It seems that Twitter has lost control of its advertising system. This blog post will show you why it is dangerous to click on any Twitter advertising.

Twitter ads have always been a bit crap, but I’ve seen a recent influx in outright scams. Let me step you through a couple of examples.

A typical click-bait headline. What has our favourite celeb done this time?

In a moment of weakness, let’s click through…

Straight away we can see that the branding on the site has been set up to mirror a popular news website.

The “article” is a poorly disguised get-rich-quick scheme. Spoiler Alert! You will not get rich quick – you will get poor rapidly.

This is the sort of advert which shouldn’t get through a manual review. I’d argue that even automated tooling should be able to spot spam, scams, and frauds like this. But Twitter is completely asleep at the wheel here.

How do I know? Let’s look at who promoted the ad. Usually these scams are pushed by dormant account, or by freshly created accounts. In this case, it is promoted by an ordinary user. And, it appears that they are entirely blameless – this advert did not originate with them.

The user claims they didn’t post this. Someone has hijacked their account – probably by weak password reuse – and started spewing spam.

Why don’t people spot this?

Twitter promoted posts don’t have to show up on your timeline. Apple, for example, sends out lots of adverts like this:

Join us September 12 at 10 a.m. PDT to watch the #AppleEvent live on Twitter. Tap ❤️ below and we’ll send you updates on event day. pic.twitter.com/i9mGHTKhvu — Apple (@Apple) September 10, 2018

But if you take a look at twitter.com/apple – it looks like they haven’t ever tweeted!

If your account has been hijacked by a spammer, you won’t know about it.

No tweet will show up on your timeline, and your followers won’t be able to alert you. You cannot search for posts which have been promoted by you. The only way you’ll find out if your account has been compromised is if people start replying to the advert.

As far as I can tell, a regular user can’t delete a promoted Tweet from within Twitter. They have to use the Twitter Ad Platform. There is no way a normal user would know to do that.

It goes on

If you click the replies on promoted tweets, you’ll regularly see similar comments. Users claiming to have been hacked, and being unable to remove the offending tweet.

Twitter has a problem with deceptive adverts – as I wrote earlier this year “Crypto Scammers Abusing Twitter Cards via Redirects“.

You may think a promoted post is going to a site like CNN – but it could redirect you to a malicious site. For example, this promoted Tweet features Elon Musk and looks like it goes to CNN.com

If you’re daft enough to click on it, you go to this page. A reasonably convincing clone of CNN. Full of stuff about how you can’t lose money. Even has fake comments at the end, to give it legitimacy. But, you’ll notice, it isn’t a CNN domain. What’s going on?

Twitter generates preview “cards” for web addresses. In this case, we can use the Twitter Card Validator to see that the website sends Twitter to CNN – but the user is redirected elsewhere.

In short – Twitter’s advertising system is designed in such a way as to mislead the user about where their click will take them.

What can Twitter do to fix this?

Twitter could manually review adverts. Or make sure that the person promoting the tweet owns the domain they’re linking to. Or require 2FA before allowing users to buy adverts. Or they could notify users that their account is being used for advertising. Or any one of a dozen ideas I’m sure the gang at Twitter could come up with during a lunch break.

Or they could respond to users who ask them for help.

@TwitterSupport PLEASE DO SOMETHING ABOUT THIS SPAM! I cannot report it, delete it and a bunch of them keep popping up under my name that I did not post. It caused my computer to crash! Here is one of the linkshttps://t.co/YKRCNxrvvM — Devin Nunes' Jackass (@Fishblogger) May 25, 2019

There are so many blatantly deceptive adverts on Twitter, that I can only conclude that generating revenue is more important than protecting their users. That’s an unsustainable situation.

What can you do to stay safe?

When you click on a promoted Tweet, you have no way of knowing whether it was willingly sent by the user. You have no way of knowing where on the web that link will take you.

I urge you not to click on any Twitter adverts.