Evil Twitter Tweets

It’s a jungle out there. I always say that in my Photoshop Madness column. But when I mentioned it on FaceBook, Jeff Fisher and several others didn’t seem to believe it. Then I get this flaming email about warning people! So I stalked a stalker from Twitter just to prove … it’s a jungle out there

QUESTION FROM READER   Why do I say “it’s a jungle out there”?
QUESTION FROM READER  
Why do I warn of stalker links and other evils on web pages?

Here’s the REST of the story

I’ve always said “surf with care” … and in Photoshop Madness, I always warn you about stalker links and so forth.

So, one day, I get this email from a highly disgruntled reader (possibly one of those tweet jerks I wrote about) who flamed me royally for always warning readers about stalker links and the denizens of the web in my articles. I appreciate feedback, but I don’t appreciate it when it flames me, and calls me a liar. Anyone who knows anything about the web knows that my assertions of caution are well grounded in truth, proven again and again. But this writer wants me to cease calling attention to bad tweets, misleading links, and dishonest behavior on the web. Well folks, when it stops, I will stop talking about it.

I won’t publish his post here — but what I will do is provide you, and him, with an example of what I’m talking about. If you don’t care to be warned about such low-lifes, then don’t read this article, move along. If you’ve got some time to kill, you can run this exercise for yourself.

Trapped in Twitter Hell

Evil twitter tweets, links and users

The keywords are always there — enticing and compelling: amazing, inspirational, free, downloads, brushes, actions, templates and lots more to wet your appetite for something awesome or something of real value for free. Twitter is perfect for the “bait and switch” technique that in other media would be totally frowned upon, or illegal. The tweet says: “200 amazing free Photoshop brushes” but you click to find only a web of links that give you nothing but gives the site owner lots of juicy views and clicks. It’s like the grocery store ad that reads: “Fresh, organically grown Chicken, now just $1” and you get to the grocery store to find the product at $6.95. The guy says “sold out.” How many did they price at $1? One, maybe? They baited you, then switched. You’ve been had.

For my demonstration I opened the Photoshop 911 Twitter account, scrolled down and picked the first link that looks promising. I had seen the 200 actions and all the others tweeted ad nauseam — many of the Photoshop tweeters tweet the same links over and over. But there appeared one I hadn’t seen before:

Artistic Edges – Rons Collection Photoshop Brushes

Okay, that sounds really great … let’s go:

stupid tweeters who don't look where they're tweeting

So I clicked. I was immediately taken to a page that looks like this:

Photoshop links go to stalker sites

So, where’s the content? The header is there, you can see that — but it looks like nothing else but advertising links. So I look more carefully — yes, there’s the link — it says “Photoshop Brushes”

reveals pop-up ads and stalker links

In this diagram screen capture you’ll see the obvious link for the aforementioned downloads. Hovering over that link reveals the ‘ad’ pop-up — which, as you can see has nothing to do with Photoshop Brushes what so ever. Clicking the link, WITHOUT the hover pop-up took us here: click for screen of arrival.. The site just got paid for my click – to ‘tooth brushes’ not Photoshop brushes.

But there’s more… notice how this crook cleverly set up the “actual” link as plain text – no hyperlink. Sure, he wanted you to click the ad link. (Is this illegal? No. Is this dishonest? I think so.) Now, I see the actual link — copy it and paste it into a new browser window. Here’s where the fun begins.

The Anatomy of a Spam Site

In a 1996 WebDesign survey, of thousands of users who filled out the form, a 95% majority called “screen spam” their most hated thing about the web — meaning “links or graphics advertising or revenue generators that have nothing to do with the content.” Maybe people have become numb to screen spam… but not me!

What a lot of people aren’t immediately aware of is how some sites do nothing but spam. You can always tell when the ratio of spam rises greater than the ratio of actual content. Let me show you what’s REALLY in this web page.
Click to view a thumbnail screen capture of the true web file. (Click here for a full size screen capture, but beware, it’s 7,773 pixels deep. Roughly 13 pages.)

By reading the code on this page, you see the owner is not interested in content at all. The single mission of this web page is to get you to click on a link, or do something that will generate revenue. That’s the site’s only purpose — to make money.

The reason I provide the above two links to the code is to validate the fact that in order to read the actual content of the page you were looking for — which was equal to 155 characters or 19 words:

> Artistic Edges - Rons Collection Photoshop Brushes

> See the rest here:

> http://www.downturk.info/

> 85332-artistic-edges-rons-collection-photoshop

> -brushes.html

… you downloaded 23,511 characters; 3,198 words, spread over more than 400 lines of text. That’s how much junk there was on the page in order to deliver 155 characters. That’s a content-to-junk ratio of less than 1% (one percent content to junk ratio! 50% is acceptable. 49% or less is spam.)

Trail of hazzard links

Evil Twitter Links and TweetsWhere’s the Content ??? Well, we haven’t gotten there yet. If you look into that code however, you’ll find all kinds of other ways this crook is trying to hook you into sending him money for nothing. It is amazing how much time and effort went into deceiving you.

Throughout the code we find all sorts of stalker codes, hidden behind the scenes. Like Chitika code for the word “mortgage”

Chitika writes in a hidden html comment:

“You will NOT be able to see the ad on your site! This unit is hidden on your page, and will only display to your search engine traffic (from US and CA). To preview, paste the code up on your site, then add #chitikatest=mortgage to the end of your URL in your browser’s address bar. Example: www.yourwebsite.com#chitikatest=mortgage. This will show you what the ad would look like to a user who is interested in “mortgages.”

So, let me ask how many of you out there are interested in “mortgages” who will navigate to this page based on a Twitter recommendation from a very frequent tweeter promising “Artistic Edges”?

Now, ask yourself, why this person tweeted this 66 times on Twitter? To me, the answer is fairly obvious. Yet, I have no idea if the two are connected, but we do know the singular purpose of these links is to scoop in unwary surfers looking for the content and not getting it. Is this illegal? No. Is it dishonest, YES.

Show us the Content ???

Okay. Let’s say you really want these Photoshop edges. The spam-grinder isn’t finished with you yet. We copy the text link in the previous page and paste it into the browser and it, goes through several other pages, eventually landing us here:

But, where’s the content?? Oh! There it is in very small type, overshadowed by more and more advertising. But there’s no link.


Scrolling down the page brings us to the actual ad. Ahhhh, we’ve arrived — so we think. There’s the ad, with image, some tiny samples and a blinking “DOWNLOAD” button — which does nothing but point to these three links. Choose one. (They all do basically the same thing) I chose “Extabit” which brings me to the page in this screen capture. We think now we can download it, and click on “download” … but we’re whisked off to this screen, surrounded by ads, again stalling the download.

We dutifully fill in the captcha, and click “accept” and immediately go to this page (click for screen capture) — with yet another “Download” link — and now we think we’ve hit the holy grail. Unfortunately NOT. We’re immediately taken to an online gambling site (screen capture) with a very small “download” link at the top. Are we there yet? YES! Clicking the link initiates the download.

Ron_artistic_edges.rar
from : http://guest101.extrabit.com
Stuffit Expander File

So what’s the bottom line? Keep reading . . .

Bottom Line: Twitter Traps disguised as “Photoshop”

By this point, I know I’ve been had. Did you keep count of how many pages and clicks we went through? We were unable to calculate how much revenue we generated for the various players in this game, but it’s more than just a few. Are they all somehow related? No idea. But we do know that stalker links all along the way were sending referral pings to other various sites, and recording our actions. A quick Google Search on the actual file reveals that the actual file was only posted 12 hours ago — about two hours before this tweeter began tweeting these tweets. (There is no guessing how many re-tweets it got, all from over-zealous Twitter tweeters.)

Now, for a real wake-up call, this Google search will illustrate how many people have replicated THAT file across the internet! So, here’s Today’s Search. Can you believe that??? From three to hundreds?

Ask a few questions

I continued searches for about an hour and failed to reveal any other mention of who “Ron” is, or where the file may have originated. However I did gather some interesting information about how a Twitter user can be lead down a trail that does nothing but produce someone else revenue.

NOTE
The domains in the trail after Twitter are outside the U.S.
NOTE
Download links are in Amsterdam, Netherlands, at three IP blocks known for spam and malware.
NOTE
“Download Turk” is in Cyprus with forged Whois info.
NOTE
Download domains use WhoisGuard “spam” domains, a known spam / malware trick to evade detection
NOTE
The “Bit.ly” link in the tweet went to a site in Delhi, India.
NOTE
All of the pages and links encountered in this exercise follow patterns documented as similar to those used by cybercrime, stalking and phishing entities. This tweeter, or who ever is behind this sad trail went to great measures to avoid detection or identification.

Who do you follow on Twitter?

Can we draw some connection between this sordid trail of abuse and the person who kept tweeting this again and again? I don’t know. There’s no clue as to who is, where he’s at, or why he’s tweeting so much about Photoshop. Maybe he’s just an over-zealous fan.
NOTE
He has 1,849 followers, and he follows 85
NOTE
he has tweeted more than 7,096 tweets
NOTE
He has tweeted 80 links in the past 12 hours. (one every 9 minutes)
NOTE
One link was tweeted 19 times, and another 24 times in that period – which leads me to believe they are somehow connected to him, or a revenue source for him. Why else would you tweet so many times in so short of period of time? What did you do 80 times in the last 12 hours?

I checked a few of the other links in his feed, and they went along the same scenario, other than an occasional link to CreativePro, Smashing or some other valid address. Yet, NONE of the links went to the original author’s site. ALL went to some site replicating the same links to other sites.

I’ve run out of time. But you get the picture. If this particular episode is truly innocent, then fine. But what worries me is all those 1,700 followers are re-tweeting the same links. This particular link does eventually get you the file. But only after some considerable time and effort — while all the time, you don’t have a clue whether or not the file is any good, or if it’s just malware to plant a worm or zombie on your computer.

I would provide the file here for you and save you the trouble, however: the file “Ron_artistic_edges.rar” contains a .exe file that won’t load on the Mac. So if I cannot proof it, then I’m not going to provide it for download. For all I know it’s carrying a worm — this scenario is characteristic of Botnet worm purveyors. The folder also contains a link and an ad for templates4share dot com located in Saarbrcken, Deutschland (188.165.122.0) where every single download follows the above twists and turns to renegade download sites. Some end up on Pharma-spam pages rather than online gambling. So I’m immediately suspicious of connections between this file provider and cybercrime.

Be careful what you click -- beware of malware and phishing sites

Ladies and gentlemen, please do us all a favor:
NOTE DO NOT TWEET unless you KNOW what you are tweeting, and
NOTE DO NOT CLICK on images, links or perceived downloads until you
NOTE LOOK at the status bar and understand where the link will take you.
In the course of writing this article we encountered more than a dozen other heavy tweeters in the Photoshop genre which follow the SAME pattern.

Like always say: it’s a jungle out there!

Thanks for reading

Fred Showker

Don’t forget … we encourage you to share your discoveries about favorite or famous graphic designers and illustrators with other readers. Just comment below, join the forums for discussion, or give me a tweet at Twitter/DTG_Magazine


Here are just a few of the evil goings-on behind the scene of tweeting, and, just a few more things to watch out for in the online jungle:


Warning: Evil Tweets

Evil Twitter Marketing Techniques

Classic (And Evil) Twitter Spam

How to increase Twitter Followers… the evil way!

State of Twitter Spam

Here Comes Twitter Spam And How To Fight It (techcrunch.com)

Twitter Spam: 3 Ways Scammers are Filling Twitter With Junk

Get Paid To Tweet? (Twitter)

Can You Get Paid to Tweet?