IT security and data protection firm Sophos is warning that a
major attack against Twitter users this weekend was designed to
steal passwords and use hijacked accounts to spread money-making
spam campaigns.
The attack, which is ongoing, began on Saturday, as Twitter
users found that fellow members of the micro-blogging network had
posted messages disguised as humorous links, but actually aimed to
phish the login credentials of unsuspecting users.
Messages, which began with phrases such as "Lol. this is me??",
"lol , this is funny.", "Lol. this you??" and "ha ha, u look funny
on here", were accompanied with clickable links which redirected
users to a fake Twitter login page hosted on a website based in
China called BZPharma.net.
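The lure pattern described above (a short "LOL" phrase plus a link that leads to a login page on a host that is not Twitter's) can be checked mechanically. The following is an added example, not Sophos's code; the sample messages and the phishing host names in it are constructed, and the list of legitimate hosts is an assumption for this example.

```python
import re
from urllib.parse import urlparse

# Lure phrases quoted in the Sophos advisory, normalised to lowercase.
LURE_PHRASES = (
    "lol. this is me??",
    "lol, this is funny.",
    "lol. this you??",
    "ha ha, u look funny on here",
)

# Hosts allowed to serve a Twitter login form (assumption for this example).
LEGITIMATE_HOSTS = ("twitter.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _normalise(text):
    """Lowercase, collapse whitespace, and drop spaces before punctuation
    so that 'lol , this' and 'lol, this' compare equal."""
    text = re.sub(r"\s+", " ", text.lower()).strip()
    return re.sub(r"\s+([,.?!])", r"\1", text)


def _host_is_legitimate(url):
    """True only for twitter.com itself or a real subdomain of it.
    A lookalike such as twitter.com.evil.invalid fails this check."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS)


def classify_message(text):
    """Return (is_suspicious, reason) for one direct message or public post."""
    norm = _normalise(text)
    lure = next((p for p in LURE_PHRASES if p in norm), None)
    external = [u for u in URL_RE.findall(text) if not _host_is_legitimate(u)]
    if lure and external:
        return True, f"lure {lure!r} with off-site link {external[0]}"
    return False, "no lure phrase combined with an off-site link"


# Constructed sample messages; the .invalid hosts are placeholders.
SAMPLE_MESSAGES = [
    "Lol. this is me?? http://login.example-phish.invalid/",
    "ha ha, u look funny on here http://twitter.com/someuser/status/1",
    "Check out the new Sophos threat report http://www.sophos.com/",
    "lol , this is funny. https://twitter.com.example-phish.invalid/login",
]


def scan(messages):
    """Return the (message, reason) pairs that should be flagged."""
    return [(m, classify_message(m)[1]) for m in messages if classify_message(m)[0]]
```

Running `scan(SAMPLE_MESSAGES)` flags the first and fourth messages only; the second is a lure phrase with a genuine twitter.com link, and the third has no lure phrase at all.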
"This phishing attack has been causing headaches for Twitter
users all weekend, resulting in thousands of users being put at
risk of having their account broken into," said Graham
Cluley, senior technology consultant at Sophos. "The
cybercriminals behind the attack are creating a zombie network, or
botnet, of hacked accounts that they can then abuse to spread spam,
distribute malware and steal identities. There's nothing funny
about the BZPharma LOL attack - you have to be on your guard
against clicking on the dangerous messages. If you've fallen foul
of it, or find direct messages in your Sent box that you didn't
send, you must change your Twitter password immediately."
Sophos researchers discovered that although the main wave of
poisoned messages has been via private direct messages between
individual users on Twitter, dangerous links are also being posted
in public feeds. This means that innocent users can stumble across
the links even if the links were not sent to them directly, or even
if they are not signed-up users of Twitter.
"It appears what is happening is that the messages are being
shared more widely because of third-party services like GroupTweet
which extend the standard Twitter direct message (DM) functionality
and allow private messages to be sent to multiple users and
optionally made public," continued Cluley. "This has resulted in
the bizarre sight of Twitter accounts warning their followers about
the phishing attack, only to subsequently fall victim to it
themselves."
Sophos has identified that the phishing campaign already appears to
be bearing fruit for the hackers, who are now distributing spam
selling sex enhancement products from the compromised accounts.
"Unless the hacked Twitter users change their passwords, the
intruders can continue to spread spam and other attacks from their
hijacked accounts," explained Cluley. "Cyber-attacks via social
networks are becoming more and more common. Last month Sophos
published its Security Threat
Report which revealed that there has been an astonishing
70% rise in the number of users reporting spam and malware
attacks via social networking sites."
More details about the attack can be found on Graham Cluley's
blog.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.