IT security firm, Sophos, has warned Twitter users on a new attack that has led to thousands of accounts being compromised by hackers using a Web 2.0 botnet. The hijacked accounts are later used to spread money-making spam campaigns.
The security firm found out that fellow members of the micro-blogging network had posted messages disguised as humorous inks, but were actually aimed to phish passwords credentials from unsuspecting users.
These messages were accompanied with clickable links which redirected users to a fake Twitter login page hosted on a website based in China.
"This phishing attack has been causing headaches for Twitter users all weekend, resulting in thousands of users being put at risk of having their account broken into," said Graham Cluley, senior technology consultant at Sophos. "The cybercriminals behind the attack are creating a zombie network, or botnet, of hacked accounts that they can then abuse to spread spam, distribute malware and steal identities. There's nothing funny about the attack - you have to be on your guard against clicking on the dangerous messages. If you've fallen foul of it, or find direct messages in your Sent box that you didn't send, you must change your Twitter password immediately."
Sophos researchers discovered that although the main wave of poisoned messages has been via private direct messages between individual users on Twitter, dangerous links are also being posted in public feeds. This means that innocent users can stumble across the links even if they are not sent it directly, or even if they are not a signed-up user of Twitter.
"It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users and optionally made public," continued Cluley. "This has resulted in the bizarre site of Twitter accounts warning their followers about the phishing attack, only to subsequently fall victim to it themselves."
Sophos has identified that the phishing campaign appears to be already bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts.
"Unless the hacked Twitter users change their passwords, the intruders can continue to spread spam and other attacks from their hijacked accounts," explained Cluley.