New phishing campaign ongoing

May 22, 2009 08:02 GMT

A new phishing campaign has hit microblogging service Twitter, security researchers warn. Users are spammed with a short URL pointing to tvviter.com, where a fake Twitter login page attempts to trick them into handing over their login credentials.

As with many phishing schemes, this one preys on people's curiosity, which shows in several aspects of the attack. First, the crooks set up fake, randomly named accounts such as 3XNJTVJG0SYIKDH. Each account then posts a single update of the form "check this guy out [TinyURL]."

The account then starts following other users, whom Twitter notifies by e-mail about their new follower. The strange name alone may be enough to entice people to look at the profile and see the bait message. Clicking the shortened URL takes them to tvviter.com, where they are served a Twitter-like login page.

The page is meant to make users believe that, for some reason, their session has expired and they must log in again to reach the destination page. The domain name was chosen deliberately: tvviter, with a double v standing in for the w, is easy to mistake for twitter at a glance, so potential victims have little reason to suspect anything.
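Defenders can catch this class of look-alike domain automatically. The following is an added example, not code from the article or from Sophos: it folds visually confusable character sequences (vv for w, rn for m, and so on) and then compares the result with a protected-brand list, flagging tvviter.com as an imitation of twitter.com. The brand list, the confusable table and the sample URLs other than tvviter.com are constructed for the example.

```python
from urllib.parse import urlsplit

PROTECTED = {"twitter.com"}  # constructed list of brands whose logins we protect

# Character sequences that render almost identically to a single letter
# (constructed table; extend as needed).
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def fold_confusables(label: str) -> str:
    """Rewrite confusable sequences to the letter they imitate."""
    out = label.lower()
    for seq, letter in CONFUSABLE_SEQUENCES:
        out = out.replace(seq, letter)
    return out


def registrable_domain(url: str) -> str:
    """Crude registrable domain: last two labels of the hostname (fine for .com brands)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a dropped or swapped letter the folding step misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(url: str):
    """Return the protected brand a URL imitates, or None for the brand itself / unrelated hosts."""
    domain = registrable_domain(url)
    if domain in PROTECTED:
        return None
    folded = fold_confusables(domain)  # tvviter.com -> twiter.com (still one t short)
    for brand in PROTECTED:
        if folded == brand or edit_distance(folded, brand) <= 1:
            return brand
    return None


# Constructed sample: the article's tvviter.com plus made-up hosts.
SAMPLE_URLS = ["http://tvviter.com/login", "https://twitter.com/home",
               "http://twltter.com/", "http://example.org/"]


def scan(urls):
    """Map each URL to the brand it imitates (None when clean)."""
    return {u: lookalike_brand(u) for u in urls}
```

Note that a brand name used as a subdomain of an unrelated registrable domain is not caught by this check and needs a separate rule.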

"Further analysis suggests that there are many other bogus Twitter users out there telling you to 'check this out' and pointing to the same TinyURL link this morning," Graham Cluley, senior technology consultant at Sophos, warns. He also cautions that falling for this trick "could lead ultimately to some painful identity fraud, as well as your account being used for the purposes of spam or spreading malware."

Twitter's popularity boom over the past year has also attracted many cybercriminals looking to profit from its heavy traffic and massive user base. This year in particular, the site's administrators have had to deal with a constant stream of security incidents, ranging from phishing and spam campaigns to clickjacking and account hijacking through brute force and social engineering.

Several serious cross-site scripting weaknesses have also been found on the website. Last month, Twitter staff were forced into a cat-and-mouse game with a hacker calling himself Mikeyy, who released at least four XSS-based worms on the network in the course of a single week.