There is an ongoing phishing attack playing out right now on the Tumblr network and it already has succeeded in stealing the login credentials of several thousand users, according to researchers who have been following the activity. The attack relies on a fake login page and some promises of free adult content, which have proven to be more than enough incentive for thousands of victims to give up their usernames and passwords.
The current phishing attack uses Tumblr accounts that had been compromised previously and are being used as platforms to serve visitors with a fake login page that claims to be a gateway to age-restricted adult content, according to researchers Christopher Boyd and Jovi Umawing of GFI Labs, who have looked into the scam. The hijacked page tells users that they need to enter their Tumblr credentials in order to access the adult content. Once they do so, the cycle begins again, with that user’s page being hijacked.
The attack apparently centers on three specific domains: tumblrlogin dot com, tumblriq dot com and tumblrsecurity dot com, all of which obviously are fakes. The domains are fairly new, having been registered within the last two weeks or so, and are being run from free hosting services, the researchers said.
“If ever a scam page had a name that implied you should do the exact opposite of what it suggested, it would be that one. The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem. One of these sites actually pointed us in the direction of one of the dropzones used for the stolen logins, and the problem does indeed seem to be out of control at this point,” Boyd and Umawing wrote in their analysis of the Tumblr phishing scam.
“The data we saw contained 8,200 lines of text stretched across 304 pages of Microsoft Word, and even accounting for the inevitable duplicates and fake data that’s still quite the goldmine of pilfered login credentials.”
Tumblr is a blogging platform that combines some of the elements of traditional blogging and the follow-me, follow-you ethic of Twitter. It’s used often by media sites and others interested in sharing images, comics and other kinds of content.
The three fake domains used in the phishing scam are being blocked by Firefox right now as reported forgeries. Boyd and Umawing notified Tumblr of the attack and the details of what is going on, and it seems that the company already is aware of the situation. Tumblr has a boilerplate email response that’s being sent to users who email its support team about phishing issues. The email warns users never to enter their credentials on any site other than the main Tumblr page and to change their passwords immediately if they think they’ve been compromised.
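The rule in that advice, that credentials belong only on the genuine Tumblr site, can be run as a check over proxy or DNS logs to spot brand lookalikes such as the three domains above. This is an added example, not code from the article or from GFI Labs; treating tumblr.com as the only genuine domain, the function names and the sample requests are assumptions, and the sample list is constructed.

```python
from urllib.parse import urlsplit

BRAND = "tumblr"
LEGIT_DOMAIN = "tumblr.com"  # assumption: the only domain treated as genuine

def refang(text):
    """Turn the article's defanged 'name dot com' form back into a hostname."""
    return text.replace(" dot ", ".")

def classify_login_url(url):
    """Return 'legit', 'lookalike' or 'unrelated' for the host a URL really reaches."""
    parts = urlsplit(url if "://" in url else "//" + url)
    # .hostname drops userinfo and port, so "tumblr.com@host" is judged by "host"
    host = (parts.hostname or "").rstrip(".").lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    # Brand text anywhere else in the authority (host or userinfo) is a lookalike:
    # covers tumblrlogin.com, tumblr.com.<other domain> and tumblr.com@<other domain>
    if BRAND in parts.netloc.lower().replace("-", ""):
        return "lookalike"
    return "unrelated"

def flag_lookalikes(requests):
    """Return the requests whose host imitates the brand without belonging to it."""
    return [r for r in requests if classify_login_url(refang(r)) == "lookalike"]

# Constructed sample of requested URLs; the three domains named in the article
# are kept in defanged form, the ".example" hosts are placeholders.
SAMPLE_REQUESTS = [
    "https://www.tumblr.com/login",
    "http://tumblrlogin dot com/",
    "http://tumblriq dot com/",
    "http://tumblrsecurity dot com/",
    "http://tumblr.com.signin dot example/",
    "http://www.tumblr.com@signin dot example/",
    "https://news dot example/story",
]

if __name__ == "__main__":
    for request in flag_lookalikes(SAMPLE_REQUESTS):
        print("lookalike:", request)
```

The check is a substring match on the brand, so it does not cover homoglyph or misspelled variants that omit the exact string.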
Credentials for a site such as Tumblr might not seem to have much value to attackers, but because so many people re-use login credentials on multiple sites, compromising one set can often lead to the ability to own other accounts belonging to the victim. Simple phishing attacks on email services and on Twitter have yielded big returns for attackers in the past.