An account posing as PayPal used a paid promotion on Twitter to bait users into sharing their personal information under the guise that they were entering an end-of-year contest, The Next Web reported this week.
TNW reporter Matthew Hughes first reported the since-deleted promoted tweet from @PaypalChristm. The tweet had several obvious signs of being a scam, including not only its shady unverified account “with fewer than 100 followers,” but also a sketchy-ass promotional image seemingly designed to insinuate that a car and an iPhone were up for grabs. A link in the tweet reportedly led to a page that mimicked PayPal’s login page and asked users to enter their personal information and credit card details.
Expert Comments below:
Paul Bischoff, Privacy Advocate at Comparitech:
“The scam was up for about 30 minutes before it was taken down and the account suspended, but this is most likely due to users flagging it, not because of any automated detection measures on Twitter’s side. Twitter clearly did not properly vet the ad before it was posted.
It’s not clear how this slipped through the cracks, but Twitter certainly needs to step up its filtering efforts either by using more advanced detection or training humans to manually evaluate ads before they’re posted.
There’s not much PayPal can do about such a situation. Anyone can copy logos and a website to create a phishing page, and PayPal is one of the most frequently used fronts for phishing scams. Phishing pages can be identified by checking the site URL. The scam link was not HTTPS encrypted and did not use PayPal’s real domain.”
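As an added example (not part of the article or the commenter's words), the two checks named above, HTTPS scheme and PayPal's real domain, implemented as a link triage function; it also flags the tricks a naive "does the URL contain paypal" check misses, such as the brand name sitting in a subdomain or in the userinfo part before `@`. The set of legitimate domains is an assumption.

```python
from typing import List
from urllib.parse import urlsplit

# Assumed list of domains treated as PayPal's real domain (constructed for this example;
# a production checker would load it from policy, not hard-code it).
LEGIT_DOMAINS = {"paypal.com"}
BRAND = "paypal"


def check_login_link(url: str) -> List[str]:
    """Return the red flags found in a purported PayPal login link.

    An empty list means the link passed both checks from the comment:
    it is served over HTTPS and its host is PayPal's real domain (or a subdomain of it).
    """
    flags = []
    parts = urlsplit(url)

    # Check 1: the scam link was not HTTPS.
    if parts.scheme.lower() != "https":
        flags.append("not-https")

    # "https://paypal.com@evil.example/" puts the brand before '@', but the
    # browser connects to evil.example; urlsplit exposes that as username/hostname.
    if parts.username is not None:
        flags.append("userinfo-in-url")

    # Check 2: the host must be the real domain itself or end with ".<real domain>";
    # a plain substring test would accept "paypal.com.evil.example".
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host:
        flags.append("no-host")
    elif not any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        flags.append("wrong-domain")
        if BRAND in host:
            # Brand name present but on the wrong domain: classic look-alike host.
            flags.append("brand-lookalike")
    return flags


def is_suspicious(url: str) -> bool:
    """True if any red flag was raised for the link."""
    return bool(check_login_link(url))
```

Homoglyph or typo domains such as "paypa1.com" are still caught by the domain check but not labelled as a look-alike; that labelling is a substring heuristic, not a full confusable-character comparison.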
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.