Twitter Phishing Attack (Ongoing)

January 5, 2009

Twitter has been suffering through an ongoing phishing attack since some time yesterday. Generally speaking, the attack consists of a direct message (sometimes, apparently, from people you don’t follow or who don’t follow you) inviting you to click on a link to see a funny blog post or a blog post about you. Most of the tweets take a form similar to:

Check out this blog type website. you need to see it.. http://bloggertwit.access-logins.com/login

VERY IMPORTANT: The access-logins.com site has nothing to do with Twitter and is a phishing site. DO NOT GIVE IT YOUR PASSWORD.

It looks like the attackers are now shifting their strategy and using compromised accounts to send direct messages directing people to a site which redirects them to an affiliate, earning the attackers money for each click. The most recent message I received:

hey. i won an iphone! come see how here http://helloiphones.com

That site consists of a single page that then redirects to a free game site through an affiliate tracking link. Please don’t feed the beast by clicking on those links either as you’re helping to line the pockets of the scumbags who are perpetuating this in the first place.

If you’re a Twitter user, please help fight the attack by doing the following:

  • Change your password on Twitter. You can find the Password fields on your Password page. Remember that you’ll need to change it with any third party applications you use, but double-check that they’re legitimate before you do.
  • If you receive a direct message from one of your friends and it contains a link that takes you to a form asking for a Twitter password, DO NOT PROVIDE ONE. The forms have been designed to look like login forms for Twitter or other reputable services but are not. Logging in, as tempting as it might be, will compromise your account and spread the attack.
  • If you get a phishing direct message from a friend, direct message them back to let them know their account has been hacked and they need to change their password ASAP.
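The check the second bullet asks readers to make by hand (does this link really go to Twitter, or to a look-alike login page?) can be automated on the receiving side. The following is an added example, not code from the original post or from Twitter; it triages a direct message by extracting its links, comparing each hostname exactly against an assumed allowlist of genuine Twitter hosts, and flagging login-looking pages elsewhere. The sample messages are the two quoted in the post plus two constructed ones, and the allowlist and lure-phrase list are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts that may legitimately present a Twitter login form.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}

# Assumption: phrases typical of the lures quoted in the post.
LURE_PHRASES = ("check out", "you need to see", "come see", "about you", "won a", "won an")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def host_is_trusted(host):
    """Exact hostname match only: 'twitter.com.evil.example' and
    'bloggertwit.access-logins.com' both fail, whatever they look like."""
    return host.lower().rstrip(".") in TRUSTED_LOGIN_HOSTS


def classify_url(url):
    """Label one URL as 'trusted', 'credential-risk' or 'external'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host_is_trusted(host):
        return "trusted"
    # A login-looking path, or 'twit' in a non-Twitter hostname, is a credential lure.
    if "login" in path or "signin" in path or "twit" in host:
        return "credential-risk"
    return "external"


def triage_message(text):
    """Return a dict with a verdict ('phishing', 'suspicious' or 'ok')
    and the label assigned to each URL in the message."""
    labels = {url: classify_url(url) for url in extract_urls(text)}
    lowered = text.lower()
    lured = any(phrase in lowered for phrase in LURE_PHRASES)
    if "credential-risk" in labels.values():
        verdict = "phishing"
    elif lured and "external" in labels.values():
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "urls": labels}


# Constructed sample set: the two messages quoted in the post, one benign
# Twitter link, and one look-alike hostname built for this example.
SAMPLE_DMS = [
    "Check out this blog type website. you need to see it.. http://bloggertwit.access-logins.com/login",
    "hey. i won an iphone! come see how here http://helloiphones.com",
    "resetting my password at https://twitter.com/login, back in a minute",
    "is this you? http://twitter.com.access-logins.example/login",
]


def triage_all(messages=SAMPLE_DMS):
    """Return the verdict for each message, in order."""
    return [triage_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for dm, verdict in zip(SAMPLE_DMS, triage_all()):
        print(f"{verdict:10s} {dm}")
```

The exact-match rule is the point: a hostname that merely contains "twitter" is treated as a risk, not as a reason for trust, which is precisely the mistake the phishing form relies on.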

There is some hope on the horizon: the Twitter team have acknowledged that they need to move to a more sophisticated form of authentication for API access that would no longer require you to give your password to third party sites. They are working on an implementation of OAuth (you’ve used OAuth if you’ve ever granted an application access to Flickr or a number of other sites), which they are expecting to be in beta soon. Maybe this will speed it up!


3 Comments for “Twitter Phishing Attack (Ongoing)”

  1.

    Your best bet is to find out who the affiliate is and complain about the spam. If they don't get any money they will not get paid; if they don't get paid they will lose that server!! Just an idea!!

  2.

    Your last paragraph explains the real issue at work here. Twitter has trained people that it's cool to hand out their password to anyone and everyone asking for it. I'm actually surprised more people haven't had their accounts stolen by one of the many random sites that needs your password to do much of anything.

  3.

    [...] know — and maybe that’s part of what makes the Twitter community so vulnerable to phishing attacks — but a handful of retweets later and we raised over $7,000 in less than two hours for a family [...]
