Los Angeles — Twitter users were targeted again on Wednesday by what appears to be the second phishing attack in a week: a message reading “This you????” followed by a link that leads to a fake Twitter log-in page, according to a blog post by Sophos’ Graham Cluley. Users are warned not to click on links in “This you????” messages.
The attack spreads via messages tagged “This you????” followed by a link to an external site built to harvest passwords. Earlier in the week, a phishing attack using “Lol” messages spread via direct messages and was widely distributed because third-party services such as GroupTweet forward direct messages to groups of users, according to Sophos. Compromised accounts were then used to send pharmaceutical spam for herbal Viagra.
This screenshot shows the message sent in the latest phishing attack to hit Twitter. (Credit: Sophos)
Both attacks direct victims to a fake log-in page. If a user enters their log-in credentials, the attackers gain control of the account and can retweet the phishing message from it.
Users who provide their log-in details are shown a bogus Twitter “fail whale” error before being redirected to the real Twitter home page, so they may not realize that their credentials have been compromised.
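The attack pattern described above (a lure phrase plus a link whose host is not the real site) is easy to screen for mechanically. The following is an added example, not code from the article or from Sophos: it extracts links from a message, classifies each link's host as the legitimate domain, a lookalike (the brand name embedded in some other domain, optionally with digit-for-letter substitutions), or an unrelated external site, and flags messages that pair a known lure phrase with a non-legitimate link. The lure phrases, the set of legitimate domains, the sample messages and the two-label "registrable domain" shortcut are all assumptions made for this example; a real deployment would use a public suffix list and a maintained lure list.

```python
import re
from urllib.parse import urlparse

# Assumption: the only host on which the real log-in page lives.
LEGIT_DOMAINS = {"twitter.com"}

# Assumption: lure phrases seen in the two campaigns described above.
LURE_RE = re.compile(r"this you\?+|\blol\b", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Digit/symbol substitutions commonly used to imitate a brand name.
_HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "|": "l"})


def registrable_domain(host):
    """Naive eTLD+1: last two labels of the host (assumption; use a public
    suffix list for real traffic, where e.g. co.uk has three labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_host(host):
    """Undo common lookalike tricks so 'tw1tter' or 'rnail' compare as intended."""
    return host.lower().translate(_HOMOGLYPHS).replace("vv", "w").replace("rn", "m")


def classify_link(url):
    """Return 'legit', 'lookalike' or 'external' for one URL."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # The brand appears in the host, but the registrable domain is not ours:
    # e.g. twitter.com.login-verify.example or tw1tter-login.example.
    if any(d.split(".")[0] in normalize_host(host) for d in LEGIT_DOMAINS):
        return "lookalike"
    return "external"


def analyze_message(text):
    """Return lure flag, per-link verdicts and an overall suspicious flag.

    A message is suspicious when it carries a lure phrase together with at
    least one link that does not land on the legitimate domain."""
    lure = LURE_RE.search(text) is not None
    links = [(u, classify_link(u)) for u in URL_RE.findall(text)]
    suspicious = lure and any(v != "legit" for _, v in links)
    return {"lure": lure, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample messages; the hosts are invented for this example.
    samples = [
        "This you???? http://twitter.com.login-verify.example/login",
        "lol http://tw1tter-login.example/",
        "This you???? https://twitter.com/someone/status/123",
        "worth a read http://example.org/article",
    ]
    for s in samples:
        print(analyze_message(s))
```

Note that the third sample is not flagged even though it carries the lure phrase: the link really goes to the legitimate domain, and flagging every "This you????" would also catch users discussing the attack. The check is deliberately host-based because the article's point is that the harvesting page lives off-site; it cannot tell whether the legitimate host itself is serving malicious content.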
“It is bad enough if hackers gain control of your Twitter account, but if you also use that same password on other web sites (and our research shows that 33 per cent of people do that all of the time) they could access your Gmail, Hotmail, Facebook, eBay, PayPal, and so forth,” wrote Sophos senior technology consultant Graham Cluley in a blog posting.
“So be careful about the links you click on, choose a strong password and, if you have found that you are spreading suspicious messages from your Twitter account or believe that you have been compromised, change your passwords immediately.”
Data security firm Imperva recently reported that passwords to Web 2.0 services such as Twitter are fetching high prices on the cybercrime black market.
“There are accounts of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account,” said chief technology officer Amichai Shulman.
“Twitter accounts are very precious to criminals who will use almost any technique to collect user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said.
“If this is not a wake-up call to anyone with multiple IDs that use the same password, I do not know what is. Internet users — especially those with business accounts — need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” he added.
Security-as-a-service firm ScanSafe released a set of guidelines yesterday outlining what to do if a social networking account has been compromised.