The chickens have come home to roost. The hundreds of accounts compromised this morning are now being used to post messages directing people toward a second phishing site located in China.
After this morning’s phishing attack on Twitter via the (almost) typosquatted domain tvviter (two v’s standing in for a w), this evening is seeing waves of new attacks that use the accounts compromised earlier in the day.
This time the compromised accounts are posting messages that say simply “there is this funny blog going around” or “hey check thiss out”, accompanied by a link obfuscated through the URL shortening service ur.lc (UR.LCompressor).
The link once again leads to a fake Twitter front end designed to harvest credentials from the unwary. Not only that, the same server is also hosting a fully prepared MySpace phishing site.
- Always check the URL in the address bar before entering your credentials for any online service, and read the domain carefully: tvviter is meant to pass for twitter at a glance.
- Never click links from friends if you don’t know where they lead; a compromised friend’s account posts exactly what a friend would.
- Obfuscated URLs are becoming an ever more common tool of cybercriminals, so consider using the longurl browser plug-in to see the true destination of a shortened URL before you click on it.
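The two checks above (where does the short link really go, and is the final hostname a lookalike of the real service) can also be done from a script rather than by eye. The following is an added example, not code from the original post or from the longurl project. It follows a shortener’s redirect chain one hop at a time, using HEAD requests so no page body is ever downloaded, and then tests the final hostname against a small brand list using a table of confusable letter pairs (the “vv” for “w” trick of tvviter) plus an edit distance of one. The brand list, the confusable table, the `example.cn` hostnames and the `CONSTRUCTED_RESPONSES` table that stands in for the network are all assumptions made for the example; `http_head_fetch` is the live fetcher you would pass in instead.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumption: the brands whose login pages were being imitated in this incident.
BRANDS = ("twitter.com", "myspace.com")

# Assumption: letter pairs that read as one different letter in many fonts.
# "tvviter" is the "vv" -> "w" case from this attack.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

REDIRECT_CODES = (301, 302, 303, 307, 308)


def normalize_confusables(label: str) -> str:
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(host: str):
    """Return the brand a hostname imitates, or None when it is the genuine
    domain (or a subdomain of it) or unrelated to every brand in the list."""
    host = host.lower().rstrip(".")
    if host in BRANDS or any(host.endswith("." + b) for b in BRANDS):
        return None
    for brand in BRANDS:
        name = brand.split(".")[0]
        for label in host.split("."):
            norm = normalize_confusables(label)
            # brand name embedded in a label, or one typo away from it
            if name in norm or edit_distance(norm, name) <= 1:
                return brand
    return None


def expand_redirects(url: str, fetch, max_hops: int = 10):
    """Follow a shortener's redirect chain one hop at a time.
    `fetch(url)` must return (status, Location header or None)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def check_link(url: str, fetch):
    """Resolve a short link; report the brand its destination imitates, if any."""
    chain = expand_redirects(url, fetch)
    return chain, impersonated_brand(urlsplit(chain[-1]).hostname or "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head_fetch(url: str, timeout: float = 5.0):
    """Live fetcher: a single HEAD request, no redirect following, no body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed responses standing in for the network, modelled on the chains the
# post describes (ur.lc -> lookalike login page; shortener -> .cn spam site).
CONSTRUCTED_RESPONSES = {
    "http://ur.lc/funny": (301, "http://tvviter.com/login"),
    "http://tvviter.com/login": (200, None),
    "http://ur.lc/blog": (302, "/r/xq7"),
    "http://ur.lc/r/xq7": (302, "http://twitter.com.login.example.cn/"),
    "http://twitter.com.login.example.cn/": (200, None),
    "http://ur.lc/trial": (302, "http://acai.example.cn/free-trial"),
    "http://acai.example.cn/free-trial": (200, None),
    "http://ur.lc/loop": (302, "http://ur.lc/loop"),
}


def fake_fetch(url: str):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://ur.lc/funny", "http://ur.lc/blog", "http://ur.lc/trial"):
        chain, brand = check_link(short, fake_fetch)
        print(" -> ".join(chain), "| imitates:", brand or "nothing")
```

Two design points worth noting. The fetcher never follows redirects itself, so every hop is visible and a loop or an over-long chain is an error rather than a hang; and the lookalike test runs per DNS label, which catches both the tvviter style of typo and the older trick of burying the real brand in a subdomain of an unrelated .cn registration. A hostname that is a genuine subdomain of a listed brand is deliberately never flagged.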
Maybe the folks at Twitter should consider not counting URLs towards the 140 character limit imposed on posts, so that obfuscated URLs such as this become the exception rather than the rule.
UPDATE: Twitter seem to have deleted all the phishing posts from the compromised accounts and reset their passwords. At 00:36 GMT today the notification mail below was sent out to all affected account holders. As yet there is no update on the Twitter blog.
UPDATE: It seems the end-game of these waves of attacks may have been to spam Twitter users with links to weight-loss supplement free-trial sites, with the spammers hoping to earn money through affiliate marketing. The first wave of attacks was used to post messages luring people to the second Twitter phishing site, so it was easy to identify who had been taken in by that first attack; the victims of the second attack were not visible until this large-scale spam outbreak.
Hours after the final wave of phishing attacks, hundreds of Twitter accounts were used to post links pointing users to a website marketing a “Free Trial” of an Acai Berry dietary supplement. The links pointed to a long list of nonsensical hostnames in the .cn top-level domain (China).
This was closely followed by a second wave of spam pointing to the same destinations, but hiding the URLs using URL shortening services.
A bit of digging revealed that the destination web sites in the .cn domain were all connected to an affiliate marketing company called Incentaclick, which I imagine was paying the domain owners every time someone filled out the Acai Berry free-trial form. Let’s hope no-one did.
This graphic only represents a few of the destination domains hosting the Acai Berry site.