Twitter gets targeted again by worm-like phishing attack
Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.
The culprit is a Web site called TwitterCut. Some Twitter users began getting a message that appeared to be from one of their friends and included a link to the TwitterCut Web site. The message implied they could gain more Twitter contacts by following the link.
At one time TwitterCut looked quite similar to the real Twitter login page, said Mikko Hypponen, chief research offer for the security vendor F-Secure.
If a person entered their login details, TwitterCut would then send the same message via Twitter to all of the victim's contacts, a kind of phishing attack with worm-like characteristics. No malicious software is installed on a user's machine, Hypponen said.
Although TwitterCut probably holds the login details for many accounts, it doesn't appear those accounts have been used to spam out links to more dangerous Web sites.
TwitterCut's Web site has been reported to services that blacklist potentially harmful Web sites, although it is still active. In a warning message now on TwitterCut, the site's operators said they didn't mean to phish people.
Instead, they say they were trying to create a so-called Twitter Train, which are sites that purport to quickly give Twitter users lots of followers. They said they bought the login script on their site for US$50.
"We were not phishing Twitter accounts whatsoever," the message said. "We're shutting down this site."
Hypponen said Twitter should be on the lookout for signs of spam, such as when an identical message appears hundreds and hundreds of times across users' profiles that isn't a "retweet," or the intentional reposting of other content.
Twitter could also screen URLs (Uniform Resource Locators) to make sure they're not already blacklisted for security issues, Hypponen said. Many Web browsers as well as search engines will either warn about or block suspicious Web sites.
Most URLs posted in Twitter have been shortened using services such as TinyURL in order to fit in the 140-character message length that Twitter imposes, obscuring the real destination and making users dependent on the trustworthiness of their friends when clicking links. The service was hit by other worms earlier in the year.
Twitter acknowledged the phishing problem late Tuesday night.
"We are currently pushing a password reset on accounts we believe may have been caught in a phishing scam," the company said. "Please exercise your best judgment when thinking about releasing your username and password to third parties."
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
