Breach, Data Security, Incident Response, Malware, Phishing, TDR, Threat Management

Phishing scam hits Twitter

Updated on Wednesday, Jan. 7 at 1:24 p.m. EST

Thousands of Twitter users may have had their accounts hijacked and passwords taken in an ongoing phishing campaign.

The first wave of the campaign surfaced this weekend when Twitter users began receiving fake direct messages (DMs) stating, “hey! check out this funny blog about you [URL],” with a link to a phishing site -- a bogus but legitimate-looking Twitter login page that attempts to trick users into handing over their username and password.

The phishing attack directed users to a server in China, Richard Stiennon, chief research analyst of consultancy IT-Harvest, told SCMagazineUS.com Monday.

Twitter, a popular micro-blogging site that allows users to communicate with others through a series of short messages known as "tweets," posted a blog entry about the incident, warning users about the dangers of phishing sites and encouraging them to change their passwords.

Though the actual number of compromised accounts is unknown, Stiennon, who is also an avid Twitter user, estimated on his blog that some 10,000 people succumbed to the attack.

“Yesterday, I had 3,300 'followers' and received seven copies of the Direct Message inviting me to the phishing site," he said. "If my followers represent a cross section of five million accounts then you could calculate that over 10,000 people succumbed to the attack as evidenced by their DMs."

In an unrelated incident, an attacker was able to hijack the Twitter accounts of 33 high-profile members, according to a separate blog post on Monday. (SC Magazine had originally reported that this was related to the phishing scam).

The hacker performed a "dictionary attack" on a Twitter employee's account, an automated technique in which a program attempts to guess the password by trying a long list of possible answers. Once he was in, he gained potential acess to the credentials of all Twitter users because the victim had administrative privileges, according to a Wired story. The hacker later gave away the usernames and passwords upon request, through an underground forum.

As a result, a number of individuals were successful in posting fake updates, or "tweets," to 33 high-profile accounts, Twitter said. The accounts of Britney Spears, Fox News and President-elect Barrack Obama all seemed to include bogus updates, in some cases, bordering on the obscene.

With the phishing scam, Twitter said that the suspicious site to which the fraudsters are trying to divert users is being blocked.

“Look closely at the URL field," the company said. "If it has another domain besides Twitter but looks exactly like our page, then it's a fraud and you should not sign in."

The bogus messages seem to come from someone the user knows or has connected with – a social engineering tactic used to add legitimacy to the scam, Graham Cluley, senior technology consultant of Sophos, told SCMagazineUS.com Monday.

Meanwhile, a second wave of DMs is also being actively spammed to Twitter users. Users are receiving messages stating, “hey. i won an iphone! come see how here [URL],” with a link to a website that attempts to get users to again enter personal information, including cell phone numbers. The website also says it will sign users up for text messages at a cost. 

Individuals responsible for those messages may be making money as affiliates with the company that is offering the iPhone giveaway, Cluley said.

“By going to the website and filling in the form, they will make money by sending you text messages, and you will pay through your phone company,” he said. “I think one of the affiliates may be responsible for the spamming.”

Stiennon said the phishers may have launched the attack to make money by generating traffic to certain websites. Or the campaign could have served as proof-of-concept to demonstrate how many Twitter accounts are susceptible to compromise.

For example, consider the stock market implication had the hackers falsely posted on Fox News' Twitter page that GM filed for bankruptcy, Stiennon said.

“It's not limited to the social networking site,” Stiennon said. "The problems can cascade into real life.”

A third possibility, as played out Monday, is that hacked Twitter accounts were meant to embarrass their owners, Stiennon said.

Users should immediately change their passwords, and if they use those same credentials for other applications, such as banks, they should change those passwords too, Cluley said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.