Phishers targeting Twitter have had a long week.
In the past several days, a series of scams has hit the microblogging service, snaring, among others, British energy minister Ed Miliband and House of Commons leader Harriet Harman, whose account was used to send a bogus message to fellow U.K. politician Alan Duncan.
In Miliband’s case at least, his account was used to blast out a message to his followers that looked like this: “hhey, i’ve been having better sex and longer with this here.” The message was followed by a link to a phishing site resembling Twitter’s log-in page.
This is not the only phishing attack to hit Twitter in the past week or so. Sophos observed another that sought to lure users in with this message:
“Lol. this is me?? lol , this is funny. Lol. this you??”
A separate attack simply stated: “This you????” In both cases, yet again, the messages preceded a link to a mock Twitter log-in page.
While compromising Twitter accounts to send out sexual messages is bad enough, there can be even more at stake when an attacker gets his or her hands on user credentials for sites like Twitter. For one thing, security pros have increasingly uncovered evidence of social networking sites like Facebook and Twitter being used as part of broader attacks, to the point where a compromised Twitter account can go for as much as $1,000 in the cyber-underworld.
In addition, many people tend to use the same password to log in to multiple sites, which means once an attacker has one set of credentials, he or she can potentially use that to get access to a host of other sites, noted Graham Cluley, senior technology consultant at Sophos, in a blog post.
“If Miliband makes that kind of mistake, then he has potentially opened up his e-mail account, his eBay account, his PayPal and Amazon account… basically, his entire online life could be handed over to hackers,” Cluley blogged. “So, learn the lesson for yourself: choose a strong and different password for every Website.”
And be skeptical of the links you receive, especially if they are accompanied by out-of-character Tweets with the word hey misspelled.