Twitter attack sends disturbing “Watch Movies/ Cartoons/ TV Shows” spams

Update: More than 1000 tweets have gone out with no perceived action from Twitter. Hopefully someone is working on this issue and will assist the victim accounts with resetting their passwords.

Update 2: Twitter took care of this issue on Monday morning.

Over 350 Twitter accounts have been compromised. This time they are being used to send out spam messages that direct people to a website that specializes in videos of “cute young boys.” The site does not appear to contain child pornography, but it is obviously walking that line very carefully.
[Screenshot: hacked Twitter accounts]

These messages all share the common theme of trying to lure you to watch different types of online videos, and include a seemingly random number after the URL. Because this attack is not using a URL shortener, it is more difficult to put a stop to it without the assistance of the Twitter staff.
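The pattern described above (near-identical lure tweets whose only variable part is a trailing number after an unshortened URL, posted from many accounts) is what makes the campaign easy to group once the number is stripped. The following is an added example, not code from the original post: it normalizes each tweet's URL by dropping the trailing number and flags any URL pushed by several distinct accounts. The tweets and the `spam-example.invalid` domain are constructed placeholders, not the site named in the article.

```python
import re
from collections import defaultdict

# Constructed sample tweets (account, text). The domain is a placeholder,
# not the site named in the article.
SAMPLE_TWEETS = [
    ("acct_a", "Watch Movies online free http://spam-example.invalid/v 48213"),
    ("acct_b", "Watch Cartoons here http://spam-example.invalid/v?90127"),
    ("acct_c", "Watch TV Shows now http://spam-example.invalid/v/33021"),
    ("acct_d", "Slides from my talk: http://conference.example/slides"),
    ("acct_a", "Watch Movies online free http://spam-example.invalid/v 77110"),
]

URL_RE = re.compile(r"https?://\S+")
# The lure theme the post describes: "Watch Movies / Cartoons / TV Shows".
LURE_RE = re.compile(r"\bwatch\s+(?:movies|cartoons|tv\s+shows)\b", re.I)
# A number glued to the URL after a separator (/123, ?123, =123).
TRAILING_NUM_RE = re.compile(r"[/?=]\d+$")


def campaign_key(text):
    """Return the tweet's URL with its trailing random number stripped,
    or None when the tweet does not match the lure wording at all."""
    if not LURE_RE.search(text):
        return None
    m = URL_RE.search(text)
    if not m:
        return None
    tokens = text[m.start():].split()
    url = tokens[0]
    # A bare number as the next token is the random suffix; it is simply
    # ignored. A number attached to the URL itself is stripped.
    url = TRAILING_NUM_RE.sub("", url)
    return url.rstrip("/?")


def find_campaigns(tweets, min_accounts=3):
    """Group lure tweets by normalized URL and return those pushed by at
    least min_accounts distinct accounts, with the accounts involved."""
    by_key = defaultdict(set)
    for account, text in tweets:
        key = campaign_key(text)
        if key:
            by_key[key].add(account)
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_accounts}


if __name__ == "__main__":
    for url, accounts in find_campaigns(SAMPLE_TWEETS).items():
        print(f"{url}: {len(accounts)} accounts -> {accounts}")
```

Accounts listed for a flagged URL are the ones that need a password reset, which is the remediation the post asks Twitter to help with.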

The attack began around 8:00 PDT (15:00 UTC) Saturday morning and seems to still be in progress. Like many previous attacks it appears to be using the direct API method of posting the Tweets, avoiding the hassle of having users authorize the application via OAuth. Twitter has announced they will be discontinuing the old API method, and this is more proof that they can’t do it soon enough.

The current HTTP API makes it easy for attackers to brute-force passwords of Twitter accounts, and unfortunately users are making this even easier. People choose very poor, easy-to-guess passwords for sites like Twitter, figuring that it is “not an important site, like my bank.” They are playing right into the hands of the sickos who are perpetrating these attacks.

Lesson? Use secure passwords everywhere… PLEASE. Your carelessness is causing the rest of us a lot of grief, and in this case has led me to a place on the internet I would rather not know about and wish didn’t exist.