Thousands of users have been compromised by a phishing scam on Tumblr that created fake login pages to harvest password information.
An ongoing phishing attack continues to steal login
credentials of several thousand users on the social-blogging platform Tumblr.
The phishing attack harvests user login credentials for
Tumblr accounts from a fake login page, Christopher Boyd and Jovi Umawing,
security researchers at GFI Labs, wrote in their analysis of the Tumblr
June 28. Once user credentials are stolen, the scammers hijack the
user's Tumblr page to spread the scam further.
The attack relies on Tumblr accounts that have already been
compromised. The hijacked Tumblr pages look like the actual login page, with a
message, "This page contains adult content. Please revalidate your
credentials." Scammers have collected thousands of login credentials using
these zombie login pages, Boyd and Umwaing said.
"It seems the lure of sexual content will work as many
times as Lucy can pull the football out each time Charlie Brown tries to kick
it," wrote Randy Abrams, director of technical education, on the ESET
Once a user has been compromised, the scammers hijack the
user's Tumblr site and turns it into the fake login page. The account then
"follows" other users. When users see a new follower and click on the
name to see more information, they are shown the fake login page, restarting
the attack cycle all over again.
"Somebody started following me so I went to check out
their blog and just saw this [login screen]. Hurray, a new wave of virus going
around tumblr," wrote a user warning others
There are also other phishing sites designed to look like
official Tumblr pages that direct users to malicious domains that have the fake
login screen in place.
The attack is "cunning" Abrams said, as it used
URLs that look like they could be legitimate Tumblr addresses when they really
aren't. The three domains, tumblrlogin, tumblriq and tumblrsecurity, have been
registered within the last two weeks and are being run from free hosting
services, according to researchers. While they are no longer resolving, that
doesn't mean there aren't other sites still tricking users, Boyd and Umwaing
Firefox is already blocking the sites as dangerous. Tumblr
is warning users to not enter passwords on any site other than the main login
page and to change passwords immediately if phished. Tumblr is also restoring
sites for those users who have been compromised and are still tracking down the
source of the scam.
"Phishing is a game of numbers," wrote Stefan
Tanase, a senior security researcher at Kaspersky Lab, wrote on the Securelist
. Even though many users are aware of phishing, enough still fall for the
scam that cyber-criminals can still easily compromise thousands of accounts,
Boyd and Umawing claimed to have seen some of the data
containing the stolen information. With "8,200 lines of text stretched
across 304 pages of Microsoft Word," the stolen data is "quite the
goldmine of pilfered login credentials," the researchers wrote.
Login information for a site like Tumblr might not seem like
much, but a recent analysis on leaked password data and several high profile
data breaches have shown that users continue to have a high rate of password usage
Websites and services. Compromising one service often means attackers have
enough information required to break into other services, including e-mail and