Reports: Phishing attack hits Twitter


Osiris (Golden Master, 36,817 messages, Location: Kentucky) wrote:
If you're on Twitter, it may be a good idea to change your password this morning.
The site appears to have been hit by a phishing attack that could be used to steal a user's sensitive log-in information, according to reports on news sites and blogs.
Twitter has not commented on this incident; but, in a January blog post, site co-founder Biz Stone noted that some Web sites may be trying to masquerade as Twitter.com in an attempt to steal users' password information.
He encouraged Twitter fans to change their passwords on Twitter.com, and noted that they should be careful to check the site's URL to be sure they hadn't been led to a fake Web site that simply looks like it's Twitter:
"If you receive a direct message or a direct message e-mail notification that redirects to what looks like Twitter.com -- don't sign in. Look closely at the URL because it could be a scam," he said.
One common scam URL, the post notes, looks like this:
http://twitter.access-logins.com/login [Do not visit this link]
If you are directed to that fake site instead of http://twitter.com, Stone says not to enter your password. Look at the address bar in your Web browser to tell for sure.
The scope of the most recent phishing attack was unclear Tuesday morning. Bloggers, some of whom have posted photos of their correspondence with Twitter about the scheme, report that fake e-mails and direct messages on Twitter are being passed around to point people to phishing sites.
Online scammers increasingly are targeting social networks since they generally don't have the same kind of security protections in place as e-mail accounts, said Graham Cluley, a senior technology consultant at Sophos, a security company.
"This is the next generation of attacks, really," he said.
Cluley's company released a report on Monday saying that reported phishing schemes on social networks -- those that lure users to fake Web sites to steal their log-in information -- have increased in recent months. Nearly a third of 500 companies surveyed by Sophos reported to have been the victim of a phishing attack via a social network at the end of 2009, which was up from 21 percent that reported an attack in April of last year.
The goal of a phishing scheme is to lure a person to give away his or her password information, and then use that information to get sensitive info from a person's social network, he said.
Social networks allow phishing schemes to spread rapidly, Cluley said, because some people have very large online social networks, and because many people let third-party sites access their Twitter and Facebook accounts to offer additional services.
"There are Web sites out there that can offer you additional Twitter services," he said. "For example they may offer statistics about how often you're tweeting ... they may try to generate new followers for you. The service needs to somehow be able to log-in on your behalf to be able to do some of these things."
Those sites are dangerous, and Cluley said social networkers should not enter their password and user-name information on such sites. Only use third-party services that allow you to log in directly through the social networking hub, like Twitter.com, he said.
The site twitpic.com, for instance, requires users to give away their log-in information in order to share photos on Twitter, he said. A similar site called yfrog.com does not. It lets users log in through Twitter's main site.
CNET writer Rafe Needleman says it is safest for the Twitterati to log in to Twitter.com directly to change their passwords, instead of using third-party software like TweetDeck or twhirl.
"And to play it safe, double-check your browser address bar to make sure that's where you are," he writes.
The social media blog Mashable offers more safety tips:
"If you get a Twitter direct message today reading: 'check out this funny blog about you,' we advise you don't. The link leads to a fake Twitter login page that attempts to steal your Twitter login. Particularly susceptible to this attack are Twitter users who get their DMs [direct messages] delivered by email: it's perfectly natural to be prompted to log in after clicking through from your e-mail account."
And, rather ironically, that site says the phishing scheme could be a good thing for Twitter, since it means the site has enough users that it's economical for schemers to attack.
TechCrunch, another blog, says some people susceptible to attack may get an e-mail from Twitter with this statement:
"Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser: [PASSWORD RESET LINK]."
The site says such e-mails are legitimate and that users should go to Twitter.com to reset their passwords.


Reports: Phishing attack hits Twitter - CNN.com