Twitter hooked by phishermen, hackers. Facebook users beware
As if Twitter wasn't already beleaguered enough, 33 of its highest-profile accounts were hacked today by a masked bad person.
The targets included Britney Spears, Fox News, Facebook, Huffington Post and Rick Sanchez of CNN. In each case, the hacker assumed the voice of the compromised individuals or companies, making it look like those parties were publishing unsavory comments about themselves. Spears appeared to post about unusual features of her anatomy, Sanchez about using "crack," and Fox News about what might seem to be surprising romantic tendencies of "Bill O Riley" [sic].
This is on the heels of a phishing scam that heated up over the weekend, when many Twitter users were lured to a phony home page where some unwittingly gave up their login information. In an admirably transparent explanation post, Twitter has said the two breaches were not related.
But to drop another whale into Twitter's security sludge, the phishing site that was set up to hoodwink Twitter's users has a second front door that looks exactly like another well-known social media site.
The address of the fake Twitter site was twitter.access-login.com/login, but take out the "/login" part and you arrive at the following dead-ringer for the Facebook homepage:
The phony site comes complete with the Facebook favicon, working text input areas and radio buttons. It's basically identical to the site's real entrance. Attempt to log in (which we did with a decoy account), and you're marooned on a 404 error page -- your name and password no doubt secreted in some Chinese database.
Luckily, Firefox now throws up a warning page before it allows you access to either of these sites, and even when you bypass that, the browser displays a big red alert bar at the top: "Reported Web Forgery!"
Internet Explorer gives no warning at all.
As it turns out, any address ending in .access-login.com will send you to the bogus Facebook page, a change that suggests the scammers have more than one plan of attack on the social media nebula.
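The address pattern above (a brand name stuck in front of a domain the brand does not own, with a wildcard that catches every host under it) is easy to check for mechanically. The following Python is an added example, not code from the article or from either company; the brand-to-domain table, the two-label shortcut for the registrable domain, and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Legitimate registrable domains of the two brands the kit imitated (assumed mapping).
BRAND_DOMAINS = {"twitter": "twitter.com", "facebook": "facebook.com"}
# The phishing zone named in the article; every host under it served the fake page.
BLOCKED_ZONES = {"access-login.com"}


def hostname_of(url: str) -> str:
    """Pull the lowercase hostname out of a URL, tolerating a missing scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Assumption: no public-suffix list is used,
    so multi-label suffixes such as co.uk are not handled by this toy version."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str):
    """Return (verdict, brand). Verdicts: legitimate, brand-impersonation,
    blocked-zone, unknown."""
    host = hostname_of(url)
    if not host:
        return ("unknown", None)
    apex = registrable_domain(host)
    # 1. The brand really owns the registrable domain (www.twitter.com, twitter.com).
    for brand, legit in BRAND_DOMAINS.items():
        if apex == legit:
            return ("legitimate", brand)
    # 2. A brand name appears in any label while someone else owns the domain,
    #    e.g. twitter.access-login.com: the visible name is not the owner.
    for brand in BRAND_DOMAINS:
        if any(brand in label for label in host.split(".")):
            return ("brand-impersonation", brand)
    # 3. Anything else under a reported phishing zone, whatever the subdomain.
    if apex in BLOCKED_ZONES:
        return ("blocked-zone", None)
    return ("unknown", None)
```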
Probably not related but still noteworthy: Over the last few days, we've received several phishy e-mails that claim to be from Facebook but aren't, with subject lines like "Chris sent you a message on Facebook," and "Jenny commented on your status." The e-mails don't lead back to the .access-login.com site, but given what we know about how the Twitter phishing worked, it's easy to see a round of fake Facebook malspam that would bring you to the same nasty place.
-- David Sarno and Mark Milian