Twitter twormented by phishers
A phisher or phishers operating over the holiday weekend deluged Twitter users with direct messages luring the unwary to a page designed to steal their sign-in information.
The phishers appear to have gained access to one or more accounts with known or guessable passwords. They used those accounts to send direct messages to other users; those DMs included a URL that looked vaguely like one for Twitter and led to a page requesting the user's login information. The URL, bloggertwit.access-logins.com, was registered on December 16 to a Zhang Xiaohu in the Hunan province of China, via Xin Net Technology Corp. of Beijing.
Whoever's doing this, they're mighty busy. "Problogger," a.k.a. Darren Rowse, has around 8,847 people he follows on the service and 26,186 followers. He tweeted early Monday morning that he'd counted 50-60 phishing DMs so far in the attack. (Only those Tweetfolk you follow can DM you.) He, like many, many others affected by the attack, put out an urgent call for all Twitter users to change their passwords ASAP.
Rowse also noted that the scam changed over the weekend. Originally the shifty URL directed users to a Twitter-like page that requested Twitter usernames and passwords, apparently using that information to DM each user's followers. At some point during the weekend -- around the time Twitter took action to block the URL -- the redirect page became an iPhone lookalike. And at press time access-logins.com -- we type these things into our browsers so you don't have to -- displays what looks like a normal sign-in page for Facebook.
1:08 pm PST January 5, 2009 - When it rains it pours: A second wave of trouble splashes on deck at Twitter as 33 "celebrity" and news-oriented Tweetstreams, including official accounts used by Britney Spears, Barack Obama, Bill O'Reilly, Fox News, the Huffington Post, and CNN correspondent Rick Sanchez, were compromised late Sunday night.
The breaches seemed mainly to consist of juvenile graffiti (claiming that the writer was on crack, gay, or the like), and appear to be unrelated to the problem reported earlier.
Sanchez, at least, seems to be mainly baffled by the problem. His tweetstream details the situation as it unfolded: After being warned of the problem by a follower late yesterday, he turned the issue over to his tech staff ("appears so, tech guys here at cnn working on it now. i'm still trying to get briefed. will advise. more at 3 est"), described the in-house response ("hack/phish hapnd while i took 1/2 hour to re-hab knee down in gym. when i got back, told by staff. cnn security, pr, etc, suits all on it."), and eventually confirmed that Twitter honchos were on the case ("biz stone seems to have handle on it thru twitter. he's in contact with my staff.").
Biz Stone blogged an update on the second hack late Monday morning, describing it as distinctly different from the earlier phishing attempt. (He also noted that it has nothing to do with the upcoming OAuth authentication protocol the service is prepping.) According to Stone, the compromised security tools have been taken offline indefinitely.