Twitter Phishing

There has been a phishing scheme running around on Twitter this weekend. But, so far, it’s a relatively easy one to avoid becoming a victim of. Here are some tips on the phishing mess.

(For more details, you can check @CXI's blog. He even set up a test account on Twitter to see what the phishers were up to.)

First, it is okay to check your DMs on Twitter. You don’t need to be afraid to check them. But, be careful about any links in messages from others, even if you know them. You won’t be affected by the scam just by reading your DMs.

If you click a link, DON’T PANIC! So far, there have been no reports of spyware, malware or viruses getting installed as a result of visiting the phishing site. If you’re concerned, you can run your anti-virus or anti-spyware/malware software to check your system out.

But, after clicking the link, it may appear as though you’ve been booted off Twitter and are being asked to log in. DO NOT LOG IN! Look at the URL in the URL bar at the top of your browser, and check the whole hostname, not just whether the word “twitter” appears somewhere in the address. If it is not “” or “”, it is likely a phishing site. (See UPDATE VI below.) You do not want to give them your password. Just manually type Twitter’s URL into your URL bar to return to Twitter.

As a precaution, you may also want to go into your browser and delete any cookies the phishing site may have sent.

If you’re not sure if you’ve logged into a phishing site (perhaps earlier, before you had heard about it), you might want to take the extra precaution of changing your Twitter password.

If you’re still really feeling uneasy, you can also run your anti-viral or anti-spyware software just to confirm you didn’t get hit with anything.

Please also be aware that the person (or persons) that sent you the phishing URLs may not be the actual scammer. Most likely, they were a victim and the phisher got their password and is now using their account to send more of the phishing DMs.

If you receive a phishing DM from someone, it’s probably a good idea to DM them back (or send an @reply if you can’t send them a DM) to let them know their account has been compromised and that they should change their password. This is the DM I send people:

Were you a phishing scam victim? Might be a good idea to change your Twitter password!

The URL takes them to a site that tells them about the phishing scheme.

The URLs that have been used for the phishing sites have been URLs. They were set up to redirect to another site, which puts up a screen that looks like Twitter’s login page. The plan is that people will think they were knocked out of Twitter and log back in. When they do, they are taken back to the real Twitter site, so the victim may be totally unaware that they just gave their password to the phisher.

It’s important to note that not all URLs are phishing sites. I’ve seen people warning others not to open any URLs. But, there are plenty of legitimate blogs that have URLs. So, you don’t need to be concerned about URLs in general, just specific ones. And, even if you end up at the phishing site, as mentioned above, you should be okay so long as you don’t login on the fake Twitter site.
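As an added example (not code from the original post), here is the address-bar check above written out as a small DM triage script. It pulls any links out of a DM, works out the hostname the browser would actually connect to, and only calls a link legitimate if that hostname is the allow-listed site or a subdomain of it; a link whose host merely contains the word “twitter”, or that hides the real host behind a username (the text before an @ sign in a URL), is flagged. The allow-list `ALLOWED_HOSTS` is an assumption, since the post elides the exact hostnames, and the sample DMs other than the one quoted in the post are made up.

```python
# Added example, not from the original post. ALLOWED_HOSTS is assumed.
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = ("twitter.com",)  # assumption: the real site and its subdomains

# Lure phrases quoted in the post and its updates, lower-cased.
KNOWN_LURES = (
    "check out this funny blog about you",
    "found a website with your pic on it",
    "hey look at this funny blog",
    "here is that blog i wanted to show you",
    "i want u to see my blog",
    "check out this blog type website",
    "wanna win the new iphone",
    "i just got a free iphone",
    "got me completely out of debt",
)

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def normalize(url):
    """Give scheme-less links a scheme so urlsplit sees the host."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlsplit(url)


def host_of(url):
    """Hostname the browser would connect to: userinfo, port and path are
    dropped, so "http://twitter.com@evil.example/" yields "evil.example"."""
    host = normalize(url).hostname
    return host.lower().rstrip(".") if host else None


def is_allowed_host(host):
    """Exact match or subdomain of an allow-listed host, nothing looser."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def classify_url(url):
    parts = normalize(url)
    host = parts.hostname
    if not host:
        return "malformed"
    host = host.lower().rstrip(".")
    if parts.username is not None:
        # "twitter.com@evil.example": everything before the @ is a username
        return "disguised"
    if is_allowed_host(host):
        return "legitimate"
    # The brand name inside a host that is not allow-listed is the classic
    # lookalike: twitter.com.evil.example, blogtwitter.access-logins, ...
    if "twitter" in host:
        return "lookalike"
    return "external"


def triage_dm(text):
    """Return (verdict, {url: classification}) for one DM."""
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(text)]
    verdicts = {u: classify_url(u) for u in urls}
    lure = any(p in text.lower() for p in KNOWN_LURES)
    if any(v in ("lookalike", "disguised") for v in verdicts.values()):
        return "phishing", verdicts
    if lure and any(v != "legitimate" for v in verdicts.values()):
        return "suspicious", verdicts
    return "ok", verdicts


if __name__ == "__main__":
    # Constructed sample DMs: the first URL is the one quoted in the post,
    # the others are made up for illustration.
    for dm in (
        "heyy!!! i want u to see my blog!! http://blogtwitter.access-logins/login",
        "hey! check out this funny blog about you... http://someone.blogspot.com/",
        "log in here: http://twitter.com@evil.example/login",
        "see https://www.twitter.com/home for the real thing",
    ):
        print(triage_dm(dm))
```

The point of `host_of` is that it answers the same question the address bar does: what host is this page really on? A substring check for “twitter” would pass both the lookalike host and the username trick, which is exactly why the advice is to read the hostname rather than to look for a familiar word.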

For people using OpenDNS or Firefox 3, it appears that both of those are now blocking the phishing site. But, still be careful out there.

The short of it is that you should be careful, but don’t become irrational over the phishing attack.

Here are the known URLs of the phishing attack:

If a tweet or DM asks you to visit one of those sites, don’t.

Also, here are the known text of the phishing messages:

“hey! check out this funny blog about you…”

“Hey, i found a website with your pic on it… LOL check it out here”

“hey look at this funny blog”

I have not made the URLs clickable, but I am showing the messages and URLs in their entirety so you know what to look out for. Also, I am not identifying the senders, as the senders are likely victims and not the actual scammers.

UPDATE II: How to Report Phishing Sites


For Windows Internet Explorer 7 users

How to Report a Phishing Site to Google

How to Report a Phishing Site to Yahoo

UPDATE III: Info from Twitter

Here is Twitter’s blog post about the phishing scheme. Here is the link to the Twitter blog itself.


Found this post (by way of multiple people tweeting it) on How to Protect Your Twitter Account from Scammers. Good info with pictures.


A new phishing DM is going out. This is how it reads:

“fixed it.. hehe here is that blog i wanted to show you”

As Robin indicated in the comments, it is possible for a site to mask the URL so that the URL in your URL bar will appear to be the correct URL. Fortunately, that has not happened in this current phishing attack, but it is something to be aware of, especially seeing how the phishers have been continuing to morph their scheme. The best defense is to manually enter the URL of the site you want to visit.


Another new phishing DM is going out. This is how it reads:

“heyy!!! i want u to see my blog!! http://blogtwitter.access-logins/login”

UPDATE VIII: Twitter Phishing Scheme is Not a Virus

Judging by a lot of the tweets out there, some people are confusing the Twitter phishing scheme with a virus. As of this writing, I have not heard of anyone getting a computer virus from the phishing site. Just because people you know might be sending you DMs with the phishing site URLs does not mean that they have been infected by a virus. Let me explain how this appears to work.

Yesterday, some phishing messages went out. I don’t know who the originator was. Anyway, these phishing messages directed people to another site. As far as I know, the first site was the URL. If you went to that site, it redirected you to a page that looked like the Twitter login page. This tricked some people into thinking that they had been booted out of Twitter, so they logged back in.

When they did that, the phisher had their user ID and password, so they could access the user’s account.

Apparently, they turned around and used those accounts to send more DMs directing more people to fake Twitter login pages, from which they no doubt collected more user IDs and passwords.

They may not have even used all the user IDs and passwords they’ve collected yet, so this has the potential to continue for days.

That’s why it’s a good idea to change your Twitter password if you logged into a fake Twitter page. If you’re not sure, you might also want to change your Twitter password. Just because none of your followers have received phishing DMs from you doesn’t mean that the phishers aren’t waiting until some future time to use your account to send them.

Of course, if you didn’t log into the fake Twitter page, at this point there is no reason for you to be alarmed.

The fact that the phishers are using the victim’s account details (user ID and password) to send these DMs doesn’t make this a virus. There is no evidence thus far of any virus being spread as a result. This is nothing more than the phishers using people’s passwords to gain access to their accounts and send DMs from them. Ergo, not a virus!


Yet another new phishing DM is going out. This is how it reads:

“Check out this blog type website. you need to see it..”

UPDATE X: Receiving Phishing DMs Not a Problem on Your End

If you receive a phishing DM, that does not mean that your account has been compromised. It means that the phisher got the password of the person sending it. Changing your password isn’t going to stop the DMs coming to you. Just delete the DM and move on. As suggested above, you might want to send a message to the person whose account sent the DM to let them know they’ve been affected and should change their password.

UPDATE XI: If Affected, Change Passwords on Accounts Using the Same Password

A good point from @CXI. If you were a victim of the phishing scam and have other accounts which use the same password, especially if they have the same user ID or a publicly known user ID, it’s a good idea to change that password on those other accounts as well so that the phishers can’t access them too.

UPDATE XII: This May Be What It was All About!

I’m seeing these new variants coming from affected accounts. Some I know to be affected because previous DMs from them carried the phishing messages. Others I assume to be affected.

“Wanna win the new iPhone? It’s so easy and cool, I love this thing! Visit:”

“Hey! I just got a FREE iphone from this website.. here”

If you go to the site, you will be presented with a seemingly harmless series of questions. First, it asks for your gender. Next, it asks for your cell phone carrier to see if you are “eligible.” After that, it asks for your phone number.

In fine print, there is mention of a $9.99/mo. service. I am guessing that, by entering your phone number, you will be signing up for that service.

My guess is that’s what this whole thing may have been about. Twitter is heavily used by mobile users, so what better way than to try to trick them into signing up for a service than by luring them in with a “free” iPhone?

I would not enter your phone number into that site. I wouldn’t bother with it at all! Just delete the DMs and stay away!

UPDATE XIII: Free iPhone Offer Site May Not Be the Phisher

As mentioned in the previous update, the last known round of the phishing URLs were links to sites like and If you visit those sites, you get redirected to a site with the iPhone offer.

Something I didn’t notice until later is that, somewhere along the line, cookies are set in your browser. These appear to be affiliate cookies of some sort.
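Both the flow described in UPDATE VIII (blog link, redirect to a lookalike login page) and the one noted here (blog link, redirect to an offer page that drops cookies along the way) are redirect chains, and you can see what a browser would have picked up by walking such a chain without ever submitting anything. The script below is an added example, not code from the original post: it follows redirects over a set of constructed responses, records which host set which cookie, and reports when a page that is not on the allow-listed site asks for a password. Apart from the blogtwitter.access-logins host quoted in the post, every hostname, path and cookie in it is made up, and `ALLOWED_HOSTS` is assumed.

```python
# Added example, not from the original post. All responses are constructed.
import re
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = ("twitter.com",)  # assumption: the legitimate site

# Constructed captures: url -> (status, headers, body). Only the
# blogtwitter.access-logins host comes from the post; the rest is made up.
CAPTURED = {
    "http://funny-blog.example/": (
        302, {"Location": "http://blogtwitter.access-logins/login"}, ""),
    "http://blogtwitter.access-logins/login": (
        200, {"Set-Cookie": "sess=abc; path=/"},
        '<form method="post" action="/login">'
        '<input name="username"><input type="password" name="password">'
        '</form>'),
    "http://free-phone.example/": (
        302, {"Location": "http://offer.example/?aff=1234",
              "Set-Cookie": "aff=1234; path=/"}, ""),
    "http://offer.example/?aff=1234": (
        200, {"Set-Cookie": "clickid=xyz; domain=offer.example"},
        '<form action="/signup"><input name="phone"></form>'),
}

PASSWORD_FIELD = re.compile(r'<input[^>]*type="password"', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action="([^"]*)"', re.I)
REDIRECTS = (301, 302, 303, 307, 308)


def host_of(url):
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_allowed(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def walk(start, fetch=CAPTURED.get, max_hops=10):
    """Follow redirects from `start` without submitting anything. Returns the
    hops taken, every cookie set (and by which host), and the host a password
    form would post to when that host is not allow-listed."""
    report = {"hops": [], "cookies": [], "password_form_host": None}
    url = start
    for _ in range(max_hops):
        response = fetch(url)
        if response is None:
            break  # not in the capture
        status, headers, body = response
        report["hops"].append((host_of(url), status))
        if "Set-Cookie" in headers:
            # cookies on a redirect response still get stored by the browser
            for name, morsel in SimpleCookie(headers["Set-Cookie"]).items():
                report["cookies"].append((host_of(url), name, morsel.value))
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        if PASSWORD_FIELD.search(body):
            m = FORM_ACTION.search(body)
            target = urljoin(url, m.group(1)) if m else url
            if not is_allowed(host_of(target)):
                report["password_form_host"] = host_of(target)
        break
    return report


def verdict(report):
    if report["password_form_host"]:
        return "credential phishing"
    # heuristic: a chain that bounces through a redirect while dropping
    # cookies is the affiliate/tracking pattern described in the post
    if len(report["hops"]) > 1 and report["cookies"]:
        return "tracking redirect"
    return "plain"


if __name__ == "__main__":
    for start in ("http://funny-blog.example/", "http://free-phone.example/"):
        r = walk(start)
        print(start, "->", verdict(r), r)
```

To run this against live links you would replace `fetch` with something that does one HTTP request and returns the same (status, headers, body) triple without following redirects itself; the walker stays the same. The useful output is the cookie list, which tells you which host in the chain set the tracking cookie, and that is the kind of thing an offer site could use to identify a misbehaving affiliate.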

So, it’s possible that the phisher is an affiliate of the iPhone offer site, and that the site itself is not to blame. It may be a legitimate site.

If that’s the case, it should be relatively easy for the iPhone offer site to track down which affiliate of theirs is the phisher and (hopefully!) cancel their account and make sure the phishers don’t get any financial benefit from the scheme.

It appears as though the phisher’s plan may have been to collect user IDs and passwords so that, in the final round of DMs, the DMs would appear as though they were coming from one of your friends telling you they got a free iPhone. That could increase the likelihood of you signing up with the site, since a friend getting a free iPhone kind of mitigates the notion that the offer was “too good to be true.” Thus, that would increase the conversion rate, potentially putting more money into the pockets of the phishers.

Of course, it is also possible that the iPhone offer site is run by the phishers. I don’t know for certain, but we shouldn’t jump to that conclusion just because the phishers forwarded to that site. As I mentioned, the phishers could have been affiliates and were using the whole scheme to try to earn money through an affiliate program. We just don’t know for sure.

The bad thing, of course, is that if this iPhone offer site is a legitimate site, they could be suffering as a result now, because people will avoid them, thinking they are phishers.

UPDATE XIV: Was It a Success?

If the iPhone offer site is not run by the phishers, and they were set up as affiliates, there’s the possibility that the phishers may not benefit at all, if the iPhone offer site cuts them off. (Assuming, of course, that the affiliate program doesn’t offer an instant affiliate payment of some kind.)

If the iPhone offer site is run by the phishers, there is a good chance that they made some money off the deal. While it is likely that many people will notice the fee being charged to their phone bill, and either cancel or dispute it, it remains likely that some people wouldn’t notice for quite a while.

Some people were of the opinion that trying something like this on a social networking site wasn’t a good idea, because of how quickly the warnings could be sent to people. But, even this morning, there are people seemingly unaware of the phishing scheme. Even yesterday, in the midst of all the heavy tweeting and retweeting of warnings, there were still people tweeting their friends asking why they sent them a bad link.

So, it is possible for a scheme like this to achieve some success on a social network. Let’s say that out of the thousands and thousands of people on Twitter, only 500 people ended up getting signed up for that $9.99/mo. service. (I’m just using the $9.99/mo. as the example; there were varying rates for various carriers.) That’s $4,995 a month. Or, if it was an affiliate program (and the phishers didn’t get caught) with, for example, a 10% referral fee, that’s still $499.50. That’s not bad for two days’ work, especially in parts of the world where a dollar may go farther.

This illustrates several things about Twitter:

1) Not everyone is on 24/7. So, just because one round of warnings gets sent out doesn’t mean that everyone will see them. Some people got annoyed with all the warnings, but, if only one warning is sent out, that can be quickly lost in the Twitter stream.

2) Not all your followers read all your tweets. You’d tweet a warning, even see it get retweeted, and still there would be people tweeting, asking about what’s going on.

3) Some people stay on their Replies page, so they won’t see general tweets.

That’s all common sense stuff, but also the reason why, in such a situation, multiple warnings may need to be sent out. Otherwise, and even still, people are apt to miss them.

Better yet is if people are educated about these things. Some people put up blog pages listing all the people they received DMs from. I don’t think that such a “Wall of Shame” is really necessary. Most, if not all, of those people will have been victims of the phishing attack. Why make matters worse for them by publicly identifying them? Send them a DM or an eMail. If you can’t do either of those, then, as a last resort, use an @reply to try to let them know.

Rather than call out the senders, it is better to let people know what to watch out for, by identifying the type of message being sent as well as the URLs those messages will direct them to.

Since the senders, the messages and the URLs are all subject to change, the best bet is to simply inform people of what to be on the lookout for in general. Phishing is here to stay, and simply waiting a few days for things to “settle down” isn’t going to change that. You will continue to get phishing messages in your eMail and, now, in your Twitter stream or DMs too.

Don’t rely on other people to warn you about a phishing scam! Learn what to watch out for!

UPDATE XV: Twitter Hacked Too

Twitter was apparently hacked into as well. Some high profile accounts were compromised. The problem has apparently been remedied, but no further details have yet been posted. Here is Twitter’s blog entry on the hacking. (Thanks to @KrisColvin for the tip!)

They recommend changing your password as a precaution. Even if you didn’t fall victim to the phishing scam, if Twitter itself was hacked, your account could be at risk too. So, do change your password as a precaution. This, unlike some of the mass hysteria yesterday regarding changing your password, is good advice. I am changing mine.

UPDATE XVI: Details from Twitter

Twitter has posted details on the hacking incident, which was unrelated to the phishing.

Monday Morning Madness

UPDATE XVII: New Phishing DM

This appears to be a new phishing DM. The site kind of looks legitimate, but the URL is being sent out by different accounts. So, it’s looking like those accounts may have been compromised by phishing, so I wouldn’t provide any personal data to the listed website.

Here is the text and URL:

“Heyy!! this website got me completely out of debt!!”

If you get that in a DM, I’d just delete it.

28 comments on “Twitter Phishing”
  1. Techwatch says:

    Also Safari and Flock are showing the sites as phishing sites when visited

    – Techwatch

  2. I sent someone a DM last night that had been phished. I was immediately redirected to another site. I closed the window right away. I never clicked on anything. Am I ok since I never clicked on a thing? Oh wait, I did click on that person’s (that was phished) blog URL in her profile on Twitter, but that’s it. I visited her blog.

  3. Hi Dan,

    Thank you for taking the time to research this situation and advise us.

    I, for one, appreciate it!



    • dcr says:

      No problem. I tweeted on it a bunch yesterday and with the phishing continuing today, I figured it was just easier to compile all the info here and point people here instead of spreading info across multiple tweets.

  4. Robin says:

    Look at the URL in the URL bar at the top of your browser. If it is not “” or “”

    The above does not guarantee. It is possible to make it look like you are on one site with a redirect and have you at another site.

    We use that for
    you think you are there but where you really are is

    Good post though

  5. molej says:

    Good information. I have not received any of these yet. I am sure I will. Already mentioned Spybot is a good free spy-ware remover.

    With passwords and logins on any website, be sure you typed the URL or used a bookmark before you enter your information. If you are being asked for a login and password, never enter it if you reached that page through a link from somewhere.

  6. CeKay says:

    18 hours ago I wrote about that phishing scam in German. Thank you for the additional information, I linked to your entry!

  7. I was hit with a bunch of these today and my first time being twitter spammed. Google Chrome is very good at identifying phishing sites, but not perfect, bottom line, don’t trust anyone who sends you a link to a login site.

  8. kay55 says:

    okay i will watch out for those dms THANKS!!! MY TWITTER PASSWORD IS MY EMAIL TOO!

  9. I have no idea what you are talking about….

  10. teeni says:

    Thanks for all this good info. I didn’t know it was going around cuz I had been off twitter for a bit.

  11. All I know is for the next few days I am NOT checking any DMS nor am I logging in, or signing up for anything NEW. But, THANK YOU for this post. You helped clarify my initial confusion.

    *Consider this post being re-tweeted.*

    • dcr says:

      A few days won’t make a difference. Phishing schemes aren’t anything new. They’ve been around and will continue to be around. Just learn to recognize them and be careful out there.

  12. kay55 says:

    oops i might need a new email now

  13. Mario says:

    Thanks. I just found out about the ongoing phishing, (I even received a suspicious DM, you even mentioned the URL here; that “rosalierebyb.blogspot”) and i got the idea on how to go around it as I read this post.

  14. Atniz says:

    I received a lot of DMs but rarely click any that sounds promoting..

  15. David says:

    It is amazing that phishing is such an effective technique, because usually it is pretty easy to tell something is amiss. It would be cool if the big ISPs directed their new users to a site that explained how these kinds of attacks work, because if you are properly educated, they are easy to spot…

  16. Great post, thanks for compiling all the info and updates.
