Twitter phishing scam

I just fell for a Twitter phishing scam -- it took the form of a direct message from one of my contacts, with the message "This you????" and a link to a site that prompted me for my Twitter password (which, like an idiot, I entered before noticing what the URL was; blame it on browsing with a tiny mobile-phone screen while in line at the coffee shop). You have been warned -- stay away from anything that reads "This you????" or "This you in this video????" Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis. Even if it's not a scam, it's probably too dumb to read.


  1. I fell for it too. Was on a mobile phone. Luckily, I realised straight away what had happened and changed my password.

  2. I was tricked by one too. It was also from my phone. :(

    Funny thing is, the fake site gives you an “incorrect password” message when you try to log in. So, and I expect anyone could make this mistake, I proceeded to enter many of my passwords for the many different sites I use trying to figure out what I was doing wrong.

  3. I’m sorry to hear that you were phished – how annoying! – but I also think it’s secretly kind of great for people to see that this kind of thing can happen to absolutely anyone. I think we can all be a little too confident that we, the technologically awesome, will never fall for this kind of attack.

    So, thanks for taking that bullet and reminding me not to be too certain of myself in that regard.

  4. [Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis.]

    Get out of my head!

  5. Haha, when I clicked the link in my feed reader, boingboing’s CSS sheet took a while to kick in (didn’t show the login field right for comments), so for a second there I thought *this* was a phishing site :P

    Anyway, I find my password manager works as a very good anti-phishing feature. If Firefox doesn’t auto-add my username/password to the login fields, it’s a clue for me to double-check the URL before typing anything in :D
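The tripwire described in comment 5 works because a password manager keys saved credentials to the origin (scheme plus host) where they were entered and offers them only on an exact match, so a lookalike login page gets nothing filled in. The Python below is an added illustration of that rule; it is not code from the post, from Firefox, or from any real password manager. The credential store, the usernames and every URL it checks are constructed for the demo, and it keys on scheme and host only (a real manager also keys on port).

```python
"""Origin-matched credential autofill as a phishing tripwire.

Added example, not code from the post or from a real password manager. The
saved-credential store and all URLs below are constructed for the demo.
"""
from urllib.parse import urlsplit

# Constructed store: (scheme, host) -> (username, password). Port is omitted
# to keep the demo short; real managers key on it too.
SAVED_CREDENTIALS = {
    ("https", "twitter.com"): ("cory", "s3cret-bird"),
    ("https", "mail.example.org"): ("cory", "correct-horse"),
}


def normalize_host(host):
    """Lower-case, strip a trailing dot and IDNA-encode the host so that
    Unicode look-alikes are compared in their punycode form. None if unusable."""
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def origin_of(url):
    """(scheme, host) of a URL as the browser sees it. Anything before an '@'
    is userinfo, not the host, so 'https://twitter.com@evil.example/' is an
    evil.example page, whatever the user reads in the address bar."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    if host is None:
        return None
    return (parts.scheme.lower(), host)


def lookup(url):
    """Saved (username, password) for this exact origin, or None."""
    origin = origin_of(url)
    if origin is None:
        return None
    return SAVED_CREDENTIALS.get(origin)


def explain_no_fill(url):
    """Why the manager stayed silent: the clue the user should act on."""
    origin = origin_of(url)
    if origin is None:
        return "unparseable host"
    scheme, host = origin
    for saved_scheme, saved_host in SAVED_CREDENTIALS:
        if host == saved_host and scheme != saved_scheme:
            return f"scheme mismatch: saved for {saved_scheme}, page is {scheme}"
        if host.startswith(saved_host + "."):
            return f"lookalike: {saved_host!r} is only a prefix of {host!r}"
        if host.endswith("." + saved_host):
            return f"subdomain {host!r} of {saved_host!r}: saved for the exact host only"
    return f"no credentials saved for {host!r}"


def autofill(url):
    """('fill', username) when the origin matches, else ('no-fill', reason)."""
    creds = lookup(url)
    if creds:
        return ("fill", creds[0])
    return ("no-fill", explain_no_fill(url))


if __name__ == "__main__":
    # Constructed URLs: one legitimate login page and five lookalikes.
    for u in [
        "https://twitter.com/login",
        "https://twitter.com.example-login.net/login",  # saved host as a prefix
        "http://twitter.com/login",                     # downgraded scheme
        "https://twitter.com@evil.example/login",       # userinfo trick
        "https://tvvitter.com/login",                   # typosquat
        "https://tw\u0131tter.com/login",               # dotless i, IDNA-encoded
    ]:
        print(f"{u:48} -> {autofill(u)}")
```

Only the first URL is filled; each of the others returns a reason the user can act on, which is exactly the "double-check the URL" moment the comment describes. The userinfo case is the one a small phone screen hides best: the string the user reads starts with the real hostname, but the browser connects to whatever follows the '@'.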

  6. I checked the site from Cory’s tweet and Firefox actually shows a phishing warning. Still, you should always think about what you click and remember to look at the address bar every now and then.

  7. I think the primary prerequisite for this kind of phishing attack is that the target be distracted… I was in the line at the coffee shop, I had a new phone that didn’t have my stored passwords in its browser (so I wasn’t surprised to be prompted for a password), and I had a little screen that didn’t prominently display the URL I was on. Combine that with URL obfuscation from the URL shortener and the fact that the DM came from a (hacked) trusted source, and you have a pretty powerful attack.

    I just thank goodness that the hackers were slow off the mark. If I were them, I would have had a compromised machine ready to immediately change the password on any account that was successfully hacked, so as to lock out the victim and prevent him from changing the password. I realized immediately what had happened, but it still took me about five minutes on my little phone to change my password. That’s a pretty long gap in computer terms. I wonder how many passwords they’re losing to their slowness?

    1. It’s OK, you can fess up to what really distracted you. The cape was flapping in your face and you were a little loopy from the altitude. This is why you should always follow the advice laid out in Ferdinand Adolf Heinrich August Graf von Zeppelin’s famous manual for high altitude airship safety.

  8. Multiple question marks? How about this:

    – Stay away from anything that asks you for your twitter password

    – Follow @spam and/or @security — they warned us about this particular scam a few days ago

  9. I also got one of those, and clicked the link on my iPhone.
    Safari then told me that this was a “reported scam site” and asked if I really wanted to enter.

    Needless to say, I didn’t.

  10. @cory in order to lock you out completely they would have to defeat the “forgot password + email” fallback.

  11. This happened to me (TWICE) as well. The only difference was MY ID (Twitter username) was the one used by the scammers, although it just looked like they were directing traffic to some websites. I kept my name but of course changed my password.

  12. It’s gotten to the point where I never click through to any page that asks for username and password, no matter who’s asking. I’ll type in the URL and go from there. Otherwise, I’m sure there’s some phishing scam that can fool me, somehow, someday.

  13. This is a prime example of why you should also always have a different user/pass for various sites. Even if you changed your Twitter pass, if they have your information, what are the odds it is the same for your bank, Facebook, Gmail, etc.? Cory may do this already, but I bet a lot of readers don’t.

  14. I am with bigboing (#1) on this one. If the great Cory Doctorow, who I imagine is 1,000,000 times more proficient and aware of these types of computer hijinks, can be tricked, then I have no hope of surviving out here in the world.

    This is like Norm Abrams cutting himself in his woodshop.

    This is like Apollo Ohno slipping on the ice.

    This is like Canada losing to the US in men’s hockey, oh wait…

    You’re right about the distractions. Obfuscating the URL and using the social engineering technique of coming from a friend are all classics to put us at ease and off our guard. I am going to turn up my web paranoia dial for the time being.

    1. Like this phishing scam, our recent loss to the Great Republic to the South may have just been a head fake.

  15. RT @doctorow: Ignore anything that uses multiple question marks for emphasis. Even if it’s not a scam it’s probably too dumb to read.

  16. I made a video of this phishing attack and posted it on YouTube:

    As well as changing their passwords, folks hit by this attack should also check the Settings/Connections settings on their Twitter account. If there are any third-party applications you don’t recognise listed there, revoke their permission to access your account.

    Graham Cluley, senior technology consultant, Sophos

  17. This is a good example of why SSO systems like OAuth are a good idea. I’m automatically logged into Facebook as long as I’m logged into Google. For some reason it doesn’t ALWAYS work (cookies do expire) but it works enough that if I get a “Facebook” login screen, I check twice.

    Can twitter do this?

  18. It’s like the child and the hot stove, you get warned about it, and you get warned about it some more, but it’s not until you actually get burned that you REALLY learn it.

    My learning experience was back in 1999 or 2000. I was in the middle of trying to leave AOL and got phished for my acct # and CC#. It’s not until the moment that you release the “SUBMIT” button that you realize your mistake.

  19. Funny you posted this Cory—I spent yesterday morning chatting with a Facebook scammer posing as my aunt. “She” told me she was held at gunpoint in London and needed $600 to fly back to the US. I actually fell for it until she started getting aggro about the money transfer. Then I called her on the phone and found out she was safely in California.

    1. ??? It seemed reasonable that a kidnapped elderly lady would use Facebook’s chatting to contact her loved ones in an emergency like that?

      I guess I don’t know your aunt. For all I know, some people might even put this stuff on their gmail status messages. “SamSam is… currently being held at gunpoint. Can anyone send a million dollars to Nigeria for me?

  20. Could happen to anyone. The key, as Cory says and is the case in any good magic trick, is distraction.

    Remember the ST:TNG episode “Ship in a Bottle” where Picard falls for the holodeck Moriarty’s phishing scam and enters his password into the holodeck Engineering console instead of the real one?

    1. I have been known to use multiple punctuation marks, but only for self-mockery – basically dogwhistling to people that know me that I’m being ironic or sarcastic or rhetorical, and not particularly serious either way.

  21. Cory,
    It may be the objective of the scam to rely on folks maintaining the same password for multiple accounts. Twitter password unlocks Yahoo account, bank, secret lair, etc.
