Hacked Snapchat accounts use native chat feature to spread diet pill spam 

Oct 02, 2014 06:08 PM

In May, Snapchat released an update to the popular photo-messaging application that put the “chat” into Snapchat by allowing users to send messages within the app. We previously warned that criminals would inevitably leverage this feature in future spam campaigns. Sure enough, a number of Snapchat users have recently reported receiving chat messages and photos from their friends promoting diet pill spam.

Fruit spam on Snapchat
This is not the first campaign of this type we have seen. In February 2014, a number of Snapchat accounts were compromised and used to send images of fruit drinks, promoting websites called FrootSnap and SnapFroot.

Figure 1. Fruit spam on Snapchat in February 2014

The fruit-themed spam messages required users to manually visit the websites, and this extra step presented a challenge for the spammers. These websites redirected to a site designed to look like Groupon.com, promoting a miracle diet solution called Garcinia Cambogia.

New diet pill spam on Snapchat
The latest round of Snapchat spam has seen spammers leveraging the native chat functionality instead.

The compromised Snapchat accounts send out a photo message of a box of Garcinia Cambogia, which is followed by a chat message that includes a suspicious link containing ‘groupon.com’ in the URL.

Figure 2. New Snapchat spam using native chat feature

As we reported in our previous blog, a link from someone who isn’t your Snapchat friend is not clickable. However, by compromising Snapchat accounts, spammers are able to send messages with clickable links to everyone the compromised account is friends with.

Our video explains why attackers compromise social media accounts to promote diet pills.

Snapchat issued a statement to the BBC, saying that the accounts promoting these miracle diets were compromised. Snapchat said that credentials, obtained through a breach of another website, were reused on Snapchat accounts. Snapchat claims that these accounts were compromised because certain users reused the same password on multiple websites.

Secure your Snapchat account
There is no denying that password reuse is problematic and users should never use the same password for multiple sites; however, passwords by themselves are not enough. Some social networks have introduced two-step verification to help prevent unauthorized login attempts. Until Snapchat implements this feature, we strongly encourage users to change their Snapchat passwords to something stronger and, most importantly, something unique.
