Hijacked Twitter accounts used to advertise face masks

As of Tuesday, hijacked Twitter accounts were spewing out hundreds of tweets hawking a dodgy looking face mask/toilet paper/digital forehead thermometer online store, according to Motherboard’s Vice.

When Vice’s Joseph Cox searched for the masks site on Tuesday, he found what he called a “heavy stream” of other accounts that posted a link to the site. Some at least appeared to have been hijacked, given that they were created years ago and posted what Cox called “relatively normal content” before tweeting out the link to the masks site.

As of Wednesday afternoon, two Twitter accounts were still advertising masksfast[.]us. One of the accounts, created in April 2012, had zero followers and had only ever created one post: the ad for masks that it posted on Tuesday. Another account advertising the (potentially scammy) site hadn’t previously posted anything since July 2019, has only retweeted and has never posted original content, all of which gives off the aroma of a bot network and/or having been hacked away from their rightful account owners.

I reported both accounts to Twitter.

Vice knows for sure that one of the accounts pumping out mask advertising was hijacked, given that the account belonged to one of its own: Motherboard’s Todd Feathers. On Tuesday, the journalist confirmed on Twitter that his account had been hijacked and used to send out direct messages, purportedly about face masks.

Vice found another hijacked account that posted tweets to a website called “Masks 2 U” and which included this message in broken English:

Wearing mask make you away from COVID-19

Motherboard’s Feathers told Vice that about 40 minutes before he logged into Twitter and realized that his account had been hacked, the platform had informed him that his account was last accessed by a computer in Virginia. That doesn’t mean much: whoever took over his account could have been located anywhere.

After the hijacker had control of Feathers’s account, they used it to send a tweet advertising the masks website. They also sent a link to the site, via DM, to a load of his followers, Feathers said.

They sent DMs to what looks like all (or at least a lot) of my followers with a link to masksfast [.] us and some variation of the message: ‘Masks save lives.’

As Cox notes, it’s not clear whether the barebones site is actually selling the products it lists or if it’s just a scam. I, for one, certainly wouldn’t hand over my credit card, given a number of oddities, including that a) clicking on its multiple social media logos merely sends you round-robin, returning you to the site’s home page, and b) the site refers to toilet paper as “paper towels,” which suggests that its creators aren’t fluent with the American English terminology for the quotidian product that’s grown so scarce, or with its British rendition (“toilet paper” or “toilet roll.”)

At any rate, as Cox reports, the records for the site show that it was created on Monday. Motherboard also found other, near-identical masks websites hosted on the same IP address as the site mentioned by the hacked accounts, some of which had been created just a few days earlier.

The timing of this coronavirus-related cyber assault jibes with what’s happening all over the internet. Over the past week or so, thousands of COVID-19 scam and malware sites have been pumped out on a daily basis. Cyber crooks have been going online to put up coronavirus scam sites or to sell counterfeit surgical masks; fake self-testing kits for HIV and glucose monitoring; and/or bogus antiviral meds, chloroquine (that’s fish-tank cleaner to me and you, and regardless of what you might have heard, please don’t take it – at least one man has already died), Vitamin C or other food supplements.

Law enforcement agents have been trying to mop it all up: on Friday, the state of New York let it be known to domain registrars that it’s high time they cracked down on this health-threatening trend by making it tougher to register a domain that’s likely to be selling snake oil, inflicting malware or setting up whatever other trap the crooks have been rushing to put into place.

Europol on Saturday announced that a global operation to target trafficking in counterfeit medicines – named Operation Pangea – has resulted in the seizure of nearly 34,000 counterfeit surgical masks.

Involving 90 countries worldwide, the operation took place between 3 and 10 March and led to the seizure of €13 million (USD $14m, £11.9m) worth of potentially dangerous drugs. Law enforcement officers also coordinated by Interpol took down about 2,500 links to websites, social media, online marketplaces, and ads. Police also arrested 121 COVID-19 scam suspects and took down 37 organized crime groups.

Europol says that the operation, which is ongoing, revealed a “worrying increase” in unauthorized antiviral medications and the antimalarial chloroquine.

In short, the hijacked Twitter accounts being used to hype face mask sites are yet another wrinkle in what the World Health Organization (WHO) has dubbed the Infodemic – a virtual plague of misinformation and fraud that it’s fighting right alongside the viral pandemic.

Twitter reacts

Twitter told Motherboard that it had taken action against a number of accounts and URLs around the suspicious activity. The platform pointed to its policy banning malicious use of bots and inauthentic accounts. Its statement:

Currently, our team is not seeing large-scale coordinated platform manipulation surrounding the Covid-19 conversation. As is standard, we will remove any pockets of smaller coordinated attempts to distort or inorganically influence the conversation. Additionally, we’re continuing to review and require the removal of Tweets that do not follow the Twitter Rules – half of which we catch before they’re ever reported to us. If people see anything suspicious on our service, please report it to us. This is an evolving global conversation and we will remain vigilant.


Latest Naked Security podcast

go top