By Jennifer LeClaire / Top Tech News. Updated January 05, 2009.
Twitter, the popular microblogging site, has become the latest target of phishers. The company is warning its members to be careful of messages that redirect them to spoofed Twitter sites in an attempt to steal their user names and passwords.
"This particular scam sent out e-mails resembling those you might receive from Twitter if you get e-mail notifications of your Direct Messages. The e-mail says something like, 'hey! check out this funny blog about you ...' and provides a link," the company said.
Twitter went on to explain that the link redirects users to a site masquerading as the Twitter front page. Twitter advised its members to look closely at the URL field to see if it has another domain besides Twitter, but looks exactly like the microblogging home page. That, the company said, indicates a fraud.
If You Get Twicked
E-mail, cell phones, Facebook and now Twitter all have something in common: They are being used by fraudsters for phishing attacks, observed Marian Merritt, Symantec's Internet safety advocate.
"The scam messages, just like the phishing e-mails and Facebook phishing attacks, seem to come from someone you know and appear to be personal," Merritt wrote in the Norton blog.
For members who have clicked the link and given up their Twitter password to the phishers, the company said it is possible for the phisher to send out direct messages on your behalf that could trick your followers. In those cases, Twitter said users should proactively reset the passwords of their accounts.
"If you find yourself unable to log in to your account with your user name and password, please use the reset password link to regain access. This will send an e-mail to the address associated with your account, and you'll be able to create a new password," the company advised.
Will the Real Twitter Please Stand Up?
Ken Dunham, director of global response for iSight Partners, said the phishers targeting Twitter have launched a straightforward attack -- but one that is hard to discern for many users.
"These attacks are designed to look like the real thing," Dunham said. "This looks very similar to the original Twitter. Someone who may not be a member but has heard of Twitter, or even someone who is a member, wouldn't necessarily think it's that suspicious."
User names and passwords are valuable to phishers, who use them to gain access to their victim's online banking sites or e-mail. Phishers can hijack an e-mail account and send out spam, Dunham said, or they could use it to get into online gaming accounts.
"People typically have one user name and password for many different accounts. It's human nature," Dunham explained. "The average person just wants to use their computer. They don't want to have to be an Internet security expert to log onto Twitter or anything else."
Dunham predicts it will become increasingly difficult for people to know whether Web sites they intend to visit are legitimate or spoofs. Phishing was one of the first 21st century threats to mature -- and it preys on consumers who can't tell what's legitimate and what's not.
"Even as an expert, it's sometimes difficult to tell the difference," Dunham said. "Many people don't pay attention to the domain name. If they get there and it looks right, they figure it must be the right place."