Twitter "LOL is it you?" spam/phishing attack - what to do if you are affected.

Twitter is facing another round of phishing attacks, this time again in the well-known "lol is it you" format.

This spreads virally, only through infected accounts. Once a person is tricked into clicking a link received as a direct message, he is presented with a fake Twitter login page. The person enters his Twitter username and password, and the malware then sends out similar direct messages to the infected person's followers.

I got one such DM yesterday from one of my friends. When another DM came from the guy today, I told him that most probably his account had been compromised. He did what's the right thing to do: change his password. Right now this malware is not known to change the password.

A sample DM received from an infected account:

"Lol. this you?? http://easyhair.net/?rid=http://twitter.verify.bzpharma.net/login"

Don't click on the link.

The affected accounts are now also being used to send direct spam links like:

"free get bigger and have sex longer, go here http://bedfordhealth.com/?rid=http://callbling.com"
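Both quoted messages share one URL shape: a first-hop domain with a `rid=` query parameter that carries a second, full URL, and in the credential-stealing case that second URL lives on a host containing "twitter" that is not twitter.com. The following small checker is an added example, not from the original post or from Twitter; the sample DMs are constructed after the two quoted above plus one benign message, and the rule set is my own assumption about what is worth flagging.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample DMs, modelled on the two messages quoted in the post,
# plus one benign message for comparison.
SAMPLE_DMS = [
    "Lol. this you?? http://easyhair.net/?rid=http://twitter.verify.bzpharma.net/login",
    "free get bigger and have sex longer, go here http://bedfordhealth.com/?rid=http://callbling.com",
    "new blog post is up, log in to reply: https://twitter.com/login",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LEGIT_TWITTER_HOSTS = {"twitter.com", "www.twitter.com"}
# Higher index = worse verdict.
SEVERITY = ["ok", "redirect-spam", "phishing-lookalike"]


def is_twitter_lookalike(host: str) -> bool:
    """True for hosts that mention 'twitter' but are not Twitter's own domain,
    e.g. twitter.verify.bzpharma.net (assumed heuristic, not Twitter's)."""
    host = host.lower()
    return "twitter" in host and host not in LEGIT_TWITTER_HOSTS


def embedded_urls(url: str) -> list:
    """Return full URLs smuggled inside query-string values (the rid= pattern)."""
    query = parse_qs(urlsplit(url).query)
    return [v for values in query.values() for v in values
            if v.lower().startswith(("http://", "https://"))]


def classify_url(url: str) -> str:
    outer_host = urlsplit(url).hostname or ""
    inner = embedded_urls(url)
    hosts = [outer_host] + [urlsplit(u).hostname or "" for u in inner]
    if any(is_twitter_lookalike(h) for h in hosts):
        return "phishing-lookalike"   # the credential-harvesting case
    if inner:
        return "redirect-spam"        # bounce through a redirect, no login lure
    return "ok"


def classify_dm(text: str) -> str:
    """Worst verdict across every URL found in the message text."""
    verdicts = [classify_url(u) for u in URL_RE.findall(text)]
    return max(verdicts, key=SEVERITY.index, default="ok")


if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        print(f"{classify_dm(dm):<19} {dm}")
```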

What to do if you've entered your Twitter password on such a site?

So what to do if your Twitter account is sending out such direct messages?

Immediately log in to https://twitter.com/login and change your password. Do not click on any link to get to the Twitter site. That's why I've not linked the Twitter URL above. Type it yourself in the address bar:

https://twitter.com/login

After logging in, click on Settings in the top right-hand corner.
In the settings page, go to the Password tab (second from left) and change your password.

What to do if you receive such DMs from someone you follow?

You can tweet @yourfriendname telling him you are getting DMs from his account. That way the rest of your followers will also come to know that a particular account is infected.

Example of a tweet you can send @yourFriend:

@friend ur account is hacked/infected. getting dm s from ur acc. plz check/change ur passwd.

The fact that the second DM doesn't ask for your Twitter username and password suggests that this attack is being used simply for spamming purposes, at least for the time being.

This attack doesn't misuse any Twitter vulnerability but rather the social vulnerability that even Google can't avoid: phishing.

Most browsers now warn you when you click on such links. You are presented with a screen like this in Firefox:

Opera goes a step further and shows a fraud-site message in the address bar even if you proceed to the site.

However, one point where Opera falls short of Firefox is that once I click on "proceed" in Opera, it saves that choice in its preferences and doesn't show the warning again, whereas Firefox shows the warning every time you click on the link, even though you have already agreed to visit the malicious site. I think Firefox's way is better than Opera's, for two reasons:

  • Even if I've agreed to proceed to a malicious site once, it should still warn me. There could be an explicit "don't ever show me this warning for this site" checkbox, but until then Firefox's way is better.
  • In cases where people share computers or sessions in the same browser, the second user will never get to see the warning page in Opera. Even though the fraud warning is there in the address bar, he might still miss it.

You can read more about the Twitter attack in this article on Mashable, from where I partly picked up the heading.

PS: I picked up the original picture used right at the beginning from sitebuildertips.com.

Written on February 22, 2010