A campaign run on Twitter tries to lure users onto a phishing page whose only goal is to harvest users’ credentials.
It seems that either compromised Twitter accounts or bots are used to deliver a spam message with a Tumblr link to Twitter users. The link, naturally, redirects the user to a phishing web location.
Researchers from Malwarebytes report that the campaign was so active at times that it sent more than 200 messages in ten minutes. The attack was carried out for at least 6 hours.
The fake tweets that the security firm detected referred to a “strange rumor” about the potential victim, supposedly posted on Tumblr.
The moment the user accesses the URL, they are shown a message saying that their Twitter session has been interrupted and that the problem can be solved by signing into the account again.
A quick look at the web address the message originates from shows that a scam lies behind the apparently friendly request, one designed specifically to collect Twitter credentials. What gives the scam away is the lack of an encrypted connection.
An experienced user can recognize a scheme like this at a glance, but most computer users may easily fall into the trap.
How to recognize a phishing scam
As phishing schemes are widely spread across social websites, it is good to know what to look for and how to recognize them.
- Beware of links in suspicious email messages
- Pay attention to bad grammar and spelling
- Watch out for threatening messages saying your account will be terminated if you do not respond to the email
- Keep in mind that scam creators often use statistics or graphics in their messages that appear to be connected to legitimate websites, but whose only purpose is to redirect you to scam pages
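Turning the tells the article names (no encrypted connection, a "Twitter login" page that is not on Twitter's own domain) into a simple triage check is an added example, not part of the original report; the set of official login hosts and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse

# Assumption: hostnames where a genuine Twitter login page may live.
OFFICIAL_LOGIN_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def triage_login_url(url: str) -> list[str]:
    """Return the reasons a URL claiming to be a Twitter login page looks suspicious.

    Checks: no encrypted connection, a host that is not Twitter's, the brand
    name embedded in a look-alike host, and userinfo used to disguise the host.
    An empty list means none of these checks fired, not that the page is safe.
    """
    reasons = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append("no encrypted connection (scheme is %r)" % parts.scheme)

    if host not in OFFICIAL_LOGIN_HOSTS:
        reasons.append("host %r is not an official Twitter login host" % host)
        if "twitter" in host:
            reasons.append("brand name 'twitter' used inside a look-alike host")
        if parts.username is not None:
            # http://twitter.com@evil.example/ -> the real host is evil.example
            reasons.append("userinfo before '@' hides the real host")

    return reasons


if __name__ == "__main__":
    # Constructed sample links, modelled on the redirect described in the article.
    samples = [
        "https://twitter.com/login",
        "http://twitter.com/login",
        "http://twitter-session-check.example/login",
        "https://twitter.com@evil.example/login",
    ]
    for link in samples:
        verdict = triage_login_url(link) or ["no red flags from these checks"]
        print(link)
        for reason in verdict:
            print("   -", reason)
```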
What Security Experts Recommend
Experts strongly advise users to enable two-factor authentication for the service. The second verification code ensures that the person logging in is the actual owner of the account. This code can be received as a text message on the user’s mobile phone. This way, the risk of someone else using the username and password is eliminated.