RSS feed of TRACElabs Blog from M86 Security

Twitter "Phish and Spam" Campaign

 

February 24, 2010

If you're a registered Twitter user, chances are that you may have been subjected to a phishing campaign over the weekend. A slew of compromised accounts were sending out direct message spam to their followers, with messages such as:

(Image: direct message phishing attempt from a "friend". A direct message from a friend on Twitter; the link redirects to a fake Twitter login page.)

The URL redirection takes you to a site hosted on bzpharma[dot]net that looks like an authentic Twitter login page. It is in fact a fake login page, designed to trick users into submitting their Twitter login credentials.

The same domain is also home to a Bebo phishing campaign. However, the Twitter campaign we've observed saw a lot of traction over the weekend. We have not yet seen the Bebo campaign in the wild.

The compromised Twitter accounts were used to continue spamming out phishing links through Direct Messages as well as in tweets:


(Image: search results on Twitter show this phishing campaign marches on.)

The purpose of these phishing attacks on Twitter users is to gain access to these accounts and use them for spamming purposes.

 
(Image: the same account involved in the phishing attack is now being used for spamming.)

It's no surprise that the link in the direct message spam redirects to a spam domain, in this case the male-enhancement pharmaceutical spam we're accustomed to seeing through e-mail.

(Image: Viagpure pharmaceutical spam that originated from Twitter, spreading through tweets.)


The success of these phishing attacks underscores the trust that end users place in these services. Users are more likely to click on a link from a trusted friend than from a stranger. When Twitter users receive links via direct messages or @replies from a friend, the likelihood that they will click through is therefore much higher than for links sent by random followers.

Update: The bzpharma domain is not currently active. However, a slight variant of this campaign has been seen today, hosted on kevanshome[dot]org.


(Image: fake Twitter login landing page from this campaign.)



If you have fallen prey to one of these phishing campaigns, we urge you to change your password immediately.

We implore users to proceed with caution when presented with links on social networking services like Twitter, especially since these URLs can also be obscured behind shortened URLs.

Update: We have seen a variant of this campaign today that uses a URL shortening service to obscure the destination URL:


(Image: Twitter user warns a friend that their account has been compromised.)

Historically, we've seen phishing attempts on MySpace where users click on a link and are prompted to log in to the service again. Usually, the user was never logged out to begin with, but this clever tactic usually works to convince the user that they must have been logged out somehow. If faced with this scenario, we suggest re-entering the destination site (like Twitter.com) into the browser and checking to see if you are still logged in.
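The two defensive checks above (expanding a shortened link to see where it really lands, and being suspicious of a "log in again" page that is not on the real site) can be automated. The following Python snippet is an added example, not code from M86 Security: it follows a link's redirect chain by headers alone without rendering any page, caps the hop count so a redirect loop cannot hang it, and flags a final destination that is off the expected domain but carries the brand name or a login path. The redirect map, the .example hostnames and the lookalike heuristic are constructed assumptions; in practice the lookup callable would issue a HEAD request that does not auto-follow redirects.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the Location headers a no-redirect HEAD request
# would return for each URL; None marks a final page. Hosts use the reserved
# .example TLD and are not the live domains named in the post.
CONSTRUCTED_REDIRECTS: Dict[str, Optional[str]] = {
    "http://shrt.example/x7q": "http://bzpharma.example/twitter/",
    "http://bzpharma.example/twitter/": "http://bzpharma.example/twitter/login.php",
    "http://bzpharma.example/twitter/login.php": None,
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",  # redirect loop
    "https://twitter.com/login": None,
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def resolve_chain(url: str, lookup: Callable[[str], Optional[str]],
                  max_hops: int = 10) -> List[str]:
    """Follow redirects header-by-header; stop on a final page, a loop, or the hop cap."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in chain:   # final page, or a URL already visited
            break
        chain.append(nxt)
    return chain

def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); enough for .com/.example."""
    return ".".join(host.lower().split(".")[-2:])

def classify_link(url: str, lookup: Callable[[str], Optional[str]],
                  brand_host: str = "twitter.com") -> Tuple[str, str]:
    """Return (verdict, final_url). Assumed heuristic: a destination off the brand's
    domain that mentions the brand or ends in a login path is a lookalike login page."""
    final = resolve_chain(url, lookup)[-1]
    parsed = urlparse(final)
    host = parsed.hostname or ""
    if registrable(host) == brand_host:
        return "genuine", final
    brand = brand_host.split(".")[0]
    if brand in (host + parsed.path).lower() or "login" in parsed.path.lower():
        return "lookalike_login", final
    return "offsite", final

def scan_message(text: str, lookup=CONSTRUCTED_REDIRECTS.get) -> List[Tuple[str, str, str]]:
    """Classify every link in a direct message; returns (url, verdict, final_url) tuples."""
    return [(u,) + classify_link(u, lookup) for u in URL_RE.findall(text)]
```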

We cover similar attacks that we observed on social networks in the second half of 2009 in our Security Labs Report - January 2010.


© M86 Security

Last Reviewed: February 24, 2010 by Satnam Narang