Twitter continues to approve malicious ads that, in at least one case, masqueraded as an offer from Twitter itself to help users get their accounts verified.

The ads led users to a website that asked for account information such as their email address and Twitter password, in addition to requesting details about the user’s online payment accounts.

“These are nothing less than phishing attempts designed to steal users’ credentials as well as their financial information,” Jérôme Segura, the lead malware intelligence analyst for Malwarebytes, told BuzzFeed News. “The harvested data is typically resold in bulk on various darkweb marketplaces.”

When combined with the email address and other information collected in the form, the payment details could be used to break into a user’s online payment accounts.

Segura said this type of phishing attack has been running on Twitter “for years,” and frequently exploits the platform’s Promoted Tweets advertising product. A similar scheme was identified early last year. Twitter’s Promoted Tweets product enables a user to take a tweet from their account and turn it into an ad that can appear in other people’s timelines.

This attack could be also used to target specific users in order to gain access to their Twitter account, as well as related online accounts, according to Segura.

“Because promoted tweets can be configured to be displayed for a particular audience, they could in theory be used for more targeted phishing campaigns as well,” Segura said.

Twitter’s advertising policies are already under scrutiny after it acknowledged late last year…

[SOURCE]