Twitter Reveals Phishing Attack Details

Officials at Twitter reset users passwords after malicious Torrent sites and “get followers fast schemes” caused a surge in followers for certain accounts

Twitter revealed more details about the phishing attacks that caused the company to reset the passwords on some user accounts.

According to Twitter Director of Trust and Safety Del Harvey, there was a sudden surge in followers for certain accounts during the last five days. For that reason, the company decided to push out a password reset to the accounts, he said.

After launching an investigation, Twitter officials linked part of the problem to malicious torrent sites.

“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own,” Harvey blogged. “However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.”

“Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information,” he continued. “This information was then used to attempt to gain access to third party sites like Twitter.”

Harvey stated that Twitter has not identified all of the torrent forums involved, but urged anyone who has signed up for one built by a third party to change their password there.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” he blogged. “Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.”

Not all of the accounts affected were linked to Torrent sites, Harvey added. A Twitter spokesperson told eWEEK Europe that some users had signed up for “get followers fast schemes.”

“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite,” said the spokesperson. “In one case, a number of accounts posted updates indicative of given their username and password to untrusted third parties. While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety.”

Twitter is no stranger to phishing. Last May for example, security vendor Sophos detected a phishing scam where attackers used a URL shortening service to disguise a link to a phishing site that requested the victim’s Twitter credentials. Sophos also recently published a survey highlighting the security risks of social networks such as Facebook, MySpace, Twitter and LinkedIn.

Twitter has made some tips for keeping accounts safe available here.