Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.
"We've seen a few phishing attempts today; if you've received a strange (direct message), and it takes you to a Twitter log-in page, don't do it!" the Twitter spam warning says.
The direct messages say: "hi. this you on here? http://blogger.djh****.com," Sophos reports in a blog post. The full URL is obscured to prevent people from unwittingly visiting the phishing site.
Clicking on the link takes a user to a page that looks like a legitimate Twitter log-in page. When the user types in the username and password, a fake version of Twitter's "over capacity" message is displayed, with the image of the notorious "fail whale" held aloft by birds.
"When I visited the page, I was then slingshot to another Web page on Blogspot.com, claiming to belong to a blogger called NetMeg99," Sophos researcher Graham Cluley wrote. "It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Web page did also try to phish for credentials at one point."
If you have been duped by this phishing ruse, Sophos suggests that you immediately change your password at Twitter and any other sites where you used the same log-in credentials.