Sunday, October 16, 2011

Twitter Phish

This morning I checked my Gmail Spam folder and found this message:

I looked at the headers:
Received: by with SMTP id ks1cs22539qcb;
        Sat, 15 Oct 2011 19:36:09 -0700 (PDT)
Received: by with SMTP id a4mr27500607pbf.80.1318732568273;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id d6si11731607pbw.115.2011.;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-
Authentication-Results:; spf=pass ( domain of designates as
permitted sender); dkim=pass
X-DKIM: Sendmail DKIM Filter v2.8.2 B70E36BD917C
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;; s=dkim;
 t=1318732567;; bh=ZjBfBfxqWvFuogB4SWW35pMhpNI=;
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 B70E36BD917C
DomainKey-Signature: a=rsa-sha1; s=default;; c=simple; q=dns;
Date: Sun, 16 Oct 2011 02:36:07 +0000
From: Twitter <>
Message-Id: <>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4e9a4317b62d5_c33bf72229882316e
X-Twitterimpressionid: am-18336062913187325677065615
List-Unsubscribe: <
Errors-To: Twitter <>
Bounces-To: Twitter <>

I checked my Twitter Messages and found this:

I did a Google Search and found this post:

Has hereandnow's Twitter account been hacked?
Yes, it was.
It's all explained here:!/hereandnow

It's the Twitter account for:
(a show that features Robin Young, a crush from the days when I lived in Massachusetts ;))

The link in the fake Twitter message forwards the intended victim to the phishing website:

The domain is actually

It's hosted in China:

inetnum: -
netname:      CHINANET-YN
descr:        CHINANET yunnan province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CH93-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-YN
changed: 20010711
changed: 20081210
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:   < send complaints here
address:      No.31 ,jingrong street,beijing  
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed: 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

Here is another page on the phishing site:

The source code of that page includes this:
<link rel="icon" href=""/>

A Google search leads here:

This is scary:

Oh! what a tangled web we weave
When first we practise to deceive!
Sir Walter Scott

NEVER use instant payment services like Western Union or MoneyGram to buy items on the internet

