A major
attack against Twitter users this weekend was designed to steal
passwords and use hijacked accounts to spread money-making spam
campaigns.
The attack, which is ongoing, began on Saturday, when Twitter users found
that fellow members of the micro-blogging network had posted messages
disguised as humorous links but actually designed to phish login
credentials from unsuspecting users.
The messages, which began with phrases such as "Lol. this is me??", "lol ,
this is funny.", "Lol. this you??" and "ha ha, u look funny on here",
were accompanied by clickable links that redirected users to a fake
Twitter login page hosted on a China-based website at the domain
BZPharma.net.
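The lure described above combines a short "lol" hook with a link that lands on a login page outside twitter.com. The following is an added example, not code from the article or from Sophos, showing how a mail or timeline filter might flag such messages: it looks for the quoted lure phrases and for links whose host is not twitter.com or a subdomain of it. The allowlisted host, the sample messages and the look-alike domain `login-example.net` are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Lure phrases quoted in the article, normalised to lowercase words with
# punctuation removed so "Lol. this is me??" and "lol , this is funny." match.
LURE_PHRASES = (
    "lol this is me",
    "lol this is funny",
    "lol this you",
    "ha ha u look funny on here",
)

# Hosts where a genuine Twitter login form may live (assumption for this example).
LEGIT_LOGIN_HOSTS = ("twitter.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalise(text):
    """Lowercase, drop URLs and punctuation, collapse whitespace."""
    text = URL_RE.sub(" ", text).lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())


def host_matches(host, allowed):
    """True only if host equals `allowed` or is a subdomain of it.

    A plain substring check is the classic mistake: the look-alike
    'twitter.com.login-example.net' contains 'twitter.com' but is not Twitter,
    so the comparison must be on whole labels.
    """
    host = host.lower().rstrip(".")
    allowed = allowed.lower()
    return host == allowed or host.endswith("." + allowed)


def is_legit_login_url(url):
    """True if the URL's real host (after any user@ prefix) is allowlisted.

    urlparse().hostname discards userinfo, so
    'http://twitter.com@login-example.net/' resolves to login-example.net.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, a) for a in LEGIT_LOGIN_HOSTS)


def classify_message(text):
    """Return 'phish', 'suspicious' or 'ok' for one DM or tweet body.

    'phish'      : lure phrase plus a link to a non-Twitter host
    'suspicious' : lure phrase but every link (if any) stays on Twitter
    'ok'         : no lure phrase
    """
    lure = any(p in normalise(text) for p in LURE_PHRASES)
    if not lure:
        return "ok"
    offsite = [u for u in URL_RE.findall(text) if not is_legit_login_url(u)]
    return "phish" if offsite else "suspicious"


# Constructed sample messages in the style of the campaign (not real captures).
SAMPLES = [
    "Lol. this is me?? http://twitter.com.login-example.net/",
    "lol , this is funny. http://twitter.com@login-example.net/",
    "ha ha, u look funny on here https://twitter.com/someuser/status/1",
    "Lunch at noon? http://example.org/menu",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{classify_message(msg):10s} {msg}")
```

This is a heuristic, not a verdict: the article notes the links "redirected" users, so a filter applied to shortened or redirecting links must follow the redirect chain and check the final host, otherwise the shortener's domain is all it ever sees.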
"This phishing attack has been causing headaches for Twitter users all
weekend, resulting in thousands of users being put at risk of having
their account broken into," said Graham Cluley, senior technology
consultant at Sophos. "The cybercriminals behind the attack are creating
a zombie network, or botnet, of hacked accounts that they can then abuse
to spread spam, distribute malware and steal identities. There's nothing
funny about the BZPharma LOL attack - you have to be on your guard
against clicking on the dangerous messages. If you've fallen foul of it,
or find direct messages in your Sent box that you didn't send, you must
change your Twitter password immediately."
Sophos researchers found that although the main wave of poisoned
messages has been sent as private direct messages between individual
users on Twitter, the dangerous links are also being posted in public
feeds. This means that innocent users can stumble across the links even
if they were not sent one directly, and even if they are not signed up
to Twitter at all.
"It appears what is happening is that the messages are being shared more
widely because of third-party services like GroupTweet which extend the
standard Twitter direct message (DM) functionality and allow private
messages to be sent to multiple users and optionally made public,"
continued Cluley. "This has resulted in the bizarre sight of Twitter
accounts warning their followers about the phishing attack, only to
subsequently fall victim to it themselves."
Sophos has found that the phishing campaign is already bearing fruit for
the attackers: spam advertising sex-enhancement products is now being
sent from the compromised accounts.
"Unless the hacked Twitter users change their passwords, the intruders
can continue to spread spam and other attacks from their hijacked
accounts," explained Cluley. "Cyber-attacks via social networks are
becoming more and more common. Last month Sophos published its Security
Threat Report which revealed that there has been an astonishing 70% rise
in the number of users reporting spam and malware attacks via social
networking sites."