Twitter Gains Upper Hand on Latest Scam

29.06.2009

Sometimes, it seems scams are becoming almost as common as on . The latest one, unleashed Monday morning and initially noticed by tech blog , centers on a fake blog hosted at the domain twittersblogs.com. Tweets containing links to the site circulated rapidly, each featuring the message: "omg!! is it true what they wrote about you in their twit blog?"

Inside the Twitter Scam

Clicking on the twittersblogs.com link takes you to a page designed to look exactly like the real Twitter login page -- except, of course, it isn't. Entering your username and password simply puts your access information into the hands of the hackers, allowing them to login to your Twitter account and use it as they wish.

In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.

Testing the Twitter Waters

As of this publication, Twitter has yet to mention the scam on its or . When I tested the twittersblogs site using a dummy account, however, the phishing tweet did not get sent (despite my having submitted the account's username and password).

What's more, the last tweet to contain the original message was sent several hours ago, suggesting that the Twitter team may have since blocked the site's efforts. Still, only the scam's spread has been stopped -- as of now, the links are still scattered throughout the Twitter network. Anyone belatedly clicking them and entering their information would still be compromising their account's security, even if the message isn't being actively retweeted.

The domain twittersblogs.com, for what it's worth, is registered to a "Matt Smith" in New York City, according to DNS records. Neither the phone number nor the address listed appears to be valid. The URL, it's also worth noting, is already being recognized by Google Chrome as a "suspected phishing site."

Fighting the Phishing

Twitter's dealt with plenty of times in the past. It's not alone, either: and are common targets of these tactics, too.

The good news, though, is that is simple: Be wary of where you click, and use extreme caution when giving out your password. If you don't see "twitter.com" in your browser's location bar, odds are, you aren't on the actual Twitter page. Surf back manually to twitter.com before divulging any of your details -- and, in doing so, keep your profile from falling into the wrong hands.

(See also: )

Connect with on Twitter () or via his Web site, .