Twitter users started getting hit with direct messages early Saturday afternoon by a phishing scam aimed at grabbing Twitter login and passwords. I tried to track down the original warning but all I found was this from Chris Pirillo. Could be he was the first to let the Twitterverse know and if so, thank you Chris.
The message is still being found on some accounts and it’s unclear if Twitter has been able to find the cause.
How Did It Work?
It looks as though this particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email said, “hey! check out this funny blog about you…” and then provided a link. That link redirected to a site masquerading as the Twitter front page.
If you didn’t look at the URL of this false Twitter page, then you might not have noticed that it was actually just a page on the domain access-logins.com which was also faking Facebook’s front page. We immediately reported the offending domain (and warned our friends at Facebook). The site is now on OpenDNS’ and Google’s reported phishing lists. – Twitter Blog
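The check the Twitter blog is describing, looking at which domain actually serves the login page rather than at its branding, written out as an added example (not code from the original post or from Twitter). It parses links from a notification email and flags any whose host is not twitter.com or a real subdomain of it; the allowed-host set, the sample message and the lookalike URLs other than access-logins.com are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve the Twitter login page (assumption for this example).
LEGITIMATE_HOSTS = {"twitter.com"}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Return the lowercase hostname of a URL, or None if there is none."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    # .hostname drops scheme, userinfo ("twitter.com@evil.example"), port and path,
    # so the user-facing text before an '@' cannot disguise the real host.
    return parts.hostname


def is_legitimate_host(hostname):
    """True only for an allowed domain or a genuine subdomain of it.

    A plain endswith("twitter.com") would accept "nottwitter.com"; requiring the
    dot boundary rejects that and "twitter.com.access-logins.com" alike.
    """
    if not hostname:
        return False
    return any(hostname == d or hostname.endswith("." + d) for d in LEGITIMATE_HOSTS)


def classify_link(url):
    """Label a single URL: 'expected', 'suspicious' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    return "expected" if is_legitimate_host(host) else "suspicious"


def flag_links(message):
    """Return (url, verdict) for every link in a message body."""
    return [(u.rstrip(".,)"), classify_link(u.rstrip(".,)"))) for u in LINK_RE.findall(message)]


# Constructed sample resembling the DM-notification email described in the post.
SAMPLE_EMAIL = ("hey! check out this funny blog about you... "
                "http://twitter.com.access-logins.com/login")

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:11} {url}")
```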
Twitter Becomes the Target
I figured it was only a matter of time. I made several comments over the past few months about the need for a more secure Twitter. I love the open API, but it also makes room for less than honorable people to exploit Twitter users. Since this is only a phishing scam, it requires people to go to a false website and enter their Twitter account information, which the site then steals. That is kind of Web 1.0 style. Phishing attacks have been around forever. I remember the good old AOL days when these kinds of attacks were a daily occurrence.
What I am dreading, but also know is just around the corner now, is a full-fledged Twitter attack. Many of us use twools (Twitter Tools) like Twollo, Bitly, and MrTweet. All of these and other Twitter twools require you to enter your username and password over an unsecured connection. All it takes is one geek to build a simple app that is appealing enough to get thousands of people to enter their user information, and let the mayhem begin.
I think this will come in 2009 and that will be a dark day in Twitter Land.