There has been a phishing scheme running around on Twitter this weekend. But, so far, it’s a relatively easy one to avoid becoming a victim of. Here are some tips on the phishing mess.
First, it is okay to check your DMs on Twitter. You don’t need to be afraid to check them. But, be careful about any links in messages from others, even if you know them. You won’t be affected by the scam just by reading your DMs.
If you click a link, DON’T PANIC! So far, there have been no reports of spyware, malware or viruses getting installed as a result of visiting the phishing site. If you’re concerned, you can run your anti-virus or anti-spyware/malware software to check your system out.
But, after clicking the link, it may appear as though you’ve been booted off Twitter and are being asked to login. DO NOT LOGIN! Look at the URL in the URL bar at the top of your browser. If it is not “http://www.twitter.com” or “http://twitter.com”, it is likely a phishing site. (See UPDATE VI below.) You do not want to give them your password. Just manually type in Twitter’s URL in your URL bar to return to Twitter.
As a precaution, you may also want to go into your browser and delete any cookies the phishing site may have sent.
If you’re not sure if you’ve logged into a phishing site (perhaps earlier, before you had heard about it), you might want to take the extra precaution of changing your Twitter password.
If you’re still really feeling uneasy, you can also run your anti-virus or anti-spyware software just to confirm you didn’t get hit with anything.
Please also be aware that the person (or persons) that sent you the phishing URLs may not be the actual scammer. Most likely, they were a victim and the phisher got their password and is now using their account to send more of the phishing DMs.
If you receive a phishing DM from someone, it’s probably a good idea to DM them back (or send an @reply if you can’t send them a DM) to let them know their account has been compromised and that they should change their password. This is the DM I send people:
Were you a phishing scam victim? http://bit.ly/HREm Might be a good idea to change your Twitter password!
The URL takes them to a site that tells them about the phishing scheme.
The URLs that have been used for the phishing sites have been blogspot.com URLs. They were set up to redirect to another site, which puts up a screen that looks like Twitter’s login page. The plan is that people will think they were knocked out of Twitter and log back in. When they do, they are taken back to the real Twitter site, so the victim may be totally unaware that they just gave their password to the phisher.
It’s important to note that not all blogspot.com URLs are phishing sites. I’ve seen people warning others not to open any blogspot.com URLs. But, there are plenty of legitimate blogs that have blogspot.com URLs. So, you don’t need to be concerned about blogspot.com URLs in general, just specific ones. And, even if you end up at the phishing site, as mentioned above, you should be okay so long as you don’t login on the fake Twitter site.
For people using OpenDNS or Firefox 3, it appears that both of those are now blocking the phishing site. But, still be careful out there.
The short of it is that you should be careful, but don’t become irrational over the phishing attack.
Here are the known URLs of the phishing attack:
If a tweet or DM asks you to visit one of those sites, don’t.
Also, here is the known text of the phishing messages:
“hey! check out this funny blog about you…
“Hey, i found a website with your pic on it… LOL check it out here http://twitterblog.access-logins.com/login”
“hey look at this funny blog http://rosalierebyb.blogspot.com/”
I have not made the URLs clickable, but I am showing the messages and URLs in their entirety so you know what to look out for. Also, I am not identifying the senders, as the senders are likely victims and not the actual scammers.
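As an added illustration (this is not code from the original post), here is a small Python checker for the advice above: pull the links out of a DM and look at the host the browser would actually connect to, rather than checking whether the address merely begins with or contains “twitter.com”. The two legitimate hosts are the ones the post names; the sample DMs are the messages quoted above plus two constructed ones (a `.phish.example` lookalike and a genuine twitter.com link), and the function names are my own.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The only hosts the post treats as the genuine Twitter login page.
LEGIT_HOSTS = {"twitter.com", "www.twitter.com"}

# Finds http(s) URLs in free text; stops at whitespace or at the straight/curly
# closing quote characters that surround the DM texts quoted in the post.
URL_RE = re.compile(r"https?://[^\s\"\u201d]+")

# Constructed sample set: the four DM texts quoted in the post plus two made-up
# messages (one subdomain lookalike on a reserved .example domain, one real link).
SAMPLE_DMS = [
    "Hey, i found a website with your pic on it… LOL check it out here "
    "http://twitterblog.access-logins.com/login",
    "hey look at this funny blog http://rosalierebyb.blogspot.com/",
    "fixed it.. hehe here is that blog i wanted to show you "
    "http://twitterblogs.access-logins.com/login",
    "heyy!!! i want u to see my blog!! http://blogtwitter.access-logins/login",
    "check your twitter settings http://www.twitter.com.phish.example/login",  # constructed
    "see you on http://twitter.com/home",                                      # constructed
]


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in a message, in order of appearance."""
    return URL_RE.findall(text)


def host_of(url: str) -> Optional[str]:
    """Hostname the browser would connect to: lowercased, userinfo and port stripped."""
    return urlsplit(url).hostname


def classify_host(host: Optional[str]) -> str:
    """'legitimate' for the real Twitter hosts, 'lookalike' if 'twitter' appears
    anywhere else in the hostname, 'other' for everything else."""
    if host is None:
        return "unparseable"
    if host in LEGIT_HOSTS:
        return "legitimate"
    if any("twitter" in label for label in host.split(".")):
        return "lookalike"
    return "other"


def check_message(text: str) -> List[Tuple[str, Optional[str], str]]:
    """(url, host, verdict) for each link in one DM."""
    return [(url, host_of(url), classify_host(host_of(url))) for url in extract_urls(text)]


def flagged_urls(messages: List[str]) -> List[str]:
    """Every link across a batch of DMs whose host is not a legitimate Twitter host."""
    return [url for msg in messages for url, _, verdict in check_message(msg)
            if verdict != "legitimate"]


def naive_prefix_check(url: str) -> bool:
    """The check people do by eye: does the address *start* with the real URL?
    This is fooled by a lookalike such as http://www.twitter.com.phish.example/."""
    return url.startswith("http://www.twitter.com") or url.startswith("http://twitter.com")


if __name__ == "__main__":
    for msg in SAMPLE_DMS:
        for url, host, verdict in check_message(msg):
            print(f"{verdict:10} host={host!r:45} naive_prefix_ok={naive_prefix_check(url)}")
```

Note that `urlsplit(...).hostname` rather than string matching is what makes the check reliable: the constructed `www.twitter.com.phish.example` link passes the naive prefix test but is classified as a lookalike because its real host is under `phish.example`.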
UPDATE II: How to Report Phishing Sites
UPDATE III: Info from Twitter
Found this post (by way of multiple people tweeting it) on How to Protect Your Twitter Account from Scammers. Good info with pictures.
UPDATE V: New DM Text
A new phishing DM is going out. This is how it reads:
“fixed it.. hehe here is that blog i wanted to show you http://twitterblogs.access-logins.com/login”
UPDATE VI: URL Masking
As Robin indicated in the comments, it is possible for a site to mask the URL so that the URL in your URL bar will appear to be the correct URL. Fortunately, that has not happened in this current phishing attack, but it is something to be aware of, especially seeing how the phishers have been continuing to morph their scheme. The best defense is to manually enter the URL of the site you want to visit.
UPDATE VII: New DM Text
Another new phishing DM is going out. This is how it reads:
“heyy!!! i want u to see my blog!! http://blogtwitter.access-logins/login”
UPDATE VIII: Twitter Phishing Scheme is Not a Virus
Judging by a lot of the tweets out there, some people are confusing the Twitter phishing scheme with a virus. As of this writing, I have not heard of anyone getting a computer virus from the phishing site. Just because people you know might be sending you DMs with the phishing site URLs does not mean that they have been infected by a virus. Let me explain how this appears to work.
Yesterday, some phishing messages went out. I don’t know who the originator was. Anyway, these phishing messages directed people to another site. As far as I know, the first site was the jannawalitax.blogspot.com URL. If you went to that site, it redirected you to a page that looked like the Twitter login page. This tricked some people into thinking that they had been booted out of Twitter, so they logged back in.
When they did that, the phisher had their user ID and password, so they could access the user’s account.
Apparently, they turned around and used those accounts to send more DMs directing more people to fake Twitter login pages, from which they no doubt collected more user IDs and passwords.
They may not have even used all the user IDs and passwords they’ve collected yet, so this has the potential to continue for days.
That’s why it’s a good idea to change your Twitter password if you logged into a fake Twitter page. If you’re not sure, you might also want to change your Twitter password. Just because none of your followers have received phishing DMs from you doesn’t mean that the phishers aren’t waiting until some future time to use your account to send them.
Of course, if you didn’t log into the fake Twitter page, at this point there is no reason for you to be alarmed.
The fact that the phishers are using the victim’s account details (user ID and password) to send these DMs doesn’t make this a virus. There is no evidence thus far of any virus being spread as a result. This is nothing more than the phishers using people’s passwords to gain access to their accounts and send DMs from them. Ergo, not a virus!
UPDATE IX: New DM Text
Yet another new phishing DM is going out. This is how it reads:
“Check out this blog type website. you need to see it.. http://bloggertwit.access-logins.com/login”
UPDATE X: Receiving Phishing DMs Not a Problem on Your End
If you receive a phishing DM, that does not mean that your account has been compromised. It means that the phisher got the password of the person sending it. Changing your password isn’t going to stop the DMs coming to you. Just delete the DM and move on. As suggested above, you might want to send a message to the person whose account sent the DM to let them know they’ve been affected and should change their password.
UPDATE XI: If Affected, Change Passwords on Accounts Using the Same Password
A good point from @CXI. If you were a victim of the phishing scam and have other accounts which use the same password, especially if they have the same user ID or a publicly known user ID, it’s a good idea to change that password on those other accounts as well so that the phishers can’t access them too.
UPDATE XII: This May Be What It was All About!
I’m seeing these new variants coming from affected accounts. Some I know to be affected because previous DMs from them carried the phishing messages. Others I assume to be affected.
“Wanna win the new iPhone? It’s so easy and cool, I love this thing! Visit: http://iphonewinner.info”
“Hey! I just got a FREE iphone from this website.. here http://helloiphones.com”
If you go to the site, you will be presented with a seemingly harmless series of questions. First, it asks for your gender. Next, it asks for your cell phone carrier to see if you are “eligible.” After that, it asks for your phone number.
In fine print, there is mention of a $9.99/mo. service. I am guessing that, by entering your phone number, you will be signing up for that service.
My guess is that’s what this whole thing may have been about. Twitter is heavily used by mobile users, so what better way to trick them into signing up for a service than by luring them in with a “free” iPhone?
I would not enter your phone number into that site. I wouldn’t bother with it at all! Just delete the DMs and stay away!
UPDATE XIII: Free iPhone Offer Site May Not Be the Phisher
As mentioned in the previous update, the last known round of the phishing URLs were links to sites like iphonewinner.info and helloiphones.com. If you visit those sites, you get redirected to a site with the iPhone offer.
Something I didn’t notice until later is that, somewhere along the line, cookies are set in your browser. These appear to be affiliate cookies of some sort.
So, it’s possible that the phisher is an affiliate of the iPhone offer site, and that the site itself is not to blame. It may be a legitimate site.
If that’s the case, it should be relatively easy for the iPhone offer site to track down which affiliate of theirs is the phisher and (hopefully!) cancel their account and make sure the phishers don’t get any financial benefit from the scheme.
It appears as though the phisher’s plan may have been to collect user IDs and passwords so that, in the final round of DMs, the DMs would appear as though they were coming from one of your friends telling you they got a free iPhone. That could increase the likelihood of you signing up with the site, since a friend getting a free iPhone kind of mitigates the notion that the offer was “too good to be true.” Thus, that would increase the conversion rate, potentially putting more money into the pockets of the phishers.
Of course, it is also possible that the iPhone offer site is run by the phishers. I don’t know for certain, but we shouldn’t jump to that conclusion just because the phishers forwarded to that site. As I mentioned, the phishers could have been affiliates and were using the whole scheme to try to earn money through an affiliate program. We just don’t know for sure.
The bad thing, of course, is that if this iPhone offer site is a legitimate site, they could be suffering as a result now, because people will avoid them, thinking they are phishers.
UPDATE XIV: Was It a Success?
If the iPhone offer site is not run by the phishers, and they were set up as affiliates, there’s the possibility that the phishers may not benefit at all, if the iPhone offer site cuts them off. (Assuming, of course, that the affiliate program doesn’t offer an instant affiliate payment of some kind.)
If the iPhone offer site is run by the phishers, there is a good chance that they made some money off the deal. While it is likely that many people will notice the fee being charged to their phone bill, and either cancel or dispute it, it remains likely that some people wouldn’t notice for quite a while.
Some people were of the opinion that trying something like this on a social networking site wasn’t a good idea, because of how quickly the warnings could be sent to people. But, even this morning, there are people seemingly unaware of the phishing scheme. Even yesterday, in the midst of all the heavy tweeting and retweeting of warnings, there were still people tweeting their friends asking why they sent them a bad link.
So, it is possible for a scheme like this to achieve some success on a social network. Let’s say that out of the thousands and thousands of people on Twitter, only 500 people ended up getting signed up for that $9.99/mo. service. (I’m just using the $9.99/mo. as the example; there were varying rates for various carriers.) That’s $4,995. Or, if it was an affiliate program (and the phishers didn’t get caught) with, for example, a 10% referral fee, that’s still $499. That’s not bad for two days’ work, especially in parts of the world where a dollar may go farther.
This illustrates several things about Twitter:
1) Not everyone is on 24/7. So, just because one round of warnings gets sent out doesn’t mean that everyone will see them. Some people got annoyed with all the warnings, but, if only one warning is sent out, it can be quickly lost in the Twitter stream.
2) All your followers don’t read all your tweets. You’d tweet a warning, even see it get retweeted, and still there would be people tweeting, asking about what’s going on.
3) Some people stay on their Replies page, so they won’t see general tweets.
That’s all common sense stuff, but also the reason why, in such a situation, multiple warnings may need to be sent out. Otherwise, and even still, people are apt to miss them.
Better yet is if people are educated about these things. Some people put up blog pages listing all the people they received DMs from. I don’t think that such a “Wall of Shame” is really necessary. Most, if not all, of those people will have been victims of the phishing attack. Why make matters worse for them by publicly identifying them? Send them a DM or an eMail. If you can’t do either of those, then, as a last resort, use an @reply to try to let them know.
Rather than call out the senders, it is better to let people know what to watch out for, by identifying the type of message being sent as well as the URLs those messages will direct them to.
Since the senders, the messages and the URLs are all subject to change, the best bet is to simply inform people of what to be on the lookout for in general. Phishing is here to stay, and simply waiting a few days for things to “settle down” isn’t going to change that. You will continue to get phishing messages in your eMail and, now, in your Twitter stream or DMs too.
Don’t rely on other people to warn you about a phishing scam! Learn what to watch out for!
UPDATE XV: Twitter Hacked Too
Twitter was apparently hacked into as well. Some high profile accounts were compromised. The problem has apparently been remedied, but no further details have yet been posted. Here is Twitter’s blog entry on the hacking. (Thanks to @KrisColvin for the tip!)
They recommend changing your password as a precaution. Even if you didn’t fall victim to the phishing scam, if Twitter itself was hacked, your account could be at risk too. So, do change your password as a precaution. This, unlike some of the mass hysteria yesterday regarding changing your password, is good advice. I am changing mine.
UPDATE XVI: Details from Twitter
Twitter has posted details on the hacking incident, which was unrelated to the phishing.
UPDATE XVII: New Phishing DM
This appears to be a new phishing DM. The site kind of looks legitimate, but the URL is being sent out by different accounts, so it’s looking like those accounts may have been compromised by phishing. I wouldn’t provide any personal data to the listed website.
Here is the text and URL:
“Heyy!! this website got me completely out of debt!! http://freedebt4u.com”
If you get that in a DM, I’d just delete it.