Horrible blog going around about you? Or a Twitter phishing attack?

by Graham Cluley on October 14, 2011 | 3 Comments

Filed Under: Phishing, Social networks, Spam, Twitter

Malicious TwitterYou may not realise it, but your Twitter account is worth money.

Cybercriminals are keen to compromise your Twitter account, so they can spam out messages (either as public tweets, or less obvious direct messages to your online friends) in the hope that some recipients will click on the links.

What lies at the end of the links can vary. It might be a webpage offering you a new wonder diet, or a pornographic website, or a link to a download designed to infect your computer.

But first they need to commandeer your Twitter account, and the simplest way for them to do this is just to ask you for your Twitter username and password.

Here's an example of the latest attack that has been seen on Twitter. The message arrives in the form of a direct message (DM), and has a pretty enticing reason for you to click on the link:

Phishing tweet

Read this yet? horrible blog going around about you [LINK]

In the example above, the DM has come from an account that has already fallen victim to the scammers. Ironically in this example, shared with us by Naked Security reader @basexperience, the owner of the account which has been taken over by cybercriminals is a division of the UK's Sussex Police Force. Whoops.

So, what happens if you click on the link?

Well, you'll be taken - via some redirects - to a website which looks like this.

Twitter phishing website

At this point, you think that your Twitter session has timed out - and you may well be tempted to enter your userid and password.

Stop. Right. There.

Let's take a closer look.

Close-up of Twitter phishing website

Did you notice? This site isn't the real twitter.com - it's a lookalike phishing site called "twittelr", designed to steal your login credentials so cybercriminals can use your account to spew out spams, scams and other nasty links. They could even read your private DMs if they wanted.

If your Twitter account has been sending out messages that you didn't authorise, change your password immediately (make sure it's unique, and you're not using it anywhere else on the web), and visit Settings/Connections to double-check that you have only allowed applications you are comfortable with to integrate with your account.

If you're on Twitter and want to learn more about threats, be sure to follow me at @gcluley and the rest of the @NakedSecurity team on Twitter.

Tags: , ,

3 Responses to Horrible blog going around about you? Or a Twitter phishing attack?

  1. John says:
    October 14, 2011 at 8:59 pm

    LOL Most people don't care until it happens to them, and then they are relatively alone in the caring department. It will not be until "the authorities" do something serious and extreme to curb this ind of crap that anything meaningful will happen. There are too many other important things (like getting mine for me right now) going on for this to ever get any meaningful attention. Track down the culprits, make it very, very painful, and it will go away; not worth the risk. Threat it like a mild annoyance and it will get worse, like it has been.

    Reply Report comment
  2. GoodHackers says:
    October 15, 2011 at 10:49 pm

    Their database is flooded and can't take no more requests, + (site has been reported to US-phishing gov)

    site Header response:
    HTTP/1.1 200 OK
    Date: Sun, 30 Oct 2011 01:46:48 GMT
    Server: Apache/1.3.33 (Unix) mod_throttle/3.1.2
    X-Powered-By: PHP/4.3.11
    Connection: close
    Content-Type: text/html
    Content-Length: 526

    Site body Response: (they write to a file)

    Warning: fwrite(): supplied argument is not a valid stream resource in /www/users/twittelr.com/app/login3.php on line 6

    Warning: fclose(): supplied argument is not a valid stream resource in /www/users/twittelr.com/app/login3.php on line 7

    Warning: Cannot modify header information - headers already sent by (output started at /www/users/twittelr.com/app/login3.php:6) in /www/users/twittelr.com/app/login3.php on line 8

    Reply Report comment
  3. @nmeth says:
    October 16, 2011 at 11:58 am

    If you use one of the various password handling programmes (I use 1Password - https://agilebits.com/onepassword), but the others should works similarly, then this attack will fail (unless you deliberately force it to enter your password) because the domain of the requesting page does not match the domain that you originally set the password for within 1Password.

    Reply Report comment

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <pre> <q cite=""> <strike> <strong>

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.