A new twitter worm is being reported making the rounds this morning, which is actually an expertly crafted variant of the worm we reported back on September 24th. The variant has changed the direct message from “ROFL, this you on here?” to “hi. this you on here?”. The bad actor in China has also used a new URL, but with the same Twitter login landing page identifiable by its stray HTML brace “>” following the line under ‘Sign in to Twitter’. This important difference in wording should allow for a spate of new captured twitter credentials.
In all seriousness, this attack relies on a successful social engineering ploy: it plays on the victim’s vanity or curiosity about themselves, and the message originates from a trusted source. On Twitter you can only send a direct message to someone who is following you. Put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages. This attack is the Twitter equivalent of e-mail phishing schemes that send mail from someone else’s address book: you at least nominally know the sender already, so you are more likely to open an e-mail from them and act on any instructions it contains. Combine the suggestion that this person you know, or know of, has found something about you on a blog with a familiar-looking login screen, and you end up with a number of compromised Twitter accounts.
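As an added example (not code from the original post), the following Python triages a direct message for the two indicators described above, the lure wording and a link that leaves Twitter, and checks a captured login page for the stray “>” rendered under “Sign in to Twitter”. The lure strings and the phishing host are taken from the post; the sample DM text and HTML are constructed, and the verdict labels are my own.

```python
# Added example (not from the original post): triage a DM for the lure text and
# off-Twitter link described above, and check a captured login page for the stray
# ">" under "Sign in to Twitter". Lure strings and phishing host are from the post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_LURES = ("rofl, this you on here?", "hi. this you on here?")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_twitter_host(url: str) -> bool:
    """True only for twitter.com itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == "twitter.com" or host.endswith(".twitter.com")

def triage_dm(text: str) -> str:
    """Return 'phish', 'suspicious' or 'clean' for one direct message."""
    lure = any(l in text.lower() for l in KNOWN_LURES)
    off_domain = [u for u in URL_RE.findall(text) if not is_twitter_host(u)]
    if lure and off_domain:
        return "phish"        # lure wording plus a link that leaves Twitter
    if lure or off_domain:
        return "suspicious"   # a single indicator: review, do not auto-block
    return "clean"

class _Text(HTMLParser):  # collects the page's visible text chunks in document order
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(data.strip())

def has_stray_brace(html: str) -> bool:
    """True if a bare '>' is rendered as text after the 'Sign in to Twitter' heading."""
    p = _Text()
    p.feed(html)
    p.close()
    after_heading = False
    for chunk in p.chunks:
        if "sign in to twitter" in chunk.lower():
            after_heading = True
        elif after_heading and chunk == ">":
            return True
    return False

# Constructed samples: the DM uses the post's lure and host; the HTML mimics the flaw.
SAMPLE_DM = "hi. this you on here? http://blogger.djhxkcs.com"
SAMPLE_PAGE = "<h2>Sign in to Twitter</h2><hr/>\n>\n<form><input name=u></form>"
```

With these samples, `triage_dm(SAMPLE_DM)` returns `"phish"` and `has_stray_brace(SAMPLE_PAGE)` returns `True`; a message carrying only the lure text, or only an off-Twitter link, is rated `"suspicious"` for review rather than blocked outright.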
In an unusual variant, though, the URL used is less like the actual Twitter URL than in the original attack. Upon entering credentials, you are, as in the previous attack, presented with the ubiquitous fail whale.
This gets even more bizarre in that the fail whale page redirects you to “whatsup” (http://gfsdgdf5845jg.blogspot.com/), the blog of NetMeg99 from Ventura, CA, with a picture of an American Idol contestant. NetMeg99 is a handle of Dawn Lager, apparently a big fan of American Idol contestant Adam Lambert, also from Ventura, CA. Here is her twitter feed as an example: http://twitter.com/NetMeg99. The feed looks legitimate, so we have no idea why the site is redirecting to this blog, which is not reported in the malware site listings we checked.
The URL of the phishing site, http://blogger.djhxkcs.com, is again hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is the internet service of China Telecom (the 3rd biggest mobile telecom provider in China). This links it circumstantially to the previous attack, and therefore to a number of other related attacks as detailed in our previous post.