Twitter Hit By BZPharma LOL Phishing Attack
An anonymous reader writes "Twitter users are being warned not to click on messages saying 'lol, this is funny,' as they can lead to their account details being stolen. A widespread attack has hit Twitter this weekend, tricking users into logging into a fake Twitter page — and thus handing their account details over to hackers. Messages include 'Lol. this is me??' / 'lol , this is funny.' / 'ha ha, u look funny on here' / 'Lol. this you??' followed by a link in the form of http://example [dot] com/?rid=http://twitter.verify.bzpharma [dot] net/login, where 'example.com' can vary. Clicking on the link redirects users to the second half of the link, where the fake login page is hosted. In a video and blog entry, computer security firm Sophos is warning users that it is not just Twitter direct messages (DMs) that carry the poisoned links, but that they are appearing on public profiles too, due to services such as GroupTweet which republish direct messages. Sophos also reports that the site being used for the Twitter phishing has also been constructed to steal information from users of the Bebo social network. Affected users are advised to change their passwords immediately."
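The summary describes the lure's mechanics: an outer link on a throwaway domain whose `rid=` query parameter carries a second URL, so the victim lands on a login page whose hostname merely contains the word "twitter". The script below is an added example (not from the story or from Sophos) of how a defender might flag such messages offline: it extracts URLs from a message, unwraps redirect-style query parameters without touching the network, and reports when the final host is a brand lookalike, when the redirect changes host, when a `/login` path sits outside the real domain, and when the text carries one of the lure phrases quoted in the story. The sample messages and the allow-list of legitimate hosts are constructed for the example.

```python
"""Added example: offline detection of open-redirect lookalike login lures.

Inputs below are constructed; the allow-list is an assumption for the demo.
"""
import re
from urllib.parse import urlparse, parse_qs

# Hosts (and their subdomains) that may legitimately serve a login page.
LEGIT_HOSTS = {"twitter.com"}
BRAND = "twitter"
# Lure phrases quoted in the story.
LURES = ("this is me", "this is funny", "look funny", "this you")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def unwrap_redirect(url, max_hops=5):
    """Follow redirect-style query parameters (any value that is itself a URL)
    purely by parsing, so no request is ever sent. Returns the URL chain."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlparse(chain[-1]).query)  # also handles %-encoded values
        nested = [v for vals in params.values() for v in vals
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def is_legit_host(host):
    """True only for an allow-listed host or a real subdomain of one;
    'twitter.com.evil.net' does not qualify because it ends in 'evil.net'."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify_link(url):
    """Return the unwrapped destination and the reasons (if any) it looks bad."""
    chain = unwrap_redirect(url)
    first_host = (urlparse(chain[0]).hostname or "").lower()
    final = chain[-1]
    final_host = (urlparse(final).hostname or "").lower()
    reasons = []
    if len(chain) > 1 and first_host != final_host:
        reasons.append("open redirect to a different host")
    if BRAND in final_host and not is_legit_host(final_host):
        reasons.append("brand lookalike host: " + final_host)
    if urlparse(final).path.rstrip("/").endswith("/login") and not is_legit_host(final_host):
        reasons.append("login page outside the legitimate domain")
    return {"url": url, "final": final, "reasons": reasons}


def assess_message(text):
    """Findings for every suspicious link in a DM or tweet; the lure-phrase
    check only strengthens a finding, it never creates one on its own."""
    lure = any(phrase in text.lower() for phrase in LURES)
    findings = []
    for url in URL_RE.findall(text):
        link = classify_link(url)
        if link["reasons"]:
            if lure:
                link["reasons"].append("lure phrase in message text")
            findings.append(link)
    return findings


# Constructed sample messages modelled on the lures quoted in the story.
SAMPLE_MESSAGES = [
    "lol , this is funny. http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "Meeting notes are up: https://twitter.com/settings/account",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for finding in assess_message(msg):
            print("  ->", finding["final"], "|", "; ".join(finding["reasons"]))
```

Because the unwrapping is done by parsing alone, the check is safe to run inside a mail or DM filter, and it still catches the `rid=` pattern when the inner URL is percent-encoded, since `parse_qs` decodes it.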
You can't have twitter without (Score:5, Insightful)
twits.
Re: (Score:2)
They should have just called it "Douchebagger" so at least some of those twits would've prevented themselves from using it.
Re: (Score:2)
Or this: http://bit.ly/info/dkpAoI [bit.ly]
Re: (Score:2)
lol I copied the wrong URL. Obviously why the counter didn't go up.
Lol (Score:5, Funny)
this is funny.
Re:Lol (Score:5, Informative)
we need to stop coddling stupidity. (Score:3, Insightful)
Seriously, anyone with more than a few functional neurons is not going to type their password into a page they reached by clicking on a link from "LOL this is funny!".
We need to let people like that sink or swim. People end up being as stupid as we let them be. If we expect complete idiocy, we will *get* complete idiocy, and that harms the experience for the rest of us.
I say let these people experience the consequences of their own actions.
Re:we need to stop coddling stupidity. (Score:5, Insightful)
Re: (Score:1, Funny)
You're under the mistaken impression that any of us here on Slashdot have friends. My social network of one person, myself, is quite large enough, thank you.
Re: (Score:2)
Who needs friends when we have computers?
Re: (Score:2)
Re: (Score:1, Redundant)
If one of your less technologically-savvy friends on Facebook happens to fall for this scheme
Ha, your logic is flawed. No one here has friends!
Re:we need to stop coddling stupidity. (Score:5, Insightful)
It isn't that your information is exposed if a friend's account is broken into (if you have stuff on Facebook or similar that you would care about being made public, then you are doing it wrong), it is the fact that a compromised account means the fraudster has eaten their way at least one level into your trust network. This means you have to think that little bit harder about your day-to-day link clicking (assuming some of your contacts are like some of mine and their dribblings are not always easy to distinguish from spam/phishing).
The real problem is more dangerous phishing - that which attempts to gain access to bank details or attempts to convince the user to let some local code install. There is no way we'll ever completely stamp that out, just as there is no practical way of completely stamping out burglary. The only thing we can do is to try to educate the general public (spit) to be a little (or in many cases a lot) less naive. This is unfortunately much easier said than done - some people seem incapable of maintaining a healthy level of cynicism when promised free smilies/cheats/porn or just "lols".
Every now and then I consider starting a small spam/phish campaign that collects data, throws it all away, and gives the user a "why the hell were you stupid enough to do that?!?!" message. Perhaps distributing it as an app that collects Facebook account details and uses them to post a message stating "is stupid enough to give their password to a third party website" before deleting them. The second most significant reason I don't do this (the first being I'm too lazy to bother) is that the idiots caught and made to look daft would see me as the enemy and not learn anything more generally useful (like "if one anonymous site promising free shit can't be trusted with my password/creditcard/wife then maybe others can't either") from the exercise. Maybe banks could do it with their own customer base though - send out a fake phish and lock the accounts of people that fall for it until such time as they phone up and promise to be more careful in future.
Re: (Score:3, Insightful)
If you put your information on facebook then it's already "exposed" to everyone. You'd have to be even dumber than someone who would fall for such a fake login link to think otherwise.
Re: (Score:2)
I've never used it. It's there so nobody can impersonate me on facebook (a big issue, considering the whole online bullying / sui
Re: (Score:2)
I don't necessarily disagree with you when you say 'We need to let people like that sink or swim', but in this world of tightly connected social networks where friendship among individuals governs their level of access to your details, I'm not so sure about that. You're only as secure as your weakest link. If one of your less technologically-savvy friends on Facebook happens to fall for this scheme and gives up his login information to the attackers, then your information is exposed to them, and you're put at risk.
Let this be a lesson that content put on a public network is never private. If you have stuff on Facebook you think is private, you should remove it right now, because Facebook has one of the worst track records for security and privacy breaches, and a demonstrable lack of concern for the privacy of your personal data (e.g. the Beacon fiasco).
What is incredibly important here is for people to realise that sites like Facebook *will never be truly private* and your value to them is precisely in the amount of info
Re:we need to stop coddling stupidity. (Score:5, Funny)
You must remember that when they sink, their bodies sink to the deep to feed the legions of bottom feeders, which in turn grow to monstrous size. Eventually, we get dread 100,000 strong botnet krakens which rise to the surface and drag sites under with all hands lost.
In light of this, I prefer giving these users swim bands as a preventative measure.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
we get dread 100,000 strong botnet krakens which rise to the surface and drag sites under with all hands lost.
Ah, yes. Good ole' Mustakrakish. http://dethklok.wikia.com/wiki/Mustakrakish [wikia.com]
Re: (Score:2)
Interestingly... (Score:5, Interesting)
...I just deliberately sought out this thing so I could see what it looked like - and amazingly, whatever it does, it manages to somehow hide the "Suspected phishing site" page in Google Chrome: it briefly appears, but then the page seems to reload automatically and the warning disappears.
So not only is this a pretty sophisticated clone of Twitter's login, they've somehow managed to force their way past the attack warning too. Any ideas how they've done that?
Re: (Score:2, Insightful)
Re:Interestingly... (Score:4, Informative)
Re:Interestingly... (Score:5, Informative)
Re: (Score:2, Interesting)
Re: (Score:1, Informative)
Came up with the protection without issue here on 5.0.317.2 dev, might just be the older versions that are affected?
OpenDNS (Score:1)
Re: (Score:2)
That same OpenDNS anti-phishing crap prevented me from going to a very prominent and perfectly innocuous German-language cooking website a couple of days ago. Pissed me off to no end because even after replacing the OpenDNS servers, I still got redirected because of some caching or other shenanigans. After some fiddling and restarting things it started working, though. And with DNS redirecting, it's not a matter of hitting a "Yes I'm sure" button; you can't get to the site, full stop.
Thanks but no thanks, I'
Re: (Score:2)
Where the sheeple graze (Score:2)
Re:Where the sheeple graze (Score:4, Insightful)
wolves
Shouldn't that be "wovles?" It would make more sense for "wovles" to prey on "sheeple."
Re:Where the sheeple graze (Score:5, Funny)
Re: (Score:2)
Re: (Score:1)
Yeah! Stupid sheeple - all follow trends mindlessly like the Apple and Linux fanboys.
Or the FLOSS sheep! Yeah, I'm gonna work my ass off and GIVE away all my hard labor! Hey, how come no one notices and makes ME rich?!?
Sheeple, I tell ya.
Re: (Score:1)
Re: (Score:2, Funny)
I asked her what color her panties were and she said "j00z did 9/11!"
Weirdest sex chat I've ever had that didn't involve a robe and wizard hat.
Re: (Score:2)
Britney, is that you?
Re: (Score:2)
And the best way to avoid computer viruses is not to use a computer.
Joshua sez (Score:2)
A strange game. The only winning move is not to play. How about a nice game of chess?
Re: (Score:1)
And how exactly does that steal your password? (Score:2)
Eh?
Re: (Score:1, Interesting)
Well, you're tricked into thinking you're actually logging on to the real Twitter, so when you log in you GIVE them your password, so it's not really like they are stealing it, just receiving it.
Re: (Score:2)
I think if you commit a crime (copyright fraud counts) and use deception in an attempt to obtain something you should not have and do not have a right to have (someone else's login info), and cannot use, that is stealing. If you leave a laptop out in public with a text editor open, and someone types in their password for no
Pretty simple solution... (Score:3, Insightful)
Re: (Score:1, Funny)
Re: (Score:2)
I remember people saying that about the internet, yet here you are, being an old man on it.
Rubbish! (Score:2)
The contribution of the Internet is indisputable. Even when it was the ARPANET its value was trivially obvious.
Twitter, on the other hand, is just trivial. And if it is now a source of germs as well, forget it.
What about URL shortening services? (Score:4, Interesting)
I've always wondered why we don't see more phishing attacks with URL shortening services. Why not just tweet "Hey check out the pictures of my latest vacation at my picasaweb [tinyurl.com] page"? I don't think forcing users to install yet another plugin which checks out the tinyurl link is the answer, as there are more than enough companies that shorten URLs to make this plugin yet another one which has to phone home to get updates...
Global block? (Score:2)
Re: (Score:1)
Welcome to THE FUTURE! (Score:1, Funny)
Twitter and Facebook are the AOL of the 21st century.