
Twitter phishing scam may be spreading

Beware this bogus direct message: "Hey! check out this funny blog about you..."

Rafe Needleman Former Editor at Large

There's a scam spreading through Twitter. Direct messages (DMs) are showing up in Twitter accounts with appealing come-ons to visit a site on blogspot.com. The text is, "hey! check out this funny blog about you..." The URL in the message then redirects to a page that looks like the Twitter login page, but is actually not on Twitter--it's a site, twitter.access-logins.com, that masquerades as Twitter to steal your login credentials instead.

If you need to log in to Twitter, do it on Twitter.com itself. And to play it safe, double-check your browser address bar to make sure that's where you are.
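The address-bar check above can also be done in code before a login link is followed. The sketch below is an added example, not part of the original article: `classifyLoginUrl`, `TRUSTED_LOGIN_DOMAINS` and `BRAND_LABELS` are hypothetical names, and every sample URL other than the `twitter.access-logins.com` host named in the article is constructed.

```javascript
// Added example: decide whether a link really points at Twitter's own domain.
// All names here are hypothetical; only twitter.access-logins.com is from the article.
const TRUSTED_LOGIN_DOMAINS = ["twitter.com"];
const BRAND_LABELS = ["twitter"];

function classifyLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { verdict: "invalid", host: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "invalid", host: null };
  }
  // URL lowercases the hostname and splits off any userinfo, so
  // "https://twitter.com@other.example/" yields the host "other.example".
  const host = url.hostname.replace(/\.$/, "");
  // Trusted only if the host IS the domain or ends with "." + domain.
  // A plain substring or prefix test would accept twitter.access-logins.com.
  const trusted = TRUSTED_LOGIN_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (trusted) return { verdict: "trusted", host };
  // Brand name appearing as a label of an unrelated domain: the pattern in this scam.
  const lookalike = host
    .split(".")
    .some((label) => BRAND_LABELS.some((b) => label.includes(b)));
  return { verdict: lookalike ? "lookalike" : "untrusted", host };
}

// Constructed sample links (the second host is the one reported in the article).
const SAMPLES = [
  "https://twitter.com/login",
  "http://twitter.access-logins.com/login",
  "http://twitter.com.access-logins.com/",
  "https://twitter.com@access-logins.com/",
  "http://example.blogspot.com/funny-blog",
];
for (const link of SAMPLES) {
  const { verdict, host } = classifyLoginUrl(link);
  console.log(`${verdict.padEnd(10)} ${host}  <-  ${link}`);
}
```

The suffix comparison is the important part: a host counts as Twitter only when `twitter.com` is the rightmost part of the name, wherever else the word "twitter" appears.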

The phishing site in question also appears to support the theft of Facebook IDs.

I have not received this bogus Twitter message, but the Twittersphere is abuzz over this scam.

This is not Twitter.

Read more on the Twitter Status blog, Chris Pirillo's blog, VentureBeat, or Mashable. Related: Koobface virus hits Facebook

Update: If you are logged in to the real Twitter.com, you'll now see an update about this scam on the page. No warning appears if you use another Twitter client, like Twhirl.

Update 2: The effect of getting taken in by this scam seems to be that affected accounts send messages to their followers with the original phishing message. To date, no other effect of falling victim to the scam has been reported. However, since many people use the same user ID and password for multiple online services, it's possible that credentials collected from this scam could be used to log in to other services, including financial sites.

As Twitter recommends on its blog: "If this has you feeling a bit weirded out, feel free to change your Twitter password."