Don't fall for the "lol wat r you doing n this video" or the "heh u didnt see them tapping u" phishing scam on Twitter

I recently received two Twitter direct messages from new followers. They were obviously phishing attacks that happened as a result of the followers account being hacked. The messages were “lol wat r you doing n this video” and “heh u didnt see them tapping u” and contained links back to app on Facebook. What ever you do don’t click on the link in that direct message and don’t enter your Twitter credentials into the app that it redirects to on Facebook.com.

The link in the phishing attack redirects to this app on Facebook, which prompts you for your Twitter credentials.The page looks legit enough, but the first sign of a phishing attack is when they ask you for your credentials for another site. Facebook will never ask you for your Twitter credentials or any other site credentials for that matter. For those interested, Facebook uses OATH 2.0 for authentication and authorization, not embedded login pages.

(The Facebook.com page that the phishing attack redirects to)

Once the app has your credentials it hacks into your Twitter account and sends the same direct message that you got to all your followers. I’m not sure what else it does, but from that point on it has your Twitter credentials (until you change your password). Because many people use the same password for multiple sites it will probably get your email address and try to hack into your email as well.

Another hint that it is an attack is that the Facebook app doesn’t have an official name as you can see in the browser title bar. The title bar shows 12426907 on Facebook. “12426907” is the name of the App. That means that the person who created the app just used the default name or dumped some numbers in there to further obfuscate the attack.

The links on the apps pages post to this URL: http://wow.lmaotweetdeck.info/tmb/spu.php# which returns a 404 if you hit it directly and you get a dummy page if you load lmoatweetdeck.info. The WHOIS record for lmaotweetdeck.info belongs to a guy in Miami, FL, not a corporation. Another sign that the direct message is a phishing attack. Twitter’s API does allow you to make requests on behalf of users, but I personally would never enter my credentials for any site other than the originating site or a site I am 100% confident that it is legit.

Jon

Share