
Phishing Scam Bursts Twitter's 'Trust' Bubble

No matter how nice your Net neighborhood is, eventually the scum of the earth will move in next door. And so it goes with Twitter.

The Twitterati are all atwitter about a phishing scam that hit over the weekend. The phishing tweets came in the form of direct messages -- essentially private texts only Twitter friends can send and only you can see. Typically the message says something like "Hey, check out this funny blog about you" with a URL attached. The link takes you to a site that looks exactly like the Twitter login page, only the address is twitter.access-logins.com/login/.

If you fall for the trap and log in, they're off to the races with your Twitter name and password.
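The address in that phish shows the standard lookalike trick: the name of the real site appears as a subdomain of an unrelated registered domain, so the page can be cloned pixel for pixel while the host tells the truth. As an added example that is not part of the original article, the Python below checks whether a login URL's host actually belongs to the site it claims to be. The sample URLs are constructed (the access-logins one is modelled on the address quoted above), and the expected domain, the HTTPS requirement and the function names are assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration. The third is modelled on the
# lookalike address quoted in the article; the rest are made up here.
SAMPLE_URLS = [
    "https://twitter.com/login",
    "https://www.twitter.com/login",
    "http://twitter.access-logins.com/login/",
    "http://twitter.com.attacker.example/login",
    "http://twitter.com@attacker.example/login",
    "not a url",
]


def check_login_url(url, expected="twitter.com"):
    """Return (ok, reason) for a URL that claims to be a login page of
    `expected`. Only the host is inspected: page content can be cloned,
    the registrable domain cannot."""
    parts = urlsplit(url)
    # .hostname drops the scheme, any user@ prefix, the port and the path
    # and lowercases the result, so "twitter.com@attacker.example" is
    # correctly seen as "attacker.example".
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")
    if host == expected or host.endswith("." + expected):
        # Right domain; a login form should still travel over HTTPS
        # (assumed policy, not something the article states).
        if parts.scheme != "https":
            return False, "right domain but not HTTPS"
        return True, "host belongs to " + expected
    brand = expected.split(".")[0]
    if brand in host:
        # The brand appears in the host but not as its registrable domain:
        # the classic lookalike, e.g. twitter.access-logins.com
        return False, "lookalike: %r is not under %s" % (host, expected)
    return False, "unrelated host %r" % host


def classify_all(urls=SAMPLE_URLS):
    """Run the check over a list of URLs and map each to its verdict."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in classify_all().items():
        print("OK " if ok else "BAD", url, "-", reason)
```

The point of inspecting only the parsed hostname is that everything else in the URL (scheme, user@ prefix, path, the word "login") is under the attacker's control and is exactly what the lookalike relies on.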

What good are Twitter logins and passwords to your average dirtbag? As with email addresses and spam, the phishing scammers can use your identity to send tweets to your friends in order to drive them to Web sites. (The idea being that you'd trust people you know more than total strangers.) They might collect a few pennies from the site owner for each visitor, or the site could do a drive-by install of malware and absorb your machine into a bot network.

(If you use Internet Explorer and haven't updated lately, now would be a good time -- it's particularly vulnerable to this kind of attack. Microsoft issued an emergency patch to fix it roughly two weeks ago.)

The solution, per the Twitter blog, is simple. Don't log in. And if you suspect that your profile has already been stolen, use Twitter's 'reset password link,' which will send an email to the address on your account so you can conjure up a new password.

A second, unrelated scam demonstrates why evildoers would target Twitter users. As reported by the Threat Chaos blog, someone created at least 16 fake Twitter profiles attached to pictures of pretty women. All lead to the same Web site for a term life insurance broker in Charlotte, North Carolina, which serves up all the various reasons why you need term life insurance, even if you really don't. (Twitter has since nixed these phony accounts.)

As spam declines in effectiveness, scammers seek new ways to reach suckers. Twitter is now it. Next week it will be something else.

But what this means is that Twitter has now officially emerged from its trust bubble. You can no longer innocently follow a link just because some quasi-stranger tweeted it to you; you have to be wary -- which means people will follow fewer and fewer links, making Twitter less and less effective.

But "Twitter phishing scam" is too clumsy a phrase. We need a new portmanteau. Twishing? Twitphishing? Something like that. Because this is far from the last we will see of this scam.

Have you been Twished? Post your thoughts below or email them to me: dan (at) dantynan (dot) com.

Dan Tynan tweets too much (and yet, not enough). When not wrestling with paradoxes he tends his blogs, Culture Crash and Tynan on Tech.
