A wave of spammy direct messages on Twitter contains URLs leading to what appears to be a Twitter login page but is actually a phishing site trying to pilfer user login credentials.
The ploy from the attackers in this campaign is a familiar one: “hey, someone is spreading nasty rumors about you [insert URL here].”
Kaspersky Lab expert David Jacoby received two such messages, the second identical to the first in every way except that the someone in question was spreading ‘terrible rumors’ instead of ‘nasty rumors.’
Jacoby believes the two messages come from the same attacker or group of attackers, not only because of the similar wording, but also because both attacks led to fake Twitter logins with similarly constructed domain names.
If an unwitting user does happen to enter their Twitter username and password, they will be briefly redirected to a 404-type error page before they are routed back to the actual Twitter login page.
Jacoby claims that the attackers are likely using the stolen credentials to find more victims.
Similar attackers are targeting users on Facebook, as well. Whether the two campaigns are related remains unknown.
While methodologically similar, in the end, this attack is actually quite different from another direct message attack campaign we reported on in September. The attack from September linked to a site hosting a backdoor trojan while the newer one attempts to skim Twitter username-password combinations outright.