Phishing Scam Harvests Tumblr Passwords

An ongoing phishing attack continues to steal login credentials of several thousand users on the social-blogging platform Tumblr.

The phishing attack harvests user login credentials for Tumblr accounts from a fake login page, Christopher Boyd and Jovi Umawing, security researchers at GFI Labs, wrote in their analysis of the Tumblr scam on 28 June. Once user credentials are stolen, the scammers hijack the user’s Tumblr page to spread the scam further.

The attack relies on Tumblr accounts that have already been compromised. The hijacked Tumblr pages look like the actual login page, with a message, “This page contains adult content. Please revalidate your credentials.” Scammers have collected thousands of login credentials using these zombie login pages, Boyd and Umwaing said.

“It seems the lure of sexual content will work as many times as Lucy can pull the football out each time Charlie Brown tries to kick it,” wrote Randy Abrams, director of technical education, on the ESET blog.

Fake login page

Once a user has been compromised, the scammers hijack the user’s Tumblr site and turns it into the fake login page. The account then “follows” other users. When users see a new follower and click on the name to see more information, they are shown the fake login page, restarting the attack cycle all over again.

“Somebody started following me so I went to check out their blog and just saw this [login screen]. Hurray, a new wave of virus going around tumblr,” wrote a user warning others of the scam.

There are also other phishing sites designed to look like official Tumblr pages that direct users to malicious domains that have the fake login screen in place.

The attack is “cunning” Abrams said, as it used URLs that look like they could be legitimate Tumblr addresses when they really aren’t. The three domains, tumblrlogin, tumblriq and tumblrsecurity, have been registered within the last two weeks and are being run from free hosting services, according to researchers. While they are no longer resolving, that doesn’t mean there aren’t other sites still tricking users, Boyd and Umwaing said.

A game of numbers

Firefox is already blocking the sites as dangerous. Tumblr is warning users to not enter passwords on any site other than the main login page and to change passwords immediately if phished. Tumblr is also restoring sites for those users who have been compromised and are still tracking down the source of the scam.

“Phishing is a game of numbers,” wrote Stefan Tanase, a senior security researcher at Kaspersky Lab, wrote on the Securelist blog. Even though many users are aware of phishing, enough still fall for the scam that cyber-criminals can still easily compromise thousands of accounts, Tanase said.

Boyd and Umawing claimed to have seen some of the data containing the stolen information. With “8,200 lines of text stretched across 304 pages of Microsoft Word,” the stolen data is “quite the goldmine of pilfered login credentials,” the researchers wrote.

Login information for a site like Tumblr might not seem like much, but a recent analysis on leaked password data and several high profile data breaches have shown that users continue to have a high rate of password usage across websites and services. Compromising one service often means attackers have enough information required to break into other services, including email and bank accounts.