A phishing campaign targeting Twitter has morphed, according to researchers at Sophos. Phishers are now using accounts compromised in the initial campaign launched over the weekend to snare Twitter users lured by the promise of an iPhone.
Phishers are hooking more and more Twitter users in campaigns to steal their
account data, according to security researchers.
reported over the weekend has expanded, with spammers now
using compromised accounts to initiate
a new campaign
that capitalizes on the popularity of the Apple iPhone.
According to Sophos, the latest barrage of phishing e-mails contains
messages like this: "hey. i won an iphone! come see how here."
Others read: "Wanna win the new iPhone? It's so easy and cool, I love
this thing! Visit: [url removed]."
Graham Cluley, senior technology consultant at Sophos, speculated in a blog
post that spammers are earning a commission via affiliate links by directing
traffic to these Web sites.
"A compromised Twitter account can be abused just like a compromised botnet
PC," Cluley said in an interview with eWEEK. "It can be exploited by hackers to
launch further spam campaigns, or to spread malware or to attempt identity
A warning about the initial campaign was posted Saturday on the Twitter
blog. That attack worked by sending out e-mails that resembled notifications
from Twitter about Direct Messages. According to Twitter, a typical e-mail in
this attack reads: "hey! check out this funny blog about you ..." and
provides a link to a phony Twitter log-in page.
While the damage of losing Twitter credentials may seem minimal at first
glance, as the recent campaign shows, the potential exists for the information
to be used for social engineering purposes in a broad range of cyber-scams. In
addition, Cluley pointed out that many people use the same password for every
Web site they access.
"That means that if hackers now have your Twitter details, they can also
perhaps log in to your Gmail, eBay, PayPal, Amazon, Hotmail and other online
accounts and create a greater impact on your identity and wallet," he said.
Twitter advises users to immediately reset their passwords if they have been
victimized by the scheme.