followed by a shortened link pointing to a bogus Web page that is posing as the Twitter login screen.
The following YouTube video demonstrates what the phishing attack looks like:
Of course, as I describe on my blog on the Sophos Website, entering your Twitter username and password on the fake login page is a very bad idea -- you're not only handing over your Twitter details and control of your account, but you could also be exposing your entire online life.
This attack follows quickly on the coattails of another cyberattack against Twitter users: the BZPharma LOL phishing attack.
As I've explained before, you should never use the same username and password on multiple Websites -- and yet 33% of people say they do that all the time.
It's like having a skeleton key that opens every door: If the bad guys grab your password in one place, then they can try it in many other places.
Also, you should ensure your password is not a dictionary word and is suitably complex so it's hard to break with a dictionary attack.
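To make the dictionary-word advice above concrete, here is a small password-assessment script. It is an added example for this post, not code from the article or from Sophos: it uses a constructed ten-word list standing in for a real cracking wordlist, undoes the case and "leet" substitutions that cracking rule sets routinely undo, and combines that with a rough entropy estimate. The threshold of 50 bits and the leet mapping are assumptions for illustration.

```python
import math
import re

# Constructed sample dictionary: a stand-in for the wordlists that
# password-cracking tools iterate through. Real lists have millions of entries.
COMMON_WORDS = {
    "password", "twitter", "letmein", "welcome", "monkey",
    "dragon", "qwerty", "sunshine", "football", "secret",
}

# Substitutions a dictionary-attack rule set reverses ("p@55w0rd" -> "password").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

def candidates(password: str) -> set:
    """Forms a cracker would try: lowercased, leet-reversed, and each of those
    with leading/trailing digits and symbols stripped ("Twitter2010" -> "twitter")."""
    low = password.lower()
    forms = set()
    for s in (low, low.translate(LEET_MAP)):
        forms.add(s)
        forms.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", s))
    return forms

def is_dictionary_based(password: str, words=COMMON_WORDS) -> bool:
    """True if any decorated form of a dictionary word matches the password."""
    return any(form in words for form in candidates(password))

def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force resistance: length times log2 of the alphabet size,
    counting only the character classes actually present in the password."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII punctuation and space
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)

def assess(password: str, min_bits: float = 50.0) -> dict:
    """Verdict for one password. A dictionary-based password fails regardless
    of its apparent entropy, because a wordlist attack never brute-forces it."""
    dict_hit = is_dictionary_based(password)
    bits = estimate_entropy_bits(password)
    return {
        "password": password,
        "dictionary_word": dict_hit,
        "entropy_bits": round(bits, 1),
        "acceptable": (not dict_hit) and bits >= min_bits,
    }

if __name__ == "__main__":
    for pw in ("Twitter2010", "p@55w0rd", "$ecret", "correct horse battery staple"):
        print(assess(pw))
```

The point the output makes is that "Twitter2010" scores a respectable number of entropy bits from its mixed digits and letters, yet is rejected anyway: once the trailing year is stripped it is a dictionary word, and a cracker with a rule-based wordlist reaches it long before any brute-force search would.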
So if your account was hacked in this Twitter phishing attack, change your password now. You would also be wise to check the Settings/Connections screen of your Twitter account: if there are any third-party applications listed there that you don't recognize, revoke their permission to access your account.
Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his award-winning other blog on the Sophos website, you can find him on Twitter at @gcluley. Special to Dark Reading.