Scammers on the social media platform X (formerly known as Twitter) have escalated their tactics by exploiting global crises to deceive users into clicking on fake content.
Recent reports reveal that these bad actors are leveraging the ongoing war in Ukraine and earthquake warnings in Japan to entice unsuspecting users into visiting fraudulent websites, which ultimately lead to adult sites, malicious browser extensions, and shady affiliate marketing pages.
The Evolution of the Bot Problem on X
X has long struggled with a bot problem, with spammers and scammers continuously finding new ways to exploit the platform. However, recent developments indicate that these schemes have become more sophisticated, now targeting users with content that appears to be relevant and urgent.
For months, X has been inundated with posts that seemingly link to pornographic videos. However, upon clicking, users are redirected to fake adult sites—a classic bait-and-switch tactic. But the scammers have not stopped there.
New Tactics: Exploiting the Ukraine War and Japanese Earthquake Warnings
As tracked by Vigilant X users, including “Slava Bonkus” and “Cyber TM,” scammers have recently begun to diversify their bait, using sensational news stories to lure users. Posts have been circulating that purport to contain breaking news about Ukrainian forces invading the Russian city of Kursk or critical warnings about an impending earthquake in Japan’s Nankai Trough. These posts, designed to evoke a sense of urgency and fear, have successfully tricked many users into engaging with the content.
For example, one fake tweet about the Nankai Trough earthquake reads: “Emergency information on the Nankai Trough mega-earthquake: What should we be careful of from now on? It’s all summarized in this article. Please read it carefully and plan your schedule.”
The language used is designed to mimic the tone of genuine emergency communications, adding a layer of credibility to the scam.
The Mechanics Behind the Scam
Unlike the traditional bait-and-switch that redirects users to fake pornographic sites, these new posts feature what appear to be legitimate content warnings from X. However, these warnings are, in fact, just images embedded in the posts. When users click on these images, they are redirected to a URL at the app.link domain. From there, users are taken through a series of websites before landing on a scam site.
The final destination of these redirects varies. While many users end up on adult sites, others may find themselves on sites that attempt to install malicious browser extensions or push tech support scams. Some sites are part of affiliate marketing scams designed to generate revenue for the scammers at the expense of the victims.
How Scammers Avoid Detection on X
One of the reasons these scams are so effective is the way they manipulate X’s content display system, specifically the use of Twitter Cards. Twitter Cards are a feature that allows users to attach rich media—such as photos, videos, and summaries—to their tweets, thereby enhancing the visual appeal and click-through rate of the content.
When a post containing a URL is first created, X automatically reads the content at that URL to generate a preview, or “card,” that appears alongside the tweet. This preview includes an image, description, and other metadata that make the post appear legitimate.
However, scammers have found a way to exploit this system. When the app.link site detects that the connection is coming from X, it does not redirect the user to the scam site. Instead, it serves up a harmless HTML page containing the necessary Twitter Card metadata. This trick fools X into displaying the fake content warning image as if it were a genuine part of the post. Once the post is live, and users click on the image, the redirect sequence begins, leading them to the scam site.
The Impact and Response
The use of global crises as bait in these scams is particularly insidious, as it preys on users’ fears and concerns. By presenting what appears to be urgent and relevant information, scammers increase the likelihood that users will click on the links, thus falling into their trap. The consequences can range from exposure to explicit content to the installation of harmful software on their devices.
X has been working to combat these scams, but the ever-evolving tactics of scammers present a significant challenge. The platform relies on automated systems to detect and remove malicious content, but as scammers find new ways to evade detection, the effectiveness of these systems is put to the test.
Staying Safe on X
As users navigate X, it’s crucial to remain vigilant. Always double-check the legitimacy of content, especially when it appears to be linked to breaking news or emergency alerts. Avoid clicking on links from unfamiliar sources, and be cautious of posts that seem too sensational to be true. By staying informed and exercising caution, users can protect themselves from falling victim to these increasingly sophisticated scams.
In the meantime, X will need to continue refining its detection and prevention mechanisms to stay ahead of the scammers who continue to find new ways to exploit the platform and its users.
