Note: Written by Aaron Newman, President & Founder of Techrigy SM2
This morning, as I connected to Twirl, I got a few odd DMs. They are listed below:
- davidlower hey look at this funny blog http://rosalierebyb.blogspot.com/
- jeffreynew hey look at this funny blog http://rosalierebyb.blogspot.com/
- bretbernhoft hey look at this funny blog http://rosalierebyb.blogspot.com/
And:
- AntiqueCellar Hey, i found a website with your pic on it... LOL check it out here http://twitterblog.access-logins.com/login
Seeing the exact same DM from three different accounts made it clear to me that something wrong was going on. I clicked through to @bretbernhoft's timeline and saw:
- bretbernhoft Someone has just hacked my account. I am going to change my password. Sorry to everyone for the hassle!
This seemed to confirm my suspicions. Of course, being a founding member of the Web Application Security Consortium (http://www.webappsec.org/), I had to see where these links led. You should not follow these types of links unless you know what you are doing.
I booted up a clean virtual machine, disabled JavaScript, and followed the link. The link to http://rosalierebyb.blogspot.com/ uses a redirect to send you to http://twitterblog.access-logins.com/login. This page is an exact copy of the Facebook login page and is a ruse. Many unsuspecting users will see this page and think they must enter their Facebook username and password. This is a big no-no. Never give an untrusted site the username and password for another application.
Note: Within 15 minutes of my first test, Google jumped on this and disabled the blog http://rosalierebyb.blogspot.com/; the message it now displays is:
"Blog has been removed
Sorry, the blog at rosalierebyb.blogspot.com has been removed."
The second phishing DM was slightly different: it took me directly to http://twitterblog.access-logins.com/login, which is a fake Twitter login page.
Once the user enters their Twitter username and password, an automated program set up by the attacker most likely uses those credentials to log into the account and start DMing the victim's contacts to harvest more usernames and passwords.
This is a typical phishing attack. So far it is not causing any other damage; it is simply spreading itself to more and more accounts.
I decided to investigate further, so I went to Twitter search and did a quick lookup on "hacked".
I got a ton of results, showing that a lot of people were talking about the phishing attacks.
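The two signals described above, the same DM body and link arriving from several unrelated accounts, and a link that redirects to a host with "twitter" in its name but a different registered domain, can be checked mechanically. The following is an added triage script, not code from the original post or from Techrigy; the brand list, the redirect map and the DM samples are constructed for the example, and the registrable-domain check is a crude last-two-labels approximation (a real deployment would use the Public Suffix List and fetch redirects with JavaScript disabled, as the author did in a clean VM).

```python
"""Triage of suspicious Twitter DMs: flag identical-message campaigns and
lookalike login hosts. Added example, not from the original post."""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Brands whose login pages get impersonated and their legitimate registrable
# domains. Hypothetical, minimal list for the example.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com"},
}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for the .com hosts in this
    example; a real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(url):
    """Return the brand name when the hostname mentions a brand but the
    registrable domain is not that brand's (e.g. twitterblog.access-logins.com)."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            return brand
    return None


def extract_urls(text):
    return URL_RE.findall(text)


def find_campaigns(dms, min_senders=3):
    """Group DMs by (normalised body, url); a group sent by at least
    min_senders distinct accounts is reported as a campaign."""
    groups = defaultdict(set)
    for sender, text in dms:
        for url in extract_urls(text):
            body = URL_RE.sub("", text).strip().lower()
            groups[(body, url)].add(sender)
    return [
        {"text": body, "url": url, "senders": sorted(senders)}
        for (body, url), senders in groups.items()
        if len(senders) >= min_senders
    ]


def resolve_chain(url, redirects, max_hops=10):
    """Follow a redirect chain described by a mapping (constructed offline here;
    a live version would record each Location header). Returns the hops visited."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


# Constructed sample input modelled on the DMs quoted in the post.
SAMPLE_DMS = [
    ("davidlower", "hey look at this funny blog http://rosalierebyb.blogspot.com/"),
    ("jeffreynew", "hey look at this funny blog http://rosalierebyb.blogspot.com/"),
    ("bretbernhoft", "hey look at this funny blog http://rosalierebyb.blogspot.com/"),
    ("AntiqueCellar", "Hey, i found a website with your pic on it... LOL check it out here "
                      "http://twitterblog.access-logins.com/login"),
    ("friend1", "lunch tomorrow? http://example.com/menu"),
]

# Constructed redirect map reproducing the single hop described in the post.
SAMPLE_REDIRECTS = {
    "http://rosalierebyb.blogspot.com/": "http://twitterblog.access-logins.com/login",
}


def triage(dms=SAMPLE_DMS, redirects=SAMPLE_REDIRECTS):
    """Return findings: campaigns, plus each distinct final destination that
    is a lookalike login host."""
    findings = []
    for c in find_campaigns(dms):
        findings.append(("campaign", c["url"], c["senders"]))
    seen = set()
    for _sender, text in dms:
        for url in extract_urls(text):
            final = resolve_chain(url, redirects)[-1]
            brand = lookalike_brand(final)
            if brand and final not in seen:
                seen.add(final)
                findings.append(("lookalike", final, brand))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run stand-alone, the script reports one campaign (the blogspot link from three senders) and one lookalike host (the access-logins.com page the blog redirects to); the harmless example.com link produces nothing. Clustering on the message body with the URL stripped is what catches the campaign even if the attacker later rotates the link.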
Realtime results for hacked
- DanielSvedka: @ozzyuk If her account was hacked and she can't get in... how did she tweet about it being hacked? (1 minute ago)
- AcmePhoto: Lots of Twitter dm - Direct message spam from accounts who have been hacked saying to go to blogspot addy. Were accounts phished, or ??? (2 minutes ago)
- lattelady: @journey2learn I think you've been hacked. (2 minutes ago)
- iwearyourshirt: @melisssah your account has been hacked, just got a phishing DM from you!! (2 minutes ago)
- marismith: Yikes! 7 of those horrid phishing emails in my DM box. Lotsa accts still being hacked. Do not click suspicious links in your DMs. (3 minutes ago)
- PawLuxury: @thomaspower Not sure why you tweeted those fake phishing scam links, but please don't. If your account was hacked just change your Password (4 minutes ago)
- HourDeal: Sorry if you received a direct message from HourDeal referencing a blog. This was NOT from HourDeal. We were hacked. Our apologies again. (4 minutes ago)
- north100: Just received two fake DMs too from hacked @twinbirch account (5 minutes ago)
- scotthack: @GlenWoodfin Send them a message and tell them to change their password. Their account has been hacked. (5 minutes ago)
- bud_caddell: @jiibe have you been hacked mate? did you mean to send me that DM? (5 minutes ago)
- luckystartups: WOW what is going on with the HACKED twitter accounts? Now I am getting requests 2 check out blogs. Is anyone getting anything weird from us (5 minutes ago)
As well, it seems Mashable.com put out a warning last night.
I expect this is not the end of the spreading, but I imagine the people at Twitter ought to be able to shut it down fairly quickly. As well, this is not the first attack we have seen on social media: we saw a worm on MySpace a few years ago called the Samy worm (http://namb.la/popular/tech.html).
These attacks depend on people not being cautious about entering their username and password. This is not helped by the many social networks that ask for your Gmail or Yahoo email password so they can "invite" the people in your address book. You should never give one of these services the username or password for a different application.
You can follow Aaron on Twitter: @AaronNewman