http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/ Information security, a little slower...a little deeper Tue, 15 May 2012 11:55:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-7439 This you??? Twitter phishing campaign spreads rapidly « ITSecurity Wed, 24 Feb 2010 21:33:01 +0000 http://praetorianprefect.com/?p=484#comment-7439 <p>[...] followed and trust on some level.  A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign:  lixing688 at [...]</p> [...] followed and trust on some level.  A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign:  lixing688 at [...]

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-7430 The TopOfMemory Security Feed » Blog Archive » This you??? Twitter phishing campaign spreads rapidly Wed, 24 Feb 2010 15:12:48 +0000 http://praetorianprefect.com/?p=484#comment-7430 <p>[...] followed and trust on some level.  A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign:  lixing688 at [...]</p> [...] followed and trust on some level.  A similar “This you” phishing campaign first surfaced last September. The domain name uses the same email address used in the previous campaign:  lixing688 at [...]

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-3306 Praetorian Prefect | “Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick Tue, 01 Dec 2009 05:17:07 +0000 http://praetorianprefect.com/?p=484#comment-3306 <p>[...] Spoofed Twitter login page. But this attack is doing something interesting, it is including a “via @username” before the spam message in some cases. This could represent going to the next level of social engineering by not only having the spam message come from a user account you are linked to, but also claiming essentially to be a retweet (the use of via is used in Twitter messages to attribute a piece of information) of another trusted sources information. Alternatively it could be a method for avoiding the web site display resulting from Twitter’s new handling of the classic method for retweets (RT @Username: message) which many users have objected to. Both domains are hosted on the same IP address, IP geolocation shows this to be hosted in Hebei, China. Both reference the web site contact lixing688@gmail.com which has been seen in earlier Twitter attacks. [...]</p> [...] Spoofed Twitter login page. But this attack is doing something interesting, it is including a “via @username” before the spam message in some cases. This could represent going to the next level of social engineering by not only having the spam message come from a user account you are linked to, but also claiming essentially to be a retweet (the use of via is used in Twitter messages to attribute a piece of information) of another trusted sources information. Alternatively it could be a method for avoiding the web site display resulting from Twitter’s new handling of the classic method for retweets (RT @Username: message) which many users have objected to. Both domains are hosted on the same IP address, IP geolocation shows this to be hosted in Hebei, China. Both reference the web site contact lixing688@gmail.com which has been seen in earlier Twitter attacks. [...]

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-2229 Praetorian Prefect | Not the Haus of Gaga too Tue, 17 Nov 2009 08:22:18 +0000 http://praetorianprefect.com/?p=484#comment-2229 <p>[...] has been slowly closing loop holes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation had been on login that shows up when you enter too many [...]</p> [...] has been slowly closing loop holes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation had been on login that shows up when you enter too many [...]

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-1680 Praetorian Prefect | A twitter “worm’s” brilliant variation Wed, 28 Oct 2009 21:55:07 +0000 http://praetorianprefect.com/?p=484#comment-1680 <p>[...] the rounds this morning, which is actually an expertly crafted variant of the worm we reported back on September 24th. The variant has changed the direct message from “ROFL, this you on here?” to [...]</p> [...] the rounds this morning, which is actually an expertly crafted variant of the worm we reported back on September 24th. The variant has changed the direct message from “ROFL, this you on here?” to [...]

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-1334 Prefect Fri, 25 Sep 2009 21:54:02 +0000 http://praetorianprefect.com/?p=484#comment-1334 <p>Agreed John, thus the comment in the article: "While labeled a worm on Twitter, it is not confirmed thus far that this is a self-replicating program, an important part of the definition of a computer worm, it just appears that way. In order to get some understanding of this, Twitter would have to release some analysis of their logging..."</p> Agreed John, thus the comment in the article: “While labeled a worm on Twitter, it is not confirmed thus far that this is a self-replicating program, an important part of the definition of a computer worm, it just appears that way. In order to get some understanding of this, Twitter would have to release some analysis of their logging…”

]]> http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/comment-page-1/#comment-1331 John Fri, 25 Sep 2009 16:12:06 +0000 http://praetorianprefect.com/?p=484#comment-1331 <p>Is there any evidence that this is a worm at all? From the description of the attack, all the code was server side. Even if completely automated, it would be a stretch to call this a worm since no code was ever executed on a remote system. It just gathered credentials and then re-phished with stolen accounts.</p> Is there any evidence that this is a worm at all? From the description of the attack, all the code was server side. Even if completely automated, it would be a stretch to call this a worm since no code was ever executed on a remote system. It just gathered credentials and then re-phished with stolen accounts.

]]>