Hackers Are Taking Over Twitter Accounts to Advertise Face Masks

Hackers have taken over a wave of Twitter accounts to aggressively advertise a website that claims to be selling face masks and toilet paper during the coronavirus pandemic.

The news highlights the sorts of unusual steps those trying to make a profit during the pandemic are taking. Accounts posted hundreds of tweets linking to the website over the last few hours.

"Wearing mask make you away from COVID-19," one tweet in broken English from a hacked account reads, which then includes a tweet to a website called "Masks 2 U."

Todd Feathers, a writer who covers artificial intelligence and surveillance for Motherboard, confirmed hackers targeted his account to post the message.

"According to Twitter, my account was last accessed by a computer in Virginia, about 40 minutes before I logged on and realized what was happening," he said in a Twitter direct message.

From there, as well as posting a tweet advertising the masks website, whoever was in control of Feathers' account sent direct messages to a high number of his followers with a link to the site as well, Feathers said.

"They sent DMs to what looks like all (or at least a lot) of my followers with a link to masksfast [.] us and some variation of the message: 'Masks save lives.'," Feathers said.

Searching for the site on Twitter reveals a heavy stream of other accounts posting the link on Tuesday. Some of these accounts also appear to have been hacked—the accounts themselves were created years ago and posted relatively normal content before the masks site tweet.

"I didn't post this!" one person tweeted after their account posted a link to the masks site. Hackers may have compromised the accounts earlier rather than hacking them simply for posting this specific link.

The barebones website itself claims to sell face masks, respirators, digital thermometers, and toilet roll. It is unclear if it is purely a scam designed to take money without delivering a product, or whether the site actually has access to the products.

Whoever controls the site created it on Monday, according to online records. Feathers said he received an email from Twitter saying someone had accessed his account from Virginia just before his account posted the link to the masks website. The hackers may have been using a computer based in Virginia but are themselves located elsewhere, however.

Motherboard found other near identical masks websites hosted on the same IP address as the site mentioned by the hacked accounts. Some of these sites were created a few days earlier.

Twitter told Motherboard the company had acted against a number of accounts and URLs around this recent activity, and pointed to its policy banning malicious use of bots and inauthentic accounts.

"Currently, our team is not seeing large-scale coordinated platform manipulation surrounding the Covid-19 conversation. As is standard, we will remove any pockets of smaller coordinated attempts to distort or inorganically influence the conversation. Additionally, we’re continuing to review and require the removal of Tweets that do not follow the Twitter Rules—half of which we catch before they’re ever reported to us. If people see anything suspicious on our service, please report it to us. This is an evolving global conversation and we will remain vigilant," a Twitter spokesperson wrote in an emailed statement.

Subscribe to our cybersecurity podcast, CYBER.