Phishers are hooking more and more Twitter users in campaigns to steal their account data, according to security researchers.
The initial phishing attack reported over the weekend has expanded, with spammers now using compromised accounts to initiate a new campaign that capitalizes on the popularity of the Apple iPhone.
According to Sophos, the latest barrage of phishing e-mails contains messages like this: “hey. i won an iphone! come see how here.” Others read: “Wanna win the new iPhone? It’s so easy and cool, I love this thing! Visit: [url removed].”
Graham Cluley, senior technology consultant at Sophos, speculated in a blog post that spammers are earning a commission via affiliate links by directing traffic to these Web sites.
“A compromised Twitter account can be abused just like a compromised botnet PC,” Cluley said in an interview with eWEEK. “It can be exploited by hackers to launch further spam campaigns, or to spread malware or to attempt identity theft.”
A warning about the initial campaign was posted Saturday on the Twitter blog. That attack worked by sending out e-mails that resembled notifications from Twitter about Direct Messages. According to Twitter, a typical e-mail in this attack reads: “hey! check out this funny blog about you …” and provides a link to a phony Twitter log-in page.
While the damage of losing Twitter credentials may seem minimal at first glance, as the recent campaign shows, the potential exists for the information to be used for social engineering purposes in a broad range of cyber-scams. In addition, Cluley pointed out that many people use the same password for every Web site they access.
“That means that if hackers now have your Twitter details, they can also perhaps log in to your Gmail, eBay, PayPal, Amazon, Hotmail and other online accounts and create a greater impact on your identity and wallet,” he said.
Twitter advises users to immediately reset their passwords if they have been victimized by the scheme.