Twitter Suffers Second Phishing Attack In A Month

Micro-blogging site Twitter has been hit by a phishing scam aimed at stealing users’ login details and passwords, and hijacking their accounts.

Scammers sent out direct messages on Twitter – containing text such as “lol, is this you”, “Lol. this is me??” and “lol, this is funny” – and linking to a site called “bzpharma.net”. Victims who click the link are redirected to a fake Twitter login page hosted on a website in China, where they are encouraged to enter their login details.

Once the hackers have the passwords they can use the accounts to send spam emails to all the users’ contacts. They can also change the users’ passwords, leaving their accounts inaccessible.

Twitter staff have warned users that the phishing messages are being sent by direct message, but Graham Cluley, senior technology consultant at security firm Sophos, says that they are also being posted in public feeds.

“Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds,” Cluley wrote in a blog post. “This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.

“It appears that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message functionality and allow private messages to be sent to multiple users, and optionally made public,” he added. “As a result we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves.”

Cluley advises anyone who has been tricked by the phishing attack and accidentally handed over their username and password to change their password immediately.

This is the latest in a stream of security issues on Twitter. Earlier this month reports emerged of another phishing attack on the micro-blogging site, resulting in administrators blocking some users’ accounts and forcing them to reset their passwords. Twitter officials linked part of the problem to malicious torrent sites.

“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own,” blogged Twitter Director of Trust and Safety Del Harvey. “However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.”

A recent report by data security specialist Imperva found that stolen Twitter credentials can be worth big bucks to criminals. “There are reports of Twitter credentials changing hands for up to $1,000 (£628) owing to the revenue generation that is possible from a Web 2.0 services account,” said the firm’s chief technology officer, Amichai Shulman. “This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the ‘popularity’ of the account in question.”

“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is,” he added. “Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials.”

Sophie Curtis
