I returned from my two weeks of paternity leave, logged in to my various online accounts and started to get myself back up to speed this Sunday evening. When I logged into my Twitter account I noticed an incongruously malevolent sounding message that had been sent to me anonymously:
The message is designed to use the classic FUD factor (Fear, Uncertainty and Doubt) to drive the recipients of this Spam to go and check out the TwitAnonymous site (or its sister site TwitterAnonimo in Portuguese) to find out which of their darkest secrets have been unearthed by this anonymous correspondent.
Given that Twitter is a platform designed to let anyone message anyone, and does not require any verification of identity at all, not even an email address, quite what is to be gained from an “anonymous tweeting service” is pretty much beyond me. Anyone can already create a throwaway Twitter account in seconds; all an intermediary adds is a third party that gets to see the message and whoever sent it. So let’s see if we can work out what the platform is really all about.
The first and most obvious revenue generators are the familiar Google Ads down the left hand side of the TwitAnonymous page, standard fare there and no real surprise but could there be a more sinister purpose behind the site?
What makes me think the site isn’t what it appears at face value? Firstly, it uses offensive and/or malevolent-sounding spam for self-promotion. Secondly, the site owners appear to have registered the Twitter accounts twitanonymous2 through twitanonymous30 for sending their indiscriminate spam. Thirdly, accounts 20 to 30 have already been suspended by Twitter “due to strange activity“.
It isn’t a credential-harvesting site: it never asks for your Twitter username or password in order to send an anonymous message, which may lend it some credibility in some eyes. It does, though, require you to complete a CAPTCHA before a message is posted. That could of course be there to prevent abuse of the service, but one has to ask whether a site with such questionable practices is really bothered about abuse.
Could it be that the sole purpose behind this offensive spam is to popularise a “service” whose real job is to get the unwary solving other sites’ CAPTCHAs on someone else’s behalf, a CAPTCHA relay? After all, it wouldn’t be the first time: we saw similar recently on PayPal phishing, Koobface has also tried its hand at CAPTCHA cracking, and of course there is the (in)famous CAPTCHA strip tease.
So, whether this particular site is just an annoying “service” that facilitates stalking and cyber-bullying, or something more sinister, remains to be seen. One cheap test for any such site is to type a deliberately wrong CAPTCHA answer: if the message is delivered anyway, the puzzle is plainly not protecting the site you are on, and you have to wonder whose signup form it was protecting. The fact remains that a means of generating a large, voluntary CAPTCHA-solving user base, without all that pesky distribution of malware or phishing mails, must be a very attractive prospect for cybercriminals.
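To make the relay idea concrete, here is a constructed, fully offline simulation of it. This is an added example, not code from the original post and not anything observed on TwitAnonymous: a stand-in “target” site that gates account creation behind a CAPTCHA, and a stand-in “free service” front end that pulls a fresh challenge from the target for every visitor, shows it to them, and spends their answer on a throwaway account while delivering their message regardless. The class names, the challenge format, the per-origin cap and the `human_solves` stand-in are all assumptions made for the illustration; the cap is one simple defence the target can apply because a server-side relay fetches every puzzle from a single origin.

```python
"""Constructed, offline simulation of a CAPTCHA relay ("laundering") scheme.
Added example, not from the original post. Nothing here talks to any real
site; the target service, the relay front and the visitor are all in memory.
"""
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase + string.digits


class TargetService:
    """Stand-in for a site that gates account creation behind a CAPTCHA.

    Each challenge is issued to a requesting 'origin' (think source IP). If
    max_open_per_origin is set, one origin may hold only that many unsolved
    challenges at a time (assumed defence): a relay that fetches every puzzle
    from its own server trips the cap, real visitors each arrive from their own.
    """

    def __init__(self, max_open_per_origin=None):
        self._open = {}                    # challenge_id -> (origin, expected answer)
        self._per_origin = Counter()       # origin -> unsolved challenges held
        self.max_open_per_origin = max_open_per_origin
        self.accounts = []

    def new_challenge(self, origin):
        """Return (challenge_id, image) or (None, None) when the origin is throttled.
        The 'image' dict stands in for the distorted picture only a human reads."""
        if (self.max_open_per_origin is not None
                and self._per_origin[origin] >= self.max_open_per_origin):
            return None, None
        cid = secrets.token_hex(4)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._open[cid] = (origin, answer)
        self._per_origin[origin] += 1
        return cid, {"pixels": answer}

    def register(self, cid, answer, username):
        """Consume the challenge; create the account only if the answer matches."""
        entry = self._open.pop(cid, None)
        if entry is None:
            return False
        origin, expected = entry
        self._per_origin[origin] -= 1
        if answer != expected:
            return False
        self.accounts.append(username)
        return True


class RelayFront:
    """The 'free anonymous messaging' site. Every CAPTCHA it shows a visitor is
    really a signup challenge it pulled from the target, all from one origin."""

    ORIGIN = "relay-server"

    def __init__(self, target):
        self.target = target
        self._pending = {}                 # visitor session -> target challenge id
        self.messages_delivered = 0
        self.throttled_visitors = 0

    def show_form(self, session):
        cid, image = self.target.new_challenge(self.ORIGIN)
        if cid is None:
            self.throttled_visitors += 1   # would fall back to no puzzle at all
            return None
        self._pending[session] = cid
        return image

    def submit(self, session, captcha_answer):
        """Deliver the visitor's message unconditionally (the puzzle never
        protected this site) and spend their solution on a throwaway account."""
        self.messages_delivered += 1
        cid = self._pending.pop(session, None)
        if cid is None:
            return False
        return self.target.register(cid, captcha_answer, f"bot_{secrets.token_hex(3)}")


def human_solves(image):
    """Simulated visitor reading the puzzle; a real one types what they see."""
    return image["pixels"]


def run_campaign(visitors, max_open_per_origin=None):
    """Push `visitors` people through the relay.
    Returns (messages delivered, accounts created on the target, visitors throttled)."""
    target = TargetService(max_open_per_origin)
    front = RelayFront(target)
    # Phase 1: everyone loads the form, so all relayed challenges are in flight at once.
    images = {f"visitor-{i}": front.show_form(f"visitor-{i}") for i in range(visitors)}
    # Phase 2: everyone sends their message, solving whatever puzzle they were shown.
    for session, image in images.items():
        front.submit(session, human_solves(image) if image is not None else "")
    return front.messages_delivered, len(target.accounts), front.throttled_visitors
```

Two things fall out of running it. With no defence, every delivered message buys the operator one account on the target, and no malware or phishing mail was needed. With a per-origin cap in place, messages still flow but account creation stalls at the cap, because every puzzle the relay requested came from its one server. Note also that `submit` delivers the message even when the CAPTCHA answer was wrong or absent, which is exactly the tell described above: a CAPTCHA that never blocks the thing it is apparently guarding is guarding something else.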