Phish... it's what's for dinner

Filed Under: SophosLabs, Spam

I've been watching the latest phishing attack happening on Twitter for the last week or so. It seems to be one major campaign that keeps changing the DM (direct message) text every couple of hours. It's been messages like:

"woah... you're on this "
"LOL..Nice look "
"This thing has your pic "

The links go to videos.twitter. and Sophos customers using the WS1000 are safe as we've been blocking the domain. Interestingly, we're now seeing new URL shorteners being used, such as and others. Seems the malware authors are tired of and blocking their stuff or perhaps because third-party applications such as TweetDeck won't preview those, but will happily open them.

I had someone ask the question "Why phish for Twitter credentials?" We saw this type of attack on Facebook. Lots of phishing messages, links, and posts were posted to capture credentials. Then later on we saw the malware attachments spammed out to the email addresses associated with the compromised accounts, and when the malware was run, it became part of a botnet to send yet more spam. Given this history, we are wondering if this will take a similar turn and start sending out malicious emails purporting to be from Twitter saying "Update your account/password" or "Updated Terms of Service, please open."

Another reason for the phishing attacks would be to expand the "attack surface". More and more people are tweeting from their iPhones, Androids, Blackberries, Palms and other smartphones. This means a whole new vector to be exploited, since again, most third-party Twitter apps do not preview the shortened URL.

We have to say it again, PLEASE be careful out there. Just because a message came from a friend/follower doesn't mean it's completely trustworthy. Check the link with an expander service such as LongURL, use NoScript and URL expander plugins, and keep your security software and OS up to date. Otherwise, your machine is likely to be "dinner".
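As an added illustration of the link-expansion check recommended above (not code from the original post or from Sophos), this Python example follows a shortened link's redirects hop by hop without rendering anything, then tests whether the final host really sits under twitter.com or only contains the name. The `sample_head` fetcher, the redirect table and every host in it are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data standing in for HTTP HEAD responses: url -> (status, Location).
# All hosts use reserved .example/.test names; none come from the original post.
SAMPLE_RESPONSES = {
    "http://short.example/a1": (301, "http://hop.example/r?id=7"),
    "http://hop.example/r?id=7": (302, "http://videos.twitter.login.test/session"),
    "http://videos.twitter.login.test/session": (200, None),
    "http://short.example/b2": (301, "https://twitter.com/example_user"),
    "https://twitter.com/example_user": (200, None),
}
REDIRECTS = {301, 302, 303, 307, 308}

def sample_head(url):
    """Hypothetical fetcher; a live one would send HEAD with auto-redirects off."""
    return SAMPLE_RESPONSES[url]

def expand(url, head=sample_head, max_hops=5):
    """Follow redirects one hop at a time, never fetching a body; return the chain."""
    chain = [url]
    for _ in range(max_hops + 1):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def is_brand_host(host, brand="twitter.com"):
    """True only for the brand's domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)

def assess(url, head=sample_head, brand="twitter.com"):
    """Expand a link and classify where it really lands."""
    chain = expand(url, head)
    host = urlsplit(chain[-1]).hostname or ""
    name = brand.split(".")[0]
    if is_brand_host(host, brand):
        verdict = "genuine"
    elif name in host.lower():
        verdict = "lookalike"  # brand name appears, but not under the brand's domain
    else:
        verdict = "other"
    return {"final": chain[-1], "hops": len(chain) - 1, "verdict": verdict}
```

A "lookalike" verdict means the brand name shows up in the host while the registrable domain belongs to someone else, which is the pattern a login-harvesting page relies on.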



About the author

Beth Jones Senior Threat Researcher, SophosLabs US Beth manages the day-to-day research and analysis activities of incoming suspicious malware threats that arrive in SophosLabs via customers, partners and prospects. Beth has worked in Sophos's Boston lab for more than five years and brings nearly a decade of network security experience to Sophos.