Users are lured by messages posted from the accounts of earlier victims. They read: "WOW --> I have spent 38.1 hours on Twitter! See how much you have: [LINK]"
Clicking on the link takes people to a page prompting them to authorize an app called "TimeSpentHere" to use their accounts.
The app asks for permission to read a user's tweets, see who they follow, update their profile and, most importantly, post tweets on their behalf. This last functionality is being abused and serves as the scam's propagation mechanism.
Users who grant the app access to their account are then taken to a page that asks them to enter their email address, ostensibly for verification, before their calculated time is displayed.
"Possibly this is an attempt to harvest email addresses, which could be used later for a phishing campaign or malware attack.
"It could - of course - be weeks or months before the scammers use any information they grab for criminal purposes," warns Graham Cluley, senior technology consultant at Sophos.
Scams built on rogue apps are becoming increasingly common on Twitter, after actively plaguing Facebook users for more than a year.
If the Facebook attacks are any indication, they will not go away anytime soon, so users need to learn not to grant untrusted apps access to their accounts.
Users who have fallen victim to this latest scam should open their account settings, go to the Applications tab, and revoke access for TimeSpentHere and any other app they do not recognize or need.
They should also go back through their timeline and delete any spam tweets the app posted without their knowledge, so that their followers are not lured in turn.
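Finding the tweets to delete by hand is tedious once an app has been posting for a while. The following is an added example, not code from the article, Sophos or Twitter: it flags tweets either posted by a named rogue app or carrying the lure text, working on tweet objects in the shape Twitter's v1.1 API returns, where the `source` field is an HTML anchor whose text is the posting app's name (or the bare string `web`). The sample tweets, the app name list and the URLs are constructed for the example.

```python
import re

# Constructed sample tweets, trimmed to the fields used here (id, text, source).
# Shape follows Twitter API v1.1 status objects; the content is made up.
SAMPLE_TWEETS = [
    {"id": 101,
     "text": "WOW --> I have spent 38.1 hours on Twitter! See how much you have: http://example.invalid/t",
     "source": '<a href="http://example.invalid" rel="nofollow">TimeSpentHere</a>'},
    {"id": 102,
     "text": "lunch was great",
     "source": '<a href="http://twitter.com" rel="nofollow">Twitter Web Client</a>'},
    {"id": 103,
     # Lure text manually copied by a user from another client: caught by the text pattern.
     "text": "I have spent 12.5 hours on Twitter! See how much you have: http://example.invalid/u",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>'},
    {"id": 104,
     # Innocuous wording but posted by the rogue app: caught by the source check.
     "text": "Thanks for trying it out!",
     "source": '<a href="http://example.invalid" rel="nofollow">TimeSpentHere</a>'},
    {"id": 105,
     "text": "Reminder: revoke apps you don't recognize under Settings > Applications",
     "source": "web"},
]

# Apps whose tweets should be removed outright (assumed list; extend as needed).
ROGUE_APPS = {"TimeSpentHere"}

# Lure wording from the article; the hour count varies per victim.
LURE_PATTERN = re.compile(r"I have spent \d+(?:\.\d+)? hours on Twitter", re.IGNORECASE)

_SOURCE_ANCHOR = re.compile(r"<a\s[^>]*>(.*?)</a>", re.DOTALL)


def source_app_name(source):
    """Return the app name from a v1.1 `source` field ('<a ...>Name</a>' or bare 'web')."""
    m = _SOURCE_ANCHOR.fullmatch(source.strip())
    return m.group(1).strip() if m else source.strip()


def is_scam_tweet(tweet):
    """Flag a tweet if it came from a known rogue app or carries the lure text."""
    if source_app_name(tweet["source"]) in ROGUE_APPS:
        return True
    return LURE_PATTERN.search(tweet["text"]) is not None


def scam_tweet_ids(tweets):
    """IDs of tweets to delete, in timeline order."""
    return [t["id"] for t in tweets if is_scam_tweet(t)]


if __name__ == "__main__":
    for tid in scam_tweet_ids(SAMPLE_TWEETS):
        print("delete tweet", tid)
```

Matching on the app name alone would miss lure tweets a victim re-posted from another client, and matching on text alone would miss anything else the app posts, so both checks are applied. The IDs returned are what you would hand to the delete call for each tweet.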