Beware of Twitter Phishing Scam
The world was shaken apart this New Year's weekend when a substantial number of Twitter users received a Direct Message (DM) directing them to a phishing site hosted on Google's Blogspot. The phishing scam was seemingly designed to steal the Twitter credentials (i.e. username and password) of unsuspecting visitors. A lot of chatter about the phishing scam continues on Twitter even though the fire has been mostly extinguished. Naturally, Mashable, Inquisitr and many others have picked up the story.
If you have received, or do receive, a DM directing you to a malicious web site using an access-logins.com domain, I encourage you not to enter your Twitter credentials at the site, should you opt to visit. If you use Firefox, the site has already been added to Firefox's phishing database and should be blocked automagically by default.
Even though the site is a phishing site, designed to trick you into entering your Twitter credentials, it is entirely safe to visit the site without ever entering a username and password. Even though the design is identical to twitter.com, the site is completely innocuous until you hand over your Twitter login information. Simply put: do not hand over your Twitter password.
As mentioned in our coverage of Twply, you should never hand over your credentials to an unknown, untrusted third-party.
The Twitter team was made well aware of the scam early on and has posted a message on the Twitter Status blog, informing users of the attempt to phish their Twitter credentials. Additionally, a message on Twitter, directly above the timeline, reads:
If you receive an email notice saying you’ve received a Direct Message with a link that redirects to what seems like Twitter.com, be careful about entering your Twitter credentials. Instead, look closely at the URL to see if it’s not really Twitter but a sketchy phishing site like http://twitter.access-logins.com. If this has you feeling a bit weirded out, feel free to change your Twitter password.
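The advice above boils down to one check: is the hostname in the link actually twitter.com, or just a hostname that mentions Twitter somewhere, such as twitter.access-logins.com? The following is an added example, not code from the original post or from Twitter, showing how a defender might automate that check over links pulled from notification emails. It assumes twitter.com is the only legitimate domain (the page names no others) and uses a simple "last two labels" rule for the registrable domain, which is adequate for .com but would need the Public Suffix List for domains like example.co.uk. The sample URLs in the block are constructed for illustration, apart from the lookalike the page itself quotes.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption for this example: the real service lives only under twitter.com.
LEGIT_DOMAINS = {"twitter.com"}


def _with_scheme(url: str) -> str:
    """urlsplit only recognises a host when a scheme is present, so add one if missing."""
    return url if "://" in url else "http://" + url


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the URL's hostname, lower-cased, or None if unparsable.

    urlsplit().hostname already discards userinfo ('twitter.com@evil.example'),
    the port, and upper-case letters, so those classic tricks fall away here.
    """
    try:
        host = urlsplit(_with_scheme(url)).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if not host:
        return None
    labels = host.rstrip(".").split(".")  # trailing dot is a valid FQDN spelling
    if len(labels) < 2 or any(label == "" for label in labels):
        return None
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Label a link as 'legit', 'lookalike', 'other' or 'invalid'.

    'lookalike' means the URL mentions twitter anywhere but the owning domain
    is not twitter.com, which is exactly the pattern the phishing DM used.
    """
    domain = registrable_domain(url)
    if domain is None:
        return "invalid"
    if domain in LEGIT_DOMAINS:
        return "legit"
    if "twitter" in url.lower():
        return "lookalike"
    return "other"


def triage(urls):
    """Map each URL to its label; handy over a batch of links extracted from DM emails."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links; the second one is the lookalike quoted in the post.
    samples = [
        "https://twitter.com/home",
        "http://twitter.access-logins.com",
        "http://twitter.com.access-logins.com/login",
        "http://twitter.com@access-logins.com/",
        "https://www.TWITTER.com/",
        "http://example.org/",
    ]
    for link, label in triage(samples).items():
        print(f"{label:10} {link}")
```

The key design choice is to decide on the registrable domain rather than on whether the string "twitter" appears at all: the phishing host contains "twitter" as a subdomain, which is precisely why it fools people who only glance at the start of the URL.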
I am not entirely convinced this scam was designed to exploit Twitter’s missing authentication scheme. This was a classic case of phishing for user credentials, which may ultimately be exploited elsewhere. Had this scam been designed to elevate the visibility of the missing API component, there would have been no need to direct users to a site using the twitter.com design. There are better ways of doing that, such as the method Twply opted to use.
What this phishing scam has identified is that Twitter usage has reached critical mass. Even though Twitter was primarily used by the savvy early adopter crowd, many average, everyday, unsuspecting users now partake in the service daily. The phishers obviously believed phishing Twitter users to be a good opportunity. Who can argue with that?
I will continue to say this until I am blue in the face, but it is imperative to not use the same password on multiple sites. When you use the same password across sites, you open up your online identity to being stolen quite easily. Maybe that is the real lesson for Twitter users: immediately change your Twitter password so it is no longer “in sync” with other sites?