Even Twitter isn't safe from phishing. Phishers are now targeting the microblogging service Twitter to promote a widespread phishing campaign tricking celebrities and other users into submitting their personal information for identity theft and other illegal activities, experts say.
Like similar phishing scams seen on Facebook and MySpace, the latest version of the Twitter attack targets numerous celebrities, including President-elect Barack Obama, Britney Spears, and CNN anchor Rick Sanchez, among others, who have claimed to have fallen for the scam.
Since the weekend, the phishing attack has appeared to evolve into a traditional malware campaign in which users are enticed to click on malicious links for sites that contain keystroke loggers and other information-stealing code, experts say.
"We've already seen it move to a very traditional kind of phishing attack," said Marina Merritt, Internet safety advocate for Symantec. "As (attackers) get people to click that link, there are so many exploits."
Like traditional phishing attacks on other social networking sites, the Twitter messages seem to come from someone that the victim knows. The attackers send what appear to be personalized "tweets" containing a link to a Web site impersonating the Twitter login site. In fact, the link leads users to a fake login page designed to trick them into handing over their usernames and passwords. Twitter said that the phishing attack domain appears to originate from China. The news was initially broken Jan. 3 by blogger Chris Pirillo after he received one of the phony Twitter messages used in the attack. Since then, Twitter has posted a security advisory on its site warning users of the scam.
"This is NOT the Twitter login page, and it smells completely phishy," Twitter warned in its posting. "Suggestion: do NOT log in to your Twitter account through any site other than Twitter.com. This may go without saying, but consider how many third-party Twitter services you use? Seems it's about time for some kind of verification/validation or applications using the Twitter API - so you can be sure you're passing your credentials to the right people."
The attack has advanced with several variations, including a scheme to trick users into logging in with their cell phone number, in an attempt to steal prepaid account information, experts say.
The phishing attack appears to have spread rapidly over the last two days, although experts say that it is still too early to precisely assess the number of victims.
Meanwhile, security experts strongly recommend that users avoid clicking on links from unknown sources. That goes doubly for forums like Twitter, where the user's ability to guess the origin of the sender is somewhat cloaked, Merritt said. "We've always said that's a bad idea. It's really too hard to identify a safe URL from an infected URL," said Merritt.
Twitter users who think they've fallen for the attack are advised to immediately change their passwords and login credentials, Merritt said.
