Phishing For Tweets

A new phishing scam that targets Twitter users is a backhanded compliment to the messaging service.
A new phishing scam that targets Twitter users is a backhanded compliment to the messaging service.Twitter hit a new milestone this Saturday when the company posted a warning that phishers were targeting Twitter users. You know you've arrived when scammers decide your platform is big enough to be worth trying to spoof.

The scam relied on an e-mail message that claimed to come from Twitter. The message included a link to a false log-in page that would let the scammers capture the Twitter user's ID. The scammers could then use the ID to log on as a trusted Twitter user.

I'm guessing the next step for the scammers would be to send direct messages to other Twitter users, including a link that would download malware (keylogger, rootkit, etc.).

The blog post says it will reset the password of any Twitter user that may have logged into the fake site.

It's an interesting attack because it takes advantage of the trust between Twitter users. I know I click on links sent to me via other users all the time.

I'm not sure a phishing attack against the Twitteratti would be very successful. One the one hand, Twitter users are a fairly tech-savvy bunch, and might be wary of potential abuse.

On the other hand, the scammers used a potent bait: vanity! The scam message said something like "Hey, there's a funny post about you. Click this link!" I know I still get a thrill when I get an e-mail notification of a new follower, and could easily be tempted by such a message.

In any case, a snake has crept into the Twitter garden, and we'll all have to be on our guard.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5