Twitter has been hit by a wave of spam promising “pure garcinia cambogia” – a vegetable extract used in weight loss supplements. High-profile accounts such as Jane Fonda’s fell victim, with attackers compromising Hootsuite accounts to gain entry.
Twitter has been hit by a wave of spam promising “pure garcinia cambogia” – a vegetable extract often used in weight loss supplements.
The link, promising a “free Groupon of garcinia cambogia”, appeared on both Twitter and Facebook and was spread via celebrity accounts such as Jane Fonda’s, according to TechCrunch. Other users reported seeing the same message on Facebook, which led to the attack being traced to Hootsuite – a “social media dashboard” which allows users to post to both.
The link led to a bogus Groupon page, offering a deal on the herbal supplement. The URL was modified to look similar to a “real” Groupon page. TechCrunch said it was “a classic phishing tactic that the attackers hope will net either Groupon login details or more likely financial information when they go to order said supplement.”
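A lookalike URL of the kind described above is easy for a reader to miss but easy for a tool to flag. The following added example, which is not code from the article or from any of the companies named in it, shows a minimal defender-side check: it treats the registrable domain as the only thing that matters, and labels a link as a lookalike when that domain is untrusted yet borrows a trusted brand name. The trusted-domain list and the sample links are constructed for the illustration and are assumptions, not values from the article.

```python
from urllib.parse import urlparse

# Constructed list of brand domains that legitimate deal links are expected to use
# (example values chosen for this illustration, not taken from the article).
TRUSTED_DOMAINS = {"groupon.com"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels ('www.groupon.com' -> 'groupon.com').

    Simplification: production code should consult the Public Suffix List so
    that hosts under suffixes like 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to catch 'gr0upon' vs 'groupon'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means the registrable domain is not trusted, yet the link
    borrows a trusted brand name: as a subdomain label, inside a label, as
    a one-typo variant, or in the userinfo part before '@'.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike"          # e.g. groupon.com.deals-example.net
        if len(labels) >= 2 and edit_distance(labels[-2], brand) == 1:
            return "lookalike"          # e.g. gr0upon.com
        if parsed.username and brand in parsed.username.lower():
            return "lookalike"          # e.g. http://groupon.com@evil.example/
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, in the style of the lure described in the article.
    for link in [
        "https://www.groupon.com/deals/garcinia",
        "http://groupon.com.deals-example.net/free",
        "http://gr0upon.com/offer",
        "http://groupon.com@evil.example/",
        "http://example.org/page",
    ]:
        print(f"{classify_url(link):9s} {link}")
```

The design choice is to decide on the registrable domain alone: everything to the left of it (subdomains, brand names, userinfo) is under the attacker's control, which is exactly why these lures work on people. The two-label rule is a stand-in for the Public Suffix List, which a real deployment should use.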
Twitter quickly added a warning of unsafe content to the link on its web version.
Hootsuite said in a statement, “Today, less than .01% of HootSuite’s user base (approximately 7000 HootSuite users) were affected. In this case, the unauthorized users accessed HootSuite through a third-party application using OAuth.”
Hootsuite said that “Hootsuite itself has not been compromised or hacked,” but that people had logged in to Hootsuite using user IDs and passwords acquired elsewhere.
Hootsuite said, “Likely, people are using the same password for both HootSuite and the other social network or online service,” and directed customers towards a best practices blog, “to help educate users on how to create a more secure password.”
“In response, we’ve temporarily disabled access to OAuth from the affected third-party online service, and will continue to deploy efforts to keep our users safe. We ask that customers who experience an unauthorized post to one of their social accounts change their username and password on all their online accounts that use that same username and password.”