I was reviewing the logs over at our WASC Distributed Open Proxy Honeypot Project and I noticed some interesting traffic. It looks as though Spammers are using the Twitter API to post their messages to their fake accounts. While the news of Spammers doing this is not new, the WASC honeypots are able to take a different vantage point and correlate account data.
Here is one example Spam posting transaction:
Notice the Authorization request header as the Twitter API requires basic authentication. The decoded user credentials are (format is username:password):
Now, looking at this one transaction in isolation doesn't yield much interesting data. What is interesting, however, is that I then did a search for all transactions to Twitter's API for June 21, 2010 and I found many more transactions all from different client IP addresses. I extracted out all of the unique Authorization headers and decoded them:
Notice anything interesting? They all have the exact same password. Since the password isn't one of the typical dictionary ones where it may be possible to have some users actually use the same password, we can only conclude that all of the accounts are controlled by the same person(s).
Recommendation for web sites
When new accounts are being created, check the new password against some form of hash tracking list to see how many users have that same password. If the password is widely used, then it can either be denied or placed on some form of fraud watch list.
If you check out the twitter pages of these fake accounts, you will see that they all have profile pictures of women (even though some of the account names seem male). This may be an attempt to try and disarm readers and entice them to click on the job/tool related links.
I checked out one of the links. The first URL shortener resolved to a second URL shortener and then onto the final site - DoNanza
$ wget http://proj.li/d62dIW--2010-06-21 14:18:45-- http://proj.li/d62dIWResolving proj.li... 188.8.131.52Connecting to proj.li|184.108.40.206|:80... connected.HTTP request sent, awaiting response... 301 Moved PermanentlyLocation: http://bit.ly/d62dIW [following]--2010-06-21 14:18:45-- http://bit.ly/d62dIWResolving bit.ly... 220.127.116.11, 18.104.22.168, 22.214.171.124, ...Connecting to bit.ly|126.96.36.199|:80... connected.HTTP request sent, awaiting response... 301 MovedLocation: https://www.donanza.com/publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb#uexox [following]--2010-06-21 14:18:45-- https://www.donanza.com/publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpbResolving www.donanza.com... 188.8.131.52Connecting to www.donanza.com|184.108.40.206|:443... connected.HTTP request sent, awaiting response... 200 OKLength: unspecified [text/html]Saving to: `publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb'[ <=> ] 11,236 --.-K/s in 0.1s2010-06-21 14:18:46 (99.4 KB/s) - `publishers?utm_source=twitter&utm_medium=pbl&utm_campaign=cpb' saved 
It seems as though the purpose of these Spam links/accounts is to do some affiliate or click schemes.