Off the rails: Twitter, passwords and Twittertrain

If someone promised they could get you hundreds of new followers on Twitter every day, would you believe them?

Would you be prepared to hand over your Twitter username and password to them?

Well, a website called Twittertrain is promising to do just that – inviting fans of the micro-blogging website to enter their credentials.

However, what’s worst of all is that hundreds and hundreds of Twitter users are currently advertising the site, all with the same message:

OMG WOW Im getting 100s of followers a day. Check out this site

I don’t think I’m sticking my neck out too far if I predict that these users are not choosing to advertise the Twittertrain site themselves. My guess is that someone else is posting the messages promoting the Twittertrain site. Now, who on earth would be motivated to do that, I wonder?

And what are they planning to do with all these usernames and passwords?

[Image: Twitter user advertising the Twittertrain website]

Here’s a short video I’ve made demonstrating the scale of the problem:


Of course, you’re playing a very dangerous game if you hand over your username and password to a website like this. There’s no promise that you will get the hundreds of new followers that you are dreaming of, and furthermore hackers might break into your account to send spam, spread malware or launch further phishing attacks.

Certainly the number of Twitter users promoting Twittertrain today suggests that something very fishy is going on.

If you did make the mistake of giving Twittertrain your username and password, change your passwords immediately. You can read some more tips about passwords in the video I posted here.

Hat-tip: Thanks to @rik_ferguson for first bringing this attack to my attention.