Twitter password phishing

1 minute read

Our friend in the UK got this via a contact. It was from a Twitterer who obviously had his Twitter login stolen:

TwitterPhish6

(Twitter apparently is filtering this URL at this point.)

The link led to a phishing page that used the deceptive tactic of showing an error message: “Wrong Username/Email and password combination.” You login, it steals your Twitter password, sends the above Tweet to all your contacts and continuing rounding up passwords.

TwitterPhish4

If you’re “ill-informed” enough to log in to the phishing page, it snatches what ever username and password you’ve entered and passes you along to the Twitter log-in page. We made up a username and password and it took them. The real Twitter log-in page would have given you an error notification.

There are two pieces of evidence here that you’ve been phished: Firefox asks if you want it to remember the password which you just gave to my3gb.com – obviously the phishing site (up since July 12). And there’s the Twitter “sign in” button on the page. That wouldn’t be there if you had really logged in.

TwitterPhish7

This is phishing. The safe practice in this situation is: don’t log into pages that you get as links in emails. Go to the site yourself: type in the URL or use your bookmark.

Credit to Tom Kelchner

Leave a comment