Horrible blog going around about you? Or a Twitter phishing attack?

Filed Under: Phishing, Social networks, Spam, Twitter

Malicious TwitterYou may not realise it, but your Twitter account is worth money.

Cybercriminals are keen to compromise your Twitter account, so they can spam out messages (either as public tweets, or less obvious direct messages to your online friends) in the hope that some recipients will click on the links.

What lies at the end of the links can vary. It might be a webpage offering you a new wonder diet, or a pornographic website, or a link to a download designed to infect your computer.

But first they need to commandeer your Twitter account, and the simplest way for them to do this is just to ask you for your Twitter username and password.

Here's an example of the latest attack that has been seen on Twitter. The message arrives in the form of a direct message (DM), and has a pretty enticing reason for you to click on the link:

Phishing tweet

Read this yet? horrible blog going around about you [LINK]

In the example above, the DM has come from an account that has already fallen victim to the scammers. Ironically in this example, shared with us by Naked Security reader @basexperience, the owner of the account which has been taken over by cybercriminals is a division of the UK's Sussex Police Force. Whoops.

So, what happens if you click on the link?

Well, you'll be taken - via some redirects - to a website which looks like this.

Twitter phishing website

At this point, you think that your Twitter session has timed out - and you may well be tempted to enter your userid and password.

Stop. Right. There.

Let's take a closer look.

Close-up of Twitter phishing website

Did you notice? This site isn't the real twitter.com - it's a lookalike phishing site called "twittelr", designed to steal your login credentials so cybercriminals can use your account to spew out spams, scams and other nasty links. They could even read your private DMs if they wanted.

If your Twitter account has been sending out messages that you didn't authorise, change your password immediately (make sure it's unique, and you're not using it anywhere else on the web), and visit Settings/Connections to double-check that you have only allowed applications you are comfortable with to integrate with your account.

If you're on Twitter and want to learn more about threats, be sure to follow me at @gcluley and the rest of the @NakedSecurity team on Twitter.

, ,

You might like

3 Responses to Horrible blog going around about you? Or a Twitter phishing attack?

  1. John · 1102 days ago

    LOL Most people don't care until it happens to them, and then they are relatively alone in the caring department. It will not be until "the authorities" do something serious and extreme to curb this ind of crap that anything meaningful will happen. There are too many other important things (like getting mine for me right now) going on for this to ever get any meaningful attention. Track down the culprits, make it very, very painful, and it will go away; not worth the risk. Threat it like a mild annoyance and it will get worse, like it has been.

  2. GoodHackers · 1101 days ago

    Their database is flooded and can't take no more requests, + (site has been reported to US-phishing gov)

    site Header response:
    HTTP/1.1 200 OK
    Date: Sun, 30 Oct 2011 01:46:48 GMT
    Server: Apache/1.3.33 (Unix) mod_throttle/3.1.2
    X-Powered-By: PHP/4.3.11
    Connection: close
    Content-Type: text/html
    Content-Length: 526

    Site body Response: (they write to a file)

    Warning: fwrite(): supplied argument is not a valid stream resource in /www/users/twittelr.com/app/login3.php on line 6

    Warning: fclose(): supplied argument is not a valid stream resource in /www/users/twittelr.com/app/login3.php on line 7

    Warning: Cannot modify header information - headers already sent by (output started at /www/users/twittelr.com/app/login3.php:6) in /www/users/twittelr.com/app/login3.php on line 8

  3. If you use one of the various password handling programmes (I use 1Password - https://agilebits.com/onepassword), but the others should works similarly, then this attack will fail (unless you deliberately force it to enter your password) because the domain of the requesting page does not match the domain that you originally set the password for within 1Password.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.