Tumblr Hit With Massive Phishing Attack
The Tumblr phishing attack , first detected by researchers at GFI Labs in mid-June and stepping up its attack this week, employs all the usual social engineering tricks to entice users to hand over login credentials that let attackers access their accounts.
During the attack, Tumblr users are enticed with a message promising the chance to view "hidden” pornographic content "This page contains adult content. Please revalidate your credentials,” the spam message said.
However, as in most phishing attacks, users are asked to re-enter their login credentials in order to view the illicit content.
Once users’ submit their logins, the scam hijacks their pages and converts them to fake logins, which are then resent out to compromise yet uninfected Tumblr accounts. Subsequently, a new crop of victims will visit the fake login and enter their credentials, further propelling the attack.
“What started off as a strange (if rather basic) ‘click the link to see an advert’ scam has now become a phishing problem so bad that Tumblr has a rather comprehensive dedicated autoreply for emails sent to their support team,” said GFI researchers Chritopher Boyd and Jovi Umawing, in a blog post.
GFI Labs researchers said the phishing attack data, which contained 8,200 lines of text stretched across 304 pages of Microsoft Word, was sourced to several domains, including tumblriq.com, tumblrlogin.com and tumblrsecurity.com.
One earlier version of the scam sourced to the tumbleriq.com domain started as an IQ test, serving up ads to compromised users promoting a “Tumblr IQ Society.”
Later versions of the scam targeted compromised accounts with a combination of Tumblr hosted text and login credential submission forms via free Web hosting accounts. In addition to asking users to login on the same page, the attack also redirected victims to the tumblrlogin.com Web site.
Boyd and Umawing said that thus far, the attack appears to have infected thousands.
“The problem has become so pervasive that regular Tumblr users are setting up dedicated anti-phishing sites to advise users of the problem,” the researchers said. “One of these sites actually pointed us in the direction of one of the dropzones used for the stolen logins, and the problem does indeed seem to be out of control at this point.”
The reason for the attack is yet unclear, but researchers speculate that it could be a way to acquire copious usernames and passwords that could also be used to access other, more sensitive accounts, such as banking, PayPal or e-commerce sites.
However, researchers warned that the attackers could revisit previous victims with a more malicious attack that launched malware designed to take over their entire system.
“They could well return at some point (indeed, one of the free webhost phish pages is still alive despite countless reports to the host) and Tumblr users would do well to verse themselves in the art of phishing scams, and fast,” they said. “These issues make the recent messaging spamrun on Tumblr look like a very small drop in the ocean at this point.”