'Your online timer' survey scam spreading rapidly on Twitter, warns Sophos

Sucheta Dalal 15 Mar 2011

Once the application, 'Your online timer' is approved, users are taken to a website which claims it will find out the time spent to date on Twitter—and the page pops up a survey which earns the scammers money for each questionnaire completed

Moneylife Digital Team

IT security & data protection firm, Sophos, has warned Twitter users to be cautious, following the discovery of new rogue applications designed to help scammers earn money by spreading links that point to online surveys.

Following attacks this weekend, which saw users spreading messages about a girl who killed herself and how addicted they were to Twitter, new messages are appearing on Twitter on Tuesday claiming to count how long users have been members of the social networking website, Sophos said in a release.

"Viral scams like these are commonly encountered on Facebook, but are now being spread by their creators onto Twitter too. It's possible that the people behind these attacks view Twitter users as a softer target, which might generate them more income," said Graham Cluley, senior technology consultant at Sophos.

According to Sophos, these offending tweets contain a variation on the following text, with the amount of time shown differing between users:

"I have spent 379 days, 9096 hours on Twitter. How much have you? Find out here: [LINK]"

The messages, posted by an application called "Your Online Timer", include a link, which-if clicked on by other Twitter users-will encourage them to authorise "Your Online Timer" to access and update their Twitter accounts. If the application is approved, users will be taken to a website, which claims it will find out the time spent to date on Twitter-and the page pops up a survey which earns the scammers money for each questionnaire completed. In addition, without explicit approval, the Twitter account of the victim is updated with a status update-spreading the link virally to other Twitter users.

"Social networks have a responsibility to protect their users from scams and spam-but ultimately it's down to the user to think very carefully before handing over the keys to their social network account to a complete unknown application," said Mr Cluley.

Affected users should revoke the application's access to their Twitter account immediately. This can be done by entering 'Settings-Connections' and revoking the rights to the relevant application.

"If the application's access to your account is not revoked, the scammers could use it to spread other messages-potentially including links to malicious websites, phishing or other spam campaigns. The last thing you want is for your Twitter followers to believe that you are being sloppy over your account's security, and potentially putting them at risk too," added Mr Cluley, who was voted as 'security blogger of the year' in 2009 and 2010 by readers of Computer Weekly.