We Heart It attack spills out into Twitter diet spam tidalwave

Twitter and We Heart ItDiet spammers are not just exploiting AOL accounts to spread their unwanted adverts for miracle weight loss products, they have been flooding Twitter too.

And, this time, the spammers have had more than a little unwitting help from the image-based social network We Heart It.

So, what was the spam attack and how did it involve both Twitter and We Heart It?

Well, you may well have seen online friends unexpectedly tweeting a message like the following in the last day or so:

Diet spam tweet

If I didn't try this my life wouldn't have changed [LINK]

If you made the mistake of clicking on the link, believing your friend had experienced a life-changing event, you would be taken to a fake Women's Health magazine website, pushing Garcinia Cambogia "miracle diet" pills.

Fake Women's Health website

Look familiar?

It should do if you're a regular reader as we have detailed similar bogus sites in the past promoting miraculous diets with the help of celebrities such as Dr Oz, sometimes even pretending to be BBC News sites.

And, on past occasions, we have also seen users who visited the links from Android devices be taken to malware too. So there is a serious risk here.

However, this time there's a different twist.

Because, it transpires, many of the Twitter users sending the spammy tweets are also members of the We Heart It social network and the tweets themselves were being sent - as Dan Goodin at Ars Technica reported - "via weheartit.com".

In other words, We Heart It users can connect their accounts with their Twitter accounts, to share their "hearted" messages with their friends. It's a bit like sharing your favourite Pinterest pins I imagine.

But, and it's a big but, what happens if your We Heart It account gets compromised in some way, and it begins to "heart" links which point to a webpage designed to promote Garcinia Cambogia "miracle diet" pills? Then you've got spammy messages appearing on Twitter.

And what happens if *many* We Heart It users suffer the same problem with their accounts? Then you have a massive amount of spam appearing on Twitter.

Thankfully, the team at We Heart It realised they had a problem, and that the problem was becoming a problem for Twitter users too. They tweeted that they were disabling sign-in and sharing via Twitter.

Tweet from WeHeartIt

And later they posted a blog article, expressing their "regret" about the "Twitter account issues".

WeHeartIt expresses regrets

In our ever-connected online world, cyber attacks have become one of the unfortunate realities. Today, We Heart It’s technical team discovered that we were one of several applications impacted by a hacker using connected Twitter accounts to send out falsified Tweets. This attack was reported to have begun several days ago in Australia.

Earlier today, as a precautionary measure we temporarily disabled access to We Heart It via Twitter accounts while we investigated the incident. This access has now been restored.

It appears that only a small fraction of We Heart It’s users were impacted by the “spam” hack and at this time, we have no indication that any of our users’ personal information was compromised as a result of this attack.

We sincerely regret that this incident occurred. We are working diligently, internally as well as with Twitter, to investigate the root cause and will provide further updates as more information becomes available.

By the way, have you noticed how companies aren't prepared to actually apologise and say "sorry" anymore? Anything which even hints at a cock-up is dressed up in dull terms like "account issues" with a half-mumbled "regret", rather than a genuine "Sorry, we messed up".

I imagine it's paranoid legal teams making that call rather than marketing folks who might be more attuned to the notion that if you treat users with respect and show some heart, they might love you a little bit more and gain greater loyalty even if you did goof.

I, for one, look forward to hearing more from We Heart It about what precisely went wrong.

We Heart It says it has now resolve the issue, and that it hasn't seen any evidence that users' personal data was exfiltrated during the exercise.

However, there certainly wouldn't be any harm - in my opinion - if you changed your We Heart It password at the very least, and ensured that it wasn't the same as any other password you might use on the internet.

(Visited 232 times, 1 visits today)

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

One Response

  1. AngieJ

    April 27, 2014 at 7:50 pm #

    This spam impacts in numerous ways > hack > malware > navigation route via fake article with untrue celebrity endorsements that bypasses any company web terms and conditions – if you find terms they are unfair and no proactive acceptance of terms required by user – high amounts of money taken from bank accounts of those who sign up for the 'trial'. It's been going on for a couple of years based on 'ketone spam' research. It's the same illegal spam approach, just rename of product.. All the UK Banks and consumer protection bodies are aware, their resources overwhelmed by consumer complaints.

Leave a Reply