Twitter Phishing Attack

Since last week, we have been tracking, analyzing and reporting a phishing attack on Twitter users. It shows how many Twitter accounts have been hijacked and turned into spam vehicles for cyber criminals. Yet the attack, initially, has nothing to do with Twitter: it begins with an email that merely claims to come from Twitter.

CAUTION is encouraged when receiving any email that claims to be from Twitter, Facebook or the Apple iTunes store. The threat is real, and documented.

(Image: clipped listing of Twitter phishing attack spam subject lines)

Above you can see the SUBJECT lines of recent samples we have tracked. This is a clipped list; the expanded list is available here if you like. As you can see, we have been receiving two to four of these per day.

Earlier in April we reported on a cyber crime barrage against Apple's App Store. This attack is very similar. Of the domains we have tracked, the majority lead back to two sources in Florida, USA, through domains registered at GoDaddy. Some were registered at foreign registrars, and a few at rogue registrars, but most of the IP addresses and hosting lead a sordid trail back to Florida.

Let me preface this with the fact that most of the domains are registered in forged or hijacked names that do not actually exist, so the actual criminal could be located anywhere in the world. We just don't know. The SpamCop reports on the 'sender' of the email list a different sender at a different IP address for each spam, so we know the criminal is using a sophisticated network of "senders" for the spam. We discount those immediately. The one reliable piece of forensic evidence is the IP address of the machine the target phishing or malware page is actually hosted on.

Here’s how it works – and what to do

When you receive an email that 'claims' to be from Twitter (or Facebook or other trusted online entities), HOVER, do not click. Hover the mouse over the link in the email, then look at the status line at the bottom of the browser window, which shows the link's real destination rather than the text you were shown. (If you don't see the status line, turn it on in your browser's 'View' menu.)

(Image: in a Twitter or Facebook email, LOOK for the actual destination of the link)

If the destination is anything other than http://www.twitter.com/, or it strings extra subdomains in front of some other domain, like http://twitter.com.speedealonline.com/ (don't click), then you know it is a cyber crime attack. In that example the site you would actually reach is speedealonline.com; "twitter.com" is just a subdomain label the criminal chose. Delete the email, and always REPORT it to KnujOn and FORWARD the spam to lawenforcement at twitter.com. They need to know about this attack. Better yet, learn how to report it to SpamCop. That adds the source to SpamCop's block list and gets it blocked by the major internet hosts.
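The hover-and-look rule above can be applied mechanically. The following Python script is an added example, not code from the original column: it pulls every link out of an HTML email body, compares the real href with the domain the message claims to represent, and flags the three tricks this attack relies on (the brand name used as a subdomain of some other domain, a "twitter.com@" login prefix in front of the real host, and a bare IP address). It assumes a simplified registrable-domain rule (the last two labels of the host name) rather than the Public Suffix List, and the sample email body is constructed for the demonstration; the speedealonline.com link is the one cited in the column.

```python
"""Mechanical version of the "hover, then look" rule for a suspicious email.

Added example; not code from the original column. The only part of a URL that
decides whose server you reach is the registrable domain of the host, so
http://twitter.com.speedealonline.com/ belongs to speedealonline.com, not Twitter.

Assumption: the registrable domain is the last two labels of the host name.
A production check should use the Public Suffix List (for names like .co.uk).
"""
import ipaddress
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def registrable_domain(host: str) -> Optional[str]:
    """Return the last two labels of a host name, or None for an IP or junk."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None            # a bare IP address has no domain at all
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def link_verdict(href: str, expected: str) -> Tuple[bool, str]:
    """Decide whether href really goes to `expected` (e.g. 'twitter.com')."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    host = parts.hostname      # already stripped of userinfo, port and case
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # http://twitter.com@203.0.113.9/ : the part before '@' is a login name,
        # the real host is what follows it
        return False, "text before '@' hides the real host %r" % host
    domain = registrable_domain(host)
    if domain is None:
        return False, "host %r is an IP address or malformed" % host
    if domain != expected:
        if expected in host:   # heuristic: brand name reused as a subdomain label
            return False, "%r is only a subdomain label of %r" % (expected, domain)
        return False, "destination is %r, not %r" % (domain, expected)
    return True, "destination %r matches" % domain


class _LinkCollector(HTMLParser):
    """Pull (href, visible text) pairs out of an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(html: str, expected: str) -> List[Tuple[str, str, bool, str]]:
    """Return (visible text, href, safe?, reason) for every link in the email."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) + link_verdict(href, expected)
            for href, text in collector.links]


# Constructed sample email body; the second link is the one cited in the column.
SAMPLE_EMAIL = """
<p>Your Twitter account has unread messages.</p>
<a href="https://www.twitter.com/">Go to Twitter</a>
<a href="http://twitter.com.speedealonline.com/">http://twitter.com/</a>
<a href="http://twitter.com@203.0.113.9/login">Reset your password</a>
<a href="http://203.0.113.9/twitter/">Twitter Support</a>
"""

if __name__ == "__main__":
    for text, href, safe, reason in audit_email(SAMPLE_EMAIL, "twitter.com"):
        print("%-4s %-24s -> %s (%s)" % ("OK" if safe else "BAD", text, href, reason))
```

Note the second sample link: its visible text is http://twitter.com/ while its href goes to speedealonline.com, which is exactly the mismatch that hovering reveals and that reading the blue text never will.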

(Image: another version, this one from Mexico, yet leading back to Florida)

Above, you see the cyber criminal registered at GoDaddy but hosted at an IP in Florida. Most of the phishing attacks follow this trend, although a few are located elsewhere. At right is an example where the cyber criminals registered at the registrar NIC Mexico, in Mexico. We did not track the name of the registrant, because such names are usually forged, and besides, as I have written in other columns, ICANN puts you in a nonproductive loop when "reporting" bogus WhoIs registrations (even though they ask you to report them). Notice, however, that the target of the spam does in fact lead to hosting located in Florida.

Throughout last week we placed several calls and emails to Vortech Inc. in Florida, since they host most of the attack sites; however, there have been no responses to our voice mail messages or emails. We have also reported each and every instance to SpamCop, and they are listed in the block list. We received confirmations that both the admin and abuse contacts at Vortech, Inc. (VTCI) in Sanford, FL had been alerted to the threat. Here we are on Thursday, over a week later, and Vortech has taken no action.

DO NOT CLICK. ALWAYS LOOK BEFORE YOU CLICK. And if the link is unfamiliar, DO NOT CLICK. This is your first defense against the cyber crime community's relentless campaign to extract your online accounts, passwords, and eventually your identity. Losses due to the broader issue of identity theft totaled $54 billion in 2009, up from $45 billion in 2008, according to estimates by Javelin Strategy and Research.

It goes without saying that the criminals will do literally anything for financial gain. Eventually, they will ruin the web for everyone else.

Be aware. Be vigilant. Be informed. DO NOT CLICK unless you are SURE!

Thanks for reading…

Fred Showker
Editor / Publisher: InfoManager