View Full Version : New Twitter Phish Employs Wrong User/Pass Trick

10-10-2010, 03:13 PM
Security researchers warn of a new phishing attack on Twitter, which tricks users into exposing their credentials by displaying a fake error message about a wrong username and password combination.

The attack starts with a direct message sent from compromised accounts, which reads "You have to be the first to see these new pictures!! <link>"

Clicking on the link opens a phishing page hosted on an external domain, which looks exactly like the real Twitter log-in page after someone inputted wrong credentials.

An error message at the top reads "Wrong Username/Email and password combination" and was added to trick users into believing that some sort of automatic authentication was attempted in order to access the photos, but failed.

Misguided users, who input their log-in information into this page will submit it to the attackers and will get redirected to the Twitter home page.

"There are two pieces of evidence here that you’ve been phished: Firefox asks if you want it to remember the password which you just gave to my3gb.com – obviously the phishing site (up since July 12).

"And there’s the Twitter "sign in" button on the page. That wouldn’t be there if you had really logged in," Tom Kelchner, a security researcher with Sunbelt Software, writes.

This scheme is almost worm-like, with every new phished account being used to send more DM spam and direct new people into the trap.

Of course, people should always make sure that they are on the page they are supposed to be on, before inputting their username and password.

It's better to log in via the SSL-protected version of Twitter, which will also protect your credentials from man-in-the-middle attacks on unprotected wireless networks. This can be achieved by manually typing https://twitter.com (note the https) in the browser's address bar.

This advice is not only valid for Twitter, but for any service supporting the feature. Firefox users can install an extension called HTTPS Everywhere and which forces https on a number of popular websites.

New Twitter Phish Employs Wrong User/Pass Trick - Softpedia (http://news.softpedia.com/news/New-Twitter-Phish-Employs-Wrong-User-Pass-Trick-160193.shtml)