Twitter phishing scam


35 Responses to “Twitter phishing scam”

  1. Anonymous says:

    It’s gotten to the point where I never click through to any page that asks for username and password, no matter who’s asking. I’ll type in the URL and go from there. Otherwise, I’m sure there’s some phishing scam that can fool me, somehow, someday.

  2. Anonymous says:

    This is a prime example of why you should also always have a different user/pass for various sites. Even if you changed your Twitter pass, if they have your information, what are the odds it is the same for your bank, Facebook, Gmail, etc.? Cory may do this already but I bet a lot of readers don’t.

  3. hhype says:

    I am with bigboing (#1) on this one. If the great Cory Doctorow, who I imagine is 1,000,000 times more proficient and aware of these types of computer hijinks, can be tricked, then I have no hope of surviving out here in the world.

    This is like Norm Abrams cutting himself in his woodshop.

    This is like Apollo Ohno slipping on the ice.

    This is like Canada losing to the US in men’s hockey, oh wait…

    You’re right about the distractions. Obfuscating the URL and using the social engineering technique of coming from a friend are all classics to put us at ease and off our guard. I am going to turn up my web paranoia dial for the time being.

  4. Anonymous says:

    Oh crap I use the multi question mark thing all the time… I’m not a spambot!! I swear!!!

  5. MrJM says:

    RT @doctorow: Ignore anything that uses multiple question marks for emphasis. Even if it’s not a scam it’s probably too dumb to read.

  6. GrahamCluley says:

    I made a video of this phishing attack and posted it on YouTube:

    As well as changing their passwords, folks hit by this attack should also check the Settings/Connections settings on their Twitter account. If there are any third party applications you don’t recognise listed there, revoke their permission to access your account.

    Graham Cluley, senior technology consultant, Sophos

  7. WeightedCompanionCube says:

    This is a good example of why SSO systems like OAuth are a good idea. I’m automatically logged into Facebook as long as I’m logged into Google. For some reason it doesn’t ALWAYS work (cookies do expire) but it works enough that if I get a “Facebook” login screen, I check twice.

    Can Twitter do this?

  8. Anonymous says:

    It’s like the child and the hot stove, you get warned about it, and you get warned about it some more, but it’s not until you actually get burned that you REALLY learn it.

    My learning experience was back in 1999 or 2000. I was in the middle of trying to leave AOL and got phished for my acct # and CC#. It’s not until the moment that you release the “SUBMIT” button that you realize your mistake.

  9. geech says:

    thou shalt not tweet

  10. Anonymous says:

    The only excuse for doing that is it being past 1am…

  11. Anonymous says:

    I fell for it too. Was on a mobile phone. Luckily, I realised straight away what had happened and changed my password.

  12. Anonymous says:

    I was tricked by one for It was also from my phone. :(

    Funny thing is, the fake site gives you an “incorrect password” message when you try to log in. So, and I expect anyone could make this mistake, I proceeded to enter many of my passwords for the many different sites I use trying to figure out what I was doing wrong.

  13. bigboing says:

    What chance does a simpleton stoop like me have against the evil force of fresh phish?

  14. Pippin says:

    I’m sorry to hear that you were phished – how annoying! – but I also think it’s secretly kind of great for people to see that this kind of thing can happen to absolutely anyone. I think we can all be a little too confident that we, the technologically awesome, will never fall for this kind of attack.

    So, thanks for taking that bullet and reminding me not to be too certain of myself in that regard.

  15. Anonymous says:

    [Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis.]

    Get out of my head!

  16. DarwinSurvivor says:

    Haha, when I clicked the link in my feed reader, boingboing’s css sheet took a while to kick in (didn’t show the login field right for comments) so for a second there I thought *this* was a phishing site :P

    Anyway, I find my password manager works as a very good anti-phishing feature. If Firefox doesn’t auto-add my username/password to the login fields, it’s a clue for me to double-check the URL before typing anything in :D
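The two defensive habits raised in comments 2 (a different password per site) and 16 (the password manager only fills on the site the credentials were saved for) can be shown in code. This is an added example, not code from the thread or from any password manager; the vault layout and the sample credentials are constructed.

```python
# Added example (not from the thread): a password manager offers saved
# credentials only on an exact origin match, so a lookalike host or a plain
# http page gets nothing, which is the phishing clue comment 16 describes.
# A second helper reports passwords reused across origins (comment 2).
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact origin they were saved on.
VAULT = {
    "https://twitter.com": ("alice", "correct-horse"),
    "https://mail.example.com": ("alice", "correct-horse"),   # same password reused
    "https://bank.example.net": ("alice", "battery-staple"),
}


def origin(url):
    """Return scheme://host[:port] for a URL, lowercased; None if not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def autofill_candidates(vault, page_url):
    """Credentials a manager would offer on page_url: exact-origin match only.

    Substring or suffix matching would let twitter.com.attacker.example
    trigger autofill, so the comparison is on the whole origin string.
    """
    return [cred for saved, cred in vault.items() if saved == origin(page_url)]


def reused_passwords(vault):
    """Map each password stored for more than one origin to the origins sharing it."""
    by_password = {}
    for saved, (_, password) in vault.items():
        by_password.setdefault(password, []).append(saved)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # A lookalike host constructed for the demo; no autofill is offered there.
    print(autofill_candidates(VAULT, "http://twitter.com.example-login.net/session"))
    print(reused_passwords(VAULT))
```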

  17. sirgregg says:

    I checked the site from Cory’s tweet and Firefox actually shows a phishing warning. Still, you should always think about what you click and remember to look at the address bar every now and then.

  18. Cory Doctorow says:

    I think the primary prerequisite for this kind of phishing attack is that the target be distracted… I was in the line at the coffee shop, I had a new phone that didn’t have my stored passwords in its browser (so I wasn’t surprised to be prompted for a password), and I had a little screen that didn’t prominently display the URL I was on. Combine that with URL obfuscation from the URL shortener and the fact that the DM came from a (hacked) trusted source, and you have a pretty powerful attack.

    I just thank goodness that the hackers were slow off the mark. If I were them, I would have had a compromised machine ready to immediately change the password on any account that was successfully hacked, so as to lock out the victim and prevent him from changing the password. I realized immediately what had happened, but it still took me about five minutes on my little phone to change my password. That’s a pretty long gap in computer terms. I wonder how many passwords they’re losing to their slowness?

    • Enoch_Root says:

      It’s ok, you can fess up to what really distracted you. The cape was flapping in your face and you were a little loopy from the altitude. This is why you should always follow the advice laid out in Ferdinand Adolf Heinrich August Graf von Zeppelin’s famous manual for high altitude airship safety.

  19. lalo says:

    Multiple question marks? How about this:

    - Stay away from anything that asks you for your twitter password

    - Follow @spam and/or @security — they warned us about this particular scam a few days ago

  20. indiecognition says:


  21. Anonymous says:

    I also got one of those, and clicked the link on my iPhone.
    Safari then told me that this was a “reported scam site” and asked if I really wanted to enter.

    Needless to say I didn’t.

  22. celynnen says:

    “Multiple exclamation marks are a sure sign of a diseased mind.”

  23. Anonymous says:

    man… I always am a little 2 liberal with the usage of punctuation.. damn!!!

  24. Anonymous says:

    @cory in order to lock you out completely they would have to defeat the “forgot password + email” fallback.

  25. charlie98022 says:

    I saw this scam in Facebook, too.

  26. rose bush says:

    This happened to me (TWICE) as well. The only difference was MY id (Twitter username) was the one used by the scammers, although it just looked like they were directing traffic to some websites. I kept my name but of course changed my password.

  27. phlavor says:

    I wouldn’t fall for this because I would never be friends with anyone who uses multiple punctuation marks.

    • Jerril says:

      I have been known to use multiple punctuation marks, but only for self-mockery – basically dogwhistling to people that know me that I’m being ironic or sarcastic or rhetorical, and not particularly serious either way.

  28. Anonymous says:

    It may be the objective of the scam to rely on folks maintaining the same password for multiple accounts. Twitter password unlocks yachoo account, bank, secret lair, etc….

  29. Lisa Katayama says:

    Funny you posted this Cory—I spent yesterday morning chatting with a Facebook scammer posing as my aunt. “She” told me she was held at gunpoint in London and needed $600 to fly back to the US. I actually fell for it until she started getting aggro about the money transfer. Then I called her on the phone and found out she was safely in California.

    • SamSam says:

      ??? It seemed reasonable that a kidnapped elderly lady would use Facebook’s chatting to contact her loved ones in an emergency like that?

      I guess I don’t know your aunt. For all I know, some people might even put this stuff on their gmail status messages. “SamSam is… currently being held at gunpoint. Can anyone send a million dollars to Nigeria for me?”

  30. Nadreck says:

    Could happen to anyone. The key, as Cory says and is the case in any good magic trick, is distraction.

    Remember the ST:TNG episode “Ship in a Bottle” where Picard falls for the Holodeck Moriarty’s phishing scam and enters his password into the holodeck Engineering console instead of the real one?
