Phishing in the Twitter pond

According to security experts Sophos, Twitter users are now being hit by significant degrees of spam and phishing attacks. Over the course of the weekend (3rd & 4th of January 2009) thousands of users have reported having received bogus messages. The messages appear to come from friends, with an invitation to click on a link to a website and pretend to lead to funny pictures or blogs about the recipient. For those familiar with the argot these messages are relatively easy to spot. They commonly take the form of:

"Hey, i found a website with your pic on it... LOL check it out here"
"hey! check out this funny blog about you..."

Clicking through leads to a false page that steals login names and passwords. As Graham Cluley, senior technology consultant at Sophos says "It would be bad enough to hand your Twitter username and password over to a criminal, as they could pose as you online and spread malware and spam to your friends and followers. However, as an alarming 41 per cent of internet users foolishly use the same user name and password for every website they access, the potential for abuse is even greater,". It seems likely that it's this habit of using the same login information that makes Twitter phishing so attractive.

Stephen Fry's response to being phished Celebrity Steven Fry seems to have fallen for one of these lures although it is not believed that his account has been compromised.

Sophos note that having gleaned some initial information the cyber criminals are then using the compromised Twitter identities for a second wave of spam that promises an Apple iPhone, for example:

"hey. I won an iphone! come see how here"
"Wanna win the new iPhone? It's so easy and cool, I love this thing!"

Links in these messages lead to another site which attempts to glean more information from the user.

(trk)