Phishing Scam Spreading on Twitter

A few minutes ago, I received a direct message from one of my twitter followers:

hey! check out this funny blog about you… jannawalitax . blogspot . com

And there’s another one:

Hey, i found a website with your pic on it… LOL check it out here twitterblog . access-logins . com / login

DO NOT VISIT the URL in question. It will redirect you immediately to a suspicious domain: twitter . access-logins . com – notice the subdomain? Worse yet, here’s what you’d see there right now:

Grabup Image

This is NOT the Twitter login page, and it smells completely phishy! Suggestion: do NOT log in to your Twitter account through any site other than This may go without saying, but consider how many third-party Twitter services you use? Seems it’s about time for some kind of verification / validation for applications using the Twitter API – so you can be sure you’re passing your credentials to the right people. I’m guessing this particular phishing scam is not using the API (but there’s no way for a user to properly verify).

This phishing domain appears to be registered in China, and I’m about to report ’em to OpenDNS (via

Organization : zhang xiaohu
Name : zhang xiaohu
Address : changningzhonghuainanlu192hao
City : changning
Province/State : Hunan
Country : CN
Postal Code : 421500

Please, tell your followers to NOT VISIT or LOGIN THROUGH that site! Watch out for these direct messages. If you did happen to visit one of the offending URLs, you should be safe so long as you didn’t try to log into your Twitter account there.

84 thoughts on “Phishing Scam Spreading on Twitter”

  1. so, how did you mange to find out that the scam was in china and wouldn’t windows users have some sort of phishing filter???

  2. Everyone reading this should visit this site in Firefox, and then click Help > Report Web Forgery. Soon the phishing block list will be updated so unsuspecting users will be warned of the danger.

  3. @SchmotGuy, in this case the phishers use the Twitter API to pass the login credentials along to the real The user ends up logged on to their legitimate Twitter account, but the phisher/middle-man copies username & password in the process. The victim’s only clue is the fake URL shown in Perillo’s screenshot (above).

  4. Thanks for the info πŸ™‚

    Best way to avoid these kind of situation is to not ‘follow’ everyone! Its just pointless as there is no way you can ‘really follow’ every single one of them..It just causes an information overload and makes this ‘useful service’ not so useful anymore..

    If you are not following that person, he shouldn’t be able to send you a DM….Right? So if you follow people carefully, you can actually control how much ‘spam’ you get.

    Following everyone is like away your home address to everyone you meet so that they can send you Junk.

    If someone has anything important to say to you, they should be able to send you a Public Msg – e.g. @username hay I need to talk to you.

    And then you can probably DM him your Email or just follow him for exchanging DMs.

  5. Thanks so much for alerting us, and for responding to my questions on behalf of friends who clicked on the link.

    *blows kisses*

    Lots of love to you,


  6. It now leads to a Facebook mock up. Odd change…

    1Password still prevents you from giving your information, and I would suggest that people start using Password Managers to avoid crap like this

  7. I completely agree with the comment by @Hans. I use 1password every day and it will catch things like this if you use the service. It is great for generating and storing your strong passwords and will let you know if you are visiting a site that is not the ligit log in site for I would also suggest that users change their default DNS server setting to OpenDNS. OpenDNS will also let you block phishing, and other material that you do now want on your local machine or entire network.

  8. You’d have to be a dumbass to click that link, a link to Blogspot, and then not notice you’ve been sent to Twitter. There’s no logical correlation between clicking a blogspot post, one that’s not even shortened even, and going to the Twitter homepage. This isn’t a big deal.

  9. Here’s the question of the day. Who thinks it’s a good idea to log in everywhere with your twitter credentials? This is kind of like facebook connect, no? In this case they’re faking that you’re on the Twitter site, so this does not really apply, but it amazes me how trusting the Twittersphere is.

  10. nmap says its doing lots of things

    21/tcp open ftp Muddleftpd
    22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
    25/tcp open smtp Postfix smtpd
    53/tcp open domain ISC BIND 9.2.4
    80/tcp open http Apache httpd 1.3.33 ((Unix) Resin/2.1.14 mod_throttle/3.1.2)
    110/tcp open pop3 Courier pop3d
    135/tcp filtered msrpc
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    593/tcp filtered http-rpc-epmap
    3306/tcp open mysql MySQL (unauthorized)
    4444/tcp filtered krb524
    OS guesses: Linux 2.6.9 – 2.6.11

  11. @Ray I get that. But why is that Twitter’s fault? It’s a man-in-the-middle attack, nothing in particular about Twitter’s API being the problem per se. This is the downside of an open system. I’d rather have the open system.

  12. just added your story to tech and biz section with a link back here. Thanks for the heads up

  13. API has nothing to do with it… Even it does in fact use the API to do this (how do you know? Is it done via ajax right in the page?), there is NOTHING to stop them from just logging in the same way users do normally and returning information via screen-scraping or putting it in an iframe, etc. The fact is that if you have any sort of public-facing interface to a service it is vulnerable to this type of attack. Banks don’t have a twitter-style API, but they get phishing scams like this targeted at them, too. Inform, report, implement optional white/blacklists, etc., but don’t mistakenly blame the API!

  14. I’ve tweeted about this and it also inspired a blog post on my opinions on 3rd party apps and how they should be open source, so everybody wins! πŸ™‚

  15. Sounds rather like the “fanebook” scam that I encountered last summer. I went to their site knowing all along that it was a fake just to see what was there. I put in all kinds of fake stuff in the fields instead of my real info. Usernames like F***YOU and passwords like eatsh**anddie, you get the idea. It probably didn’t slow them down for a moment, but it was satisfying to stick it to them in a small way.

  16. My advice (not only for this situation): do not click anything unless it’s coming from someone you personally know, or better yet, unless you’re expecting a link from someone you personally know. In doubt, double-check with the sender if the link is safe to click. This is only if you know the sender personally.

    In the latest instances with Twitter, people are doing precisely the opposite – clicking links sent to them by complete strangers. Easy phishing prey.

  17. I went to the link, typed some bogus stuff, and got redirected to my already authenticated twitter account. Feel free to flood them with bogus info, their domain has no access to your cookies.

  18. Yeah, it’s the same thing that has been hitting people on Facebook. It’s 2009, and users will click on anything. Still.

  19. Twitter has lots of spam who still uses it seriosuly?

    I don’t use it anymore – I frequent a Porn forum and some spammers got my twitter information and started pouding me with messages and follow requests asking me to buy some sort of sick twitsted products.

  20. Thank you for saying this aloud. Recently, i get more tweet from unknow twitter accounts. I wonder if there is any way to filter those out (some of those accounts are already suspended). But at the same time, i do not wish Twitter to become the monitoring dog for every tweets

  21. A different Twitter scam? I have started getting email that (some random computer-generated name) is following me–when I click through to that “person’s” Twitter page they are following not even one Twitter person other than Betsythedevine, e.g. Awww, I feel so special. But wtf is that about?

  22. Chris; thanks for the warning, but its unfortunate that the message appears as a DM – a “secured message: so to speak. The link could also be disguised within a tinyurl (or similar) link hiding the destination completely.

    I think its wise not to type in passwords whenever you’re presented with a login screen; as you’ve shown. Always verify the site you are connecting with – if it looks suspicious close it, if in doubt contact the person that sent you the DM.

  23. I am a victim of the phishing DM’s and they are now using my twitter name. I unfortunately logged-in to the phishing and now they sending out DM’s from β€˜me’. I have sent out two messages to my contacts and sent back responses to those that have contacted me NOT LOGIN. I have also changed my password. I just want you to know I’m not doing it!

    It’s easy to get caught. I received an email and wasn’t logged into Twitter at the time. It seemed okay to login. I am so, so sorry now.

  24. Maybe I missed an update on this problem being fixed recently by Twitter… but considering I just got a DM with the phishing URL, I think it hasn’t been taken care of.

    All twitter needs to do is to add a line of code on the DM form page that checks for blacklisted words, urls, etc. in the message.

    For example, if the message trying to be sent includes “” either:

    A. Don’t send the message at all and alert the user that the message contained malicious content.


    B. Send the message but strip the string and replace it with “malicious content removed.”

    *They can also continue to add blacklisted words and urls to this filter over time.

  25. I have just received my first spammy Twitter DM from *someone I know*! Apparently, the situation is more complex than I thought. Stay alert, folks!! Refrain from clicking on *any* DM links (even if the message came from a trusted contact/follower). Double-check with the sender first.

  26. Pingback: Got Hacked?
  27. I often check out DNS records to see where phishing attacks and spam are coming from. Been doing this for at least 10 years now. China is behind most of it and send phishing emails daily. (I get hundreds per day)

    Nothing is ever done to stop them and I doubt authorities here can or will do anything about it because as you know just about every product we use in North America comes from China. (smallwares)

    The solutions are really fairly simple but that would mean ICAAN would have to take action and we all know that will never happen! These scammers and spammers are all buying their domains from an ICAAN approved outfit. You and anyone else can easily trace domains back to a Chinese acredited register of domains. ICAAN has had thousands and thousands of complaints about this register but does not act.

  28. looks like the domain has been taken down. Bye bye baby. The amount of phishing websites coming live everyday is no doubtly increasing but my question is that is it really worth it hacking into someones twitter account? its not like u are hacking into someones bank account.

Comments are closed.