point to an authentic source while the site itself hosts various threats.

To test this theory, BleepingComputer created a proof-of-concept page identical to Dropbox’s login panel. With the appropriate metadata in place, tweeting a link to the demo page produced surprising results.

When the card is clicked, it sends users to a page on the testers’ site. The page, which looks just like a Dropbox login, is actually a completely different one. In the example you can spot some giveaways, such as the URL in the address bar and other elements, but cybercriminals can easily take care of those.

Other examples show the proof of concept working on Twitter with far more convincing content.

The concerning part is that there is no easy way to tell whether a card is a hoax, since the link itself does not appear in the tweet except when it is embedded.

Twitter has yet to comment on the issue or say whether a resolution is coming in the near future.
