We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,078 News Articles

Twitter users tricked by new phishing attack

Scam steals usernames and passwords

Twitter is warning users of a new phishing scam on the social networking site.

It's the latest in a series of scams that have plagued the site over the past year, designed to trick victims into giving up their user names and passwords.

"We've seen a few phishing attempts today, if you've received a strange DM and it takes you to a Twitter login page, don't do it!," Twitter wrote on its Spam message page.

The message reads, 'hi. this you on here?' and includes a link to a fake website designed to look like a Twitter log-in page. After entering a user name and password, victims enter an empty blogspot page belonging to someone named NetMeg99.

Neither of these pages appears to include any type of attack code, but both should be considered untrustworthy, according to Sophos Technology Consultant Graham Cluley. "It seems like this was a straightforward phishing campaign, rather than an attempt - at this stage at least - to spread virally," he said via email.

Victims get these direct messages only from people they follow on Twitter, so they seem more believable than other types of spam. Once a user has been phished by the attack, the criminals are then able to direct message all of the victim's contacts with the phishing spam.

"These sort of things have been happening for over a year on Twitter," Cluley said.

Hacked Twitter accounts are a great launching pad for more attacks, Cluley said. "We don't know precisely what they're going to do in this case, but often they will send spam messages to advertise a particular site."

Because about a third of users have the same passwords for all of their online activity, criminals can also use the same log-in information to try to get into other web services such as Gmail or Yahoo, Cluley said.

"If you've fallen for one of these traps, don't just change your Twitter password; change your password on every website you use," Cluley siad. "Use non-dictionary words and use something that's hard to guess."

The Twitter attack comes as Facebook users are also under siege. Security researchers say that a spam botnet is has sent out hundreds of thousands of fake password reset messages. When victims try to open an attachment that supposedly contains their new password, they end up running a Trojan horse program, called Bredolab, that then installs unwanted software on their PCs.

See more:

PC security advice


IDG UK Sites

Swatch to release its own line of smartwatches to rival iWatch

IDG UK Sites

From the iPhone 6 to the iWatch and a new Apple TV we look at the products Apple is set to launch...

IDG UK Sites

Miranda July's Somebody app offers a very unusual take on messaging

IDG UK Sites

The 7 most ridiculous iPhone 6 rumours: what Apple WON'T reveal on 9 September