Hundreds of Twitter accounts were hijacked this past weekend by a new cyber attack apparently aimed at twenty-something men.
The lure was a tweet encouraging users to chat with a 23-year-old woman with a Web cam: “Hey! 23/Female. Come chat with me on my Web cam thingy here.” The tweet included a link to a Web site unconnected with Twitter.
But clicking on the link took unsuspecting Twitter users to a phishing site, as Rik Ferguson reported in his Trend Micro security blog…
Obviously we recommend against clicking on this link; it leads to a porn Web cam portal which looks to have been designed with credit card harvesting in mind. Affected users should change their password to a secure one as soon as possible (see today’s earlier blog entry for advice).
…
It is unclear how the mass compromise occurred, although with Twitterers’ willingness to enter their Twitter username and password into any number of third-party Web sites offering Twitter-related services, the opportunities for cybercrime are many.
Twitter got the problem under control in about two hours, reporting in their own blog that some 750 users had been affected and warning users to observe good password protection habits…
As a general reminder, keep in mind that strong passwords can help prevent hijacked accounts. Twitter offers a password strength indicator to help you choose a strong password when you sign up. If you want to change your password now you can do that here. Also, avoid sharing your password with folks or services you don’t feel you can trust.
…Which is good advice for anyone who belongs to any social networking community.
Evolving Squid
Simple rule: Don’t talk to women with webcams that you don’t know.
Follow that rule, and so many phishing and other scams are instantly thwarted, irrespective of how lame your password might be.
Eric Jacksch
Part of the problem is that Twitter users love third-party apps. Instead of a secure access API like other sites, you have to give the app (web or local software) your Twitter userid and password. So, if you set up what looks like a really cool new web app and ask people for their Twitter username and password, you’ll get at least some.