Video of Twitter phishing: The BZPharma 'LOL this is funny' attack

Filed Under: Phishing, Social networks, Spam, Twitter, Video

Twitter users are being warned about a widespread phishing attack spreading across the service, designed to steal the usernames and passwords of unsuspecting members.

Messages include

Lol. this is me??
lol , this is funny.
Lol. this you??

followed by a link of the form

http://example.com/?rid=http://twitter.verify.bzpharma.net/login

where 'example.com' varies from message to message: the leading domain changes, but the rid parameter points at the same fake Twitter login page hosted on bzpharma.net. As we have seen many variations of the full URL, you would be wise to avoid clicking on any link which refers to bzpharma.net at the very least.
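Because the front domain is disposable, a blocklist of outer hostnames alone will miss the next variant. The check below, an added example written for this page rather than code from the original post or from Sophos, parses each link, pulls out any redirect target carried in the query string, and flags a link if either the outer host or the redirect target sits on a known bad domain or impersonates Twitter with a lookalike hostname. The blocklist, the list of redirect parameter names and the sample links are assumptions constructed for the example; only bzpharma.net and the rid parameter come from the post.

```python
from __future__ import annotations
from urllib.parse import urlparse, parse_qs

# Constructed sample links in the shape described above. The leading host
# varies; the phishing destination rides in the "rid" parameter.
SAMPLE_LINKS = [
    "http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "http://another-host.example/?rid=http://twitter.verify.bzpharma.net/login",
    "http://example.com/?rid=https://twitter.com/home",  # benign: real twitter.com
    "http://example.com/page?id=42",                     # benign: no redirect at all
]

# Domain known to host the phishing pages (from the post); an assumed blocklist.
BLOCKLIST = {"bzpharma.net"}
# The only registrable domain that legitimately serves the Twitter login.
LEGIT_DOMAINS = {"twitter.com"}
# Query-parameter names commonly used to carry a redirect destination (assumption).
REDIRECT_PARAMS = ("rid", "url", "redirect", "next", "goto", "r")


def _hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _in_domain(host: str, domain: str) -> bool:
    # True for the domain itself and any subdomain of it; a suffix-only test
    # would wrongly accept "nottwitter.com".
    return host == domain or host.endswith("." + domain)


def redirect_targets(url: str) -> list[str]:
    """Return every value of a known redirect parameter that is an absolute http(s) URL."""
    params = parse_qs(urlparse(url).query)
    targets = []
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if urlparse(value).scheme in ("http", "https") and _hostname(value):
                targets.append(value)
    return targets


def classify_link(url: str) -> tuple[str, str]:
    """Classify a link as ('phish', reason), ('suspicious', reason) or ('ok', '').

    Walks the outer URL and any redirect target it carries, so the verdict does
    not depend on which disposable domain fronts the lure.
    """
    for candidate in [url] + redirect_targets(url):
        host = _hostname(candidate)
        if any(_in_domain(host, bad) for bad in BLOCKLIST):
            return "phish", f"{host} is on the blocklist"
        # "twitter" appearing in a hostname that is not under twitter.com is the
        # lookalike pattern used in this campaign (twitter.verify.bzpharma.net).
        if "twitter" in host and not any(_in_domain(host, ok) for ok in LEGIT_DOMAINS):
            return "suspicious", f"{host} impersonates Twitter"
    return "ok", ""


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  {reason}")
```

The lookalike test is deliberately coarse: it will also flag unrelated hosts that happen to contain the string "twitter", which is the right trade-off for a warning banner but would need a proper allowlist before being used to block outright.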

Watch this YouTube video for more details:


Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it's clear that the dangerous links are also being posted in public feeds. This means that you can stumble across the links even if they aren't sent to you directly, and even if you are not a signed-up user of Twitter.

The messages appear to be spreading more widely because of third-party services such as GroupTweet, which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.

As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!

Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

Twitter phishing website on bzpharma.net

The page then displays a "fail whale" screen, claiming that Twitter is over capacity, before sending you on to the real Twitter home page. As a result, compromised Twitter users may not realise that their login details have been stolen.

Interestingly, the bzpharma.net site doesn't appear to have been set up for Twitter phishing alone. It also hosts a page designed to steal the online identities of users of the Bebo social networking site:

Bebo phishing page on bzpharma.net

If you have been tricked by the phishing attack and handed over your username and password, change your Twitter password immediately. If you used the same password on any other site, change it there too: stolen credentials are routinely tried against other services.

We're going to see many more attacks against social networks in the future I'm afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.

Update: The phishing campaign appears to be bearing fruit for the hackers, as they are now distributing spam selling herbal viagra from the compromised accounts.

Sophos at RSA

PS. If you're attending the RSA Conference in San Francisco next month, please come and hear me talk about the growing problem of cybercrime on social networks.

I'll be showing some live demonstrations of attacks and discussing how the problem has grown in the last year.

I'm also roped into giving regular presentations on the Sophos booth on the subject of social networking security, and I'm giving a conference paper "Web 2.0 Woe: Cybercrime on social networks" (Session ID: HT1-204 1pm, 3 March 2010).

I look forward to seeing some of you there.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.