This post concerns Twitter, but even if you don't use it, the exact same method is used for banking scams, so have a read and keep yourself safe online.
Most people who have used Twitter will have experienced the direct message phishing scam. It's not new, it's been around for years, and yet almost every day I have people sending me these on as a result of falling foul of the scam.
Firstly, don't worry if you've been affected. All you have to do is change your password. It's not a nasty virus; it's just a way of taking control of your account so the scam can self-replicate. In fact I went through the scam for the purpose of obtaining screenshots, that's how harmless it is providing you don't give it your details.
Here's how it works. You'll receive a direct message like the following:
Yep, that's right, there's a picture of you on the internetz. Someone has written a blog about you. Someone is writing nasty Facebook comments about you. There's a video of you on YouTube, OMG you need to see this... You get the idea.
Click the link and you'll end up seeing the following page:
Weird, huh? You clicked on a link to what should have been an external site and now all of a sudden Twitter has logged you out. But if you look closely at the address bar you'll realise that the website is not Twitter at all.
It's something that looks like it says Twitter, and let's be honest, most of us don't really check the address bar, and even if we did, at first glance your mind may well trick you. So we now know that we are on another website that has been made to look like Twitter. They have even given it a similar address.
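The "look closely at the address bar" advice above is the whole defence, so here is that check written down as code. This is an added example, not part of the original post: it assumes the genuine service lives at twitter.com (the `EXPECTED_HOST` constant) and uses constructed sample URLs (the `SAMPLE_URLS` list) to show the difference between a real host, a subdomain of it, and the kinds of addresses that merely *contain* the word twitter.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: the real login page is served from this host (or a subdomain of it).
EXPECTED_HOST = "twitter.com"


def check_login_url(url: str, expected: str = EXPECTED_HOST) -> Tuple[bool, str]:
    """Classify a login-page URL as genuine or suspicious.

    Returns (is_genuine, verdict). Only the actual host the browser connects to
    is trusted; a host that merely contains the expected name is a lookalike.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparsable"
    if parts.scheme.lower() != "https":
        # A real login form is served over HTTPS; plain http or no scheme is a red flag.
        return False, "no-https"
    if parts.username is not None:
        # In https://twitter.com@evil.example/ everything before '@' is user info;
        # the browser actually connects to evil.example.
        return False, "userinfo"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "unparsable"
    if not host.isascii():
        # Non-ASCII letters can imitate Latin ones; treat any such host as suspect.
        return False, "non-ascii-host"
    if host == expected or host.endswith("." + expected):
        return True, "genuine"
    if expected.split(".")[0] in host:
        # e.g. twitter.com.login-check.example: the real domain is the last two labels.
        return False, "lookalike"
    return False, "other-host"


def triage(urls) -> Dict[str, str]:
    """Map each URL to its verdict string, for a quick batch report."""
    return {u: check_login_url(u)[1] for u in urls}


# Constructed sample addresses (not taken from any real scam message).
SAMPLE_URLS = [
    "https://twitter.com/login",
    "https://api.twitter.com/1.1/",
    "https://twitter.com.login-check.example/",
    "https://twitter.com@evil.example/",
    "http://twitter.com/login",
    "https://evil.example/twitter.com/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:15} {url}")
```

The rule worth remembering from this is the `host.endswith("." + expected)` line: the part of the address that matters is the end of the host name, not whether the familiar name appears anywhere in it.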
Enter something into the username and password fields, anything other than your actual username and password! Hit enter (or click sign in) and the following page will load:
So now we're on a 404 page. It doesn't matter what you enter for your username and password, you will always end up on this page. The page has an automatic redirect script built into it, and when it reloads it will take you back to Twitter.
When they do this for banking you'll enter your details again, except this time you'll log in fine and you'll probably just think you made a mistake the first time. With the Twitter scam you'll probably already be logged back in (because you were never really logged out), so you may twig or you may not.
So now you know. If you ever get one of those direct messages then either ignore it or better still, tweet the person who sent you the dodgy link and tell them to change their password.