Twitter hooked by phishermen, hackers. Facebook users beware
As if Twitter wasn't already beleaguered enough, 33 of its highest-profile accounts were hacked today by a masked bad person.
The targets included Britney Spears, Fox News, Facebook, Huffington Post and Rick Sanchez of CNN. In each case, the hacker assumed the voice of the compromised individuals or companies, making it look like those parties were publishing unsavory comments about themselves. Spears appeared to post about unusual features of her anatomy, Sanchez about using "crack," and Fox News about what might seem to be surprising romantic tendencies of "Bill O Riley" [sic].
This is on the heels of a phishing scam that heated up over the weekend, when many Twitter users were lured to a phony home page where some unwittingly gave up their login information. In an admirably transparent explanation post, Twitter has said the two breaches were not related.
But to drop another whale into Twitter's security sludge, the phishing site that was set up to hoodwink Twitter's users has a second front door that looks exactly like another well-known social media site.
The address of the fake Twitter site was twitter.access-login.com/login, but take out the "/login" part and you arrive at the following dead-ringer for the Facebook homepage:
The phony site comes complete with the Facebook favicon, working text input areas and radio buttons. It's basically identical to the site's real entrance. Attempt to log in (which we did with a decoy account), and you're marooned on a 404 error page -- your name and password no doubt secreted in some Chinese database.
Luckily, Firefox now throws up a warning page before it allows you access to either of these sites, and even when you bypass that, the browser displays a big red alert bar at the top: "Reported Web Forgery!"
Internet Explorer gives no warning at all.
As it turns out, any address ending in .access-login.com will send you to the bogus Facebook page, a change that suggests the scammers have more than one plan of attack on the social media nebula.
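The two addresses above share one pattern: the brand name ("twitter") sits in a subdomain or path of a registrable domain the brand does not own (access-login.com), and because the scammers control that domain, any subdomain of it resolves to their page. The following is an added illustration, not code from the article's authors or from Twitter or Facebook, of how a defender can flag that pattern in URLs from e-mail or proxy logs. It assumes a small hand-built allow-list of brand domains and a deliberately simplified registrable-domain rule (last two labels, plus a few two-level public suffixes) in place of the full Public Suffix List; the sample URLs are constructed, with the two from the article included.

```python
"""Flag URLs where a known brand name appears outside the brand's own domain.

Added illustration for the article above (not the authors' code).  The
registrable-domain logic is a simplification and an assumption of this
example: last two labels, plus a tiny hand-picked set of two-level public
suffixes, rather than the full Public Suffix List.
"""
from urllib.parse import urlsplit

# Brand -> registrable domains the brand actually owns.
# Constructed allow-list for the demo; keep it centrally maintained in practice.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com", "fb.com"},
}

# Minimal stand-in for the Public Suffix List (assumption of this example),
# so that "example.co.uk" is treated as one registrable domain.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample input: the two addresses from the article plus a few
# legitimate and lookalike URLs a mail filter or proxy log might contain.
SAMPLE_URLS = [
    "http://twitter.access-login.com/login",
    "http://access-login.com/",
    "https://twitter.com/login",
    "https://www.facebook.com/",
    "http://facebook.login.example.co.uk/",
    "http://example.org/facebook/login",
]


def registrable_domain(host: str) -> str:
    """Return the part of the host name that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a URL as 'ok', 'brand-in-subdomain' or 'brand-in-path'.

    The check fires when a brand name occurs in the subdomain labels (or in
    the path) while the registrable domain is not one the brand owns, which
    is exactly the twitter.access-login.com/login pattern.  Any subdomain of
    a brand's own domain is left alone.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain, e.g. ["twitter"].
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    path_words = [w for w in parts.path.lower().split("/") if w]

    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue  # the brand's own site
        if any(brand in label for label in sub_labels):
            return {"url": url, "verdict": "brand-in-subdomain",
                    "brand": brand, "registrable_domain": reg}
        if any(brand in word for word in path_words):
            return {"url": url, "verdict": "brand-in-path",
                    "brand": brand, "registrable_domain": reg}
    return {"url": url, "verdict": "ok", "brand": None,
            "registrable_domain": reg}


def scan(urls) -> list:
    """Classify every URL and return only the suspicious ones."""
    return [r for r in (classify_url(u) for u in urls) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(f"{hit['verdict']:<20} brand={hit['brand']:<9} "
              f"domain={hit['registrable_domain']:<18} {hit['url']}")
```

Note what the heuristic cannot do: the bare access-login.com address (the fake Facebook front door) carries no brand name at all and is classified as "ok", which is why a name-based check is only a first filter and browser or mail blocklists like the "Reported Web Forgery" warning Firefox showed are still needed for sites that are already known to be forgeries.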
Probably not related but still noteworthy: Over the last few days, we've received several phishy e-mails that claim to be from Facebook but aren't, with subject lines like "Chris sent you a message on Facebook," and "Jenny commented on your status." The e-mails don't lead back to the .access-login.com site, but given what we know about how the Twitter phishing worked, it's easy to see a round of fake Facebook malspam that would bring you to the same nasty place.
-- David Sarno and Mark Milian


Thanks for this article. I noticed today that the Huffington Post was twittering some rather bizarre messages. It'll be interesting to see who is behind all of this.
Posted by: Pablo Manriquez | January 05, 2009 at 05:01 PM
This is very scary stuff. This is just another example of how no one is safe from those who would steal our identities for whatever dubious purposes. We are indeed living in a culture where our privacy seems to be up for grabs. We may see more controls and more of our personal info watched under the guise of protecting us from those that wish to do us harm for their own personal gain in the near future.
Maybe the new technology we have so readily embraced has a dark side that far outweighs the advantages.
Posted by: stan munsey | January 05, 2009 at 05:09 PM
twitter = Owned
Posted by: scythist | January 06, 2009 at 06:19 AM
I hope this doesn't scare folks off of Twitter, but it definitely raises questions about just how secure it really is.
Next time, folks, only click on links from people you know. I got a bunch of links from people I didn't even follow. X'd those babies out quickly.
Posted by: Daniel | January 06, 2009 at 06:30 AM
The end user will always be the weakest link in any security. Users of social networking sites are already open to posting gobs of personal information online. Passwords to these convergent sites are becoming more and more enticing.
Facebook compromises coupled with its integration with other sites is even scarier. Think about the tie between Facebook and Amazon with one-click shopping, yikes.
Technology has become commonplace, but society is still clueless about the security implications. These sites weren't hacked, but the people using these sites were subversively made to give up their password.
Posted by: David | January 06, 2009 at 12:46 PM
LOL, Myspace kicks them ALL to the curb!
www.web-privacy.pro.tc
Posted by: Jack Boatright | January 06, 2009 at 12:48 PM
Someone still uses IE? Idiots.
Posted by: John Beard | January 06, 2009 at 01:59 PM
"no doubt secreted in some Chinese database. "
Maybe I didn't read your article correctly, so forgive me if I am wrong, but was there any information suggesting that the people committing this crime were Chinese? Why do you assume your information will end up in a Chinese database? I mean I'm not Chinese but if I was I'd be pretty offended by that. Make sure you are correct before you say "no doubt". Geez.
Posted by: Rohan | January 06, 2009 at 04:57 PM
Rohan --
Thanks, I should've mentioned that the DNS listing indicates the site is owned by someone in China. Of course, the DNS info could be bogus, so no way to know for sure. http://tr.im/320g
I must ask, however, why you'd only be offended at a perceived stereotype if you were a member of the group being slighted? I always prefer to be offended on behalf of other groups -- it builds unity!
(Not that I could see exactly what the slight would've been this case ... that Chinese are more likely to be hackers? I think you could even see that as a compliment...)
Anyhow, thanks for writing.
Posted by: David Sarno | January 06, 2009 at 05:36 PM