Twitter phishing scam

Cory Doctorow at 1:51 am Wed, Feb 24, 2010

I just fell for a Twitter phishing scam -- it took the form of a direct message from one of my contacts, with the message "This you????" and a link to a site that prompted me for my Twitter password (which, like an idiot, I entered before noticing that the URL was twitter.scammysite.com; blame it on browsing with a tiny mobile-phone screen while in line at the coffee shop). You have been warned -- stay away from anything that reads "This you????" or "This you in this video????" Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis. Even if it's not a scam, it's probably too dumb to read.

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • Anonymous

    It’s gotten to the point where I never click through to any page that asks for username and password, no matter who’s asking. I’ll type in the URL and go from there. Otherwise, I’m sure there’s some phishing scam that can fool me, somehow, someday.

  • Anonymous

    This is a prime example why you should also always have a different user/pass for various sites. Even if you changed your twitter pass, if they have your information what are the odds it is the same for your bank, facebook, gmail, etc. Cory may do this already but I bet a lot of readers don’t.

  • hhype

    I am with bigboing (#1) on this one. If the great Cory Doctorow, who I imagine is 1,000,000 times more proficient and aware of these types of computer hijinks, can be tricked, then I have no hope of surviving out here in the world.

    This is like Norm Abrams cutting himself in his woodshop.

    This is like Apollo Ohno slipping on the ice.

    This is like Canada losing to the US in men’s hockey, oh wait…

    You’re right about the distractions. Obfuscating the URL and using the social engineering technique of coming from a friend are all classics to put us at ease and off our guard. I am going to turn up my web paranoia dial for the time being.

    • Ugly Canuck

      Like this phishing scam, our recent loss to the Great Republic to the South may have just been a head fake.

  • Anonymous

    Oh crap I use the multi question mark thing all the time… I’m not a spambot!! I swear!!!

  • MrJM

    RT @doctorow: Ignore anything that uses multiple question marks for emphasis. Even if it’s not a scam it’s probably too dumb to read.

  • GrahamCluley

    I made a video of this phishing attack and posted it on YouTube:

    http://www.youtube.com/watch?v=yFVqfgnZV6M

    As well as changing their passwords, folks hit by this attack should also check the Settings/Connections settings on their Twitter account. If there are any third party applications you don’t recognise listed there, revoke their permission to access your account.

    Cheers
    Graham Cluley, senior technology consultant, Sophos

  • WeightedCompanionCube

    This is a good example of why SSO systems like OAuth are a good idea. I’m automatically logged into Facebook as long as I’m logged into Google. For some reason it doesn’t ALWAYS work (cookies do expire) but it works enough that if I get a “Facebook” login screen, I check twice.

    Can twitter do this?

  • Anonymous

    It’s like the child and the hot stove, you get warned about it, and you get warned about it some more, but it’s not until you actually get burned that you REALLY learn it.

    My learning experience was back in 1999 or 2000. I was in the middle of trying to leave AOL and got phished for my acct # and CC#. It’s not until the moment that you release the “SUBMIT” button that you realize your mistake.

  • geech

    thou shalt not tweet

  • Anonymous

    The only excuse for doing that is it being past 1am…

  • Anonymous

    I fell for it too. Was on a mobile phone. Luckily, I realised straight away what had happened and changed my password.

  • Anonymous

    I was tricked by one for last.fm. It was also from my phone. :(

    Funny thing is, the fake site gives you an “incorrect password” message when you try to log in. So, and I expect anyone could make this mistake, I proceeded to enter many of my passwords for the many different sites I use trying to figure out what I was doing wrong.

  • bigboing

    What chance does a simpleton stoop like me have against the evil force of fresh phish?

  • Pippin

    I’m sorry to hear that you were phished – how annoying! – but I also think it’s secretly kind of great for people to see that this kind of thing can happen to absolutely anyone. I think we can all be a little too confident that we, the technologically awesome, will never fall for this kind of attack.

    So, thanks for taking that bullet and reminding me not to be too certain of myself in that regard.

  • Anonymous

    [Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis.]

    Get out of my head!

  • DarwinSurvivor

    Haha, when I clicked the link in my feed reader, boingboing’s css sheet took a while to kick in (didn’t show the login field right for comments) so for a second there I thought *this* was a phishing site :P

    Anyway, I find my password manager works as a very good anti-phishing feature. If firefox doesn’t auto-add my username/password to the login fields, it’s a clue for me to double-check the url before typing anything in :D

  • sirgregg

    I checked the site from Cory’s tweet and Firefox actually shows a phishing warning. Still, you should always think about what you click and remember to look at the address bar every now and then.

  • Cory Doctorow

    I think the primary prerequisite for this kind of phishing attack is that the target be distracted… I was in the line at the coffee shop, I had a new phone that didn’t have my stored passwords in its browser (so I wasn’t surprised to be prompted for a password), and I had a little screen that didn’t prominently display the URL I was on. Combine that with URL obfuscation from the URL shortener and the fact that the DM came from a (hacked) trusted source, and you have a pretty powerful attack.

    I just thank goodness that the hackers were slow off the mark. If I were them, I would have had a compromised machine ready to immediately change the password on any account that was successfully hacked, so as to lock out the victim and prevent him from changing the password. I realized immediately what had happened, but it still took me about five minutes on my little phone to change my password. That’s a pretty long gap in computer terms. I wonder how many passwords they’re losing to their slowness?

    • Enoch_Root

      It’s ok, you can fess up to what really distracted you. The cape was flapping in your face and you were a little loopy from the altitude. This is why you should always follow the advice laid out in Ferdinand Adolf Heinrich August Graf von Zeppelin’s famous manual for high altitude airship safety.

  • lalo

    Multiple question marks? How about this:

    - Stay away from anything that asks you for your twitter password

    - Follow @spam and/or @security — they warned us about this particular scam a few days ago

  • indiecognition

    but…why????

  • Anonymous

    i also got one of those, and clicked the link on my iphone.
    safari then told me that this was a “reported scam site” and if i really wanted to enter.

    needless to say i didn’t.

  • celynnen

    “Multiple exclamation marks are a sure sign of a diseased mind.”

    • Anonymous

      “Quoted statements that are not followed by attribution are the signs of a diseased mind”
      –me

  • Anonymous

    man… I always am a little 2 liberal with the usage of punctuation.. damn!!!

  • Anonymous

    @cory in order to lock you out completely they would have to defeat the “forgot password + email” fallback.

  • charlie98022

    I saw this scam in Facebook, too.

  • rose bush

    this happened to me (TWICE) as well. the only difference was MY id (twitter username) was the one used by the scammers. although it just looked like they were directing traffic to some websites. i kept my name but of course changed my password

  • phlavor

    I wouldn’t fall for this because I would never be friends with anyone who uses multiple punctuation marks.

    • Jerril

      I have been known to use multiple punctuation marks, but only for self-mockery – basically dogwhistling to people that know me that I’m being ironic or sarcastic or rhetorical, and not particularly serious either way.

  • Anonymous

    Cory,
    It may be the objective of the scam to rely on folks maintaining the same password for multiple accounts. Twitter password unlocks yachoo account, bank, secret lair, etc….

  • Lisa Katayama

    Funny you posted this Cory—I spent yesterday morning chatting with a Facebook scammer posing as my aunt. “She” told me she was held at gunpoint in London and needed $600 to fly back to the US. I actually fell for it until she started getting aggro about the money transfer. Then I called her on the phone and found out she was safely in California.

    • SamSam

      ??? It seemed reasonable that a kidnapped elderly lady would use Facebook’s chatting to contact her loved ones in an emergency like that?

      I guess I don’t know your aunt. For all I know, some people might even put this stuff on their gmail status messages. “SamSam is… currently being held at gunpoint. Can anyone send a million dollars to Nigeria for me?“

  • Nadreck

    Could happen to anyone. The key, as Cory says and is the case in any good magic trick, is distraction.

    Remember the ST:TNG episode “Ship in a Bottle” where Picard falls for the Holodeck Moriarty’s phishing scam and enters his password into the holodeck Engineering console instead of the real one?