We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,225 News Articles

Twitter users tricked by new phishing attack

Scam steals usernames and passwords

Twitter is warning users of a new phishing scam on the social networking site.

It's the latest in a series of scams that have plagued the site over the past year, designed to trick victims into giving up their user names and passwords.

"We've seen a few phishing attempts today, if you've received a strange DM and it takes you to a Twitter login page, don't do it!," Twitter wrote on its Spam message page.

The message reads, 'hi. this you on here?' and includes a link to a fake website designed to look like a Twitter log-in page. After entering a user name and password, victims enter an empty blogspot page belonging to someone named NetMeg99.

Neither of these pages appears to include any type of attack code, but both should be considered untrustworthy, according to Sophos Technology Consultant Graham Cluley. "It seems like this was a straightforward phishing campaign, rather than an attempt - at this stage at least - to spread virally," he said via email.

Victims get these direct messages only from people they follow on Twitter, so they seem more believable than other types of spam. Once a user has been phished by the attack, the criminals are then able to direct message all of the victim's contacts with the phishing spam.

"These sort of things have been happening for over a year on Twitter," Cluley said.

Hacked Twitter accounts are a great launching pad for more attacks, Cluley said. "We don't know precisely what they're going to do in this case, but often they will send spam messages to advertise a particular site."

Because about a third of users have the same passwords for all of their online activity, criminals can also use the same log-in information to try to get into other web services such as Gmail or Yahoo, Cluley said.

"If you've fallen for one of these traps, don't just change your Twitter password; change your password on every website you use," Cluley siad. "Use non-dictionary words and use something that's hard to guess."

The Twitter attack comes as Facebook users are also under siege. Security researchers say that a spam botnet is has sent out hundreds of thousands of fake password reset messages. When victims try to open an attachment that supposedly contains their new password, they end up running a Trojan horse program, called Bredolab, that then installs unwanted software on their PCs.

See more:

PC security advice


IDG UK Sites

8 cheapest 4G smartphones in the UK 2014: Best budget 4G phones

IDG UK Sites

Apple MacBook Air lab tests and benchmarks: 11-inch & 13-inch, 256GB, 2014 Mac laptops tested

IDG UK Sites

How to prank people using Google Glass

IDG UK Sites

Brian Cox to step into will.i.am's shoes with IBC keynote