Sunday, October 16, 2011

Twitter Phish

This morning I checked my Gmail Spam folder and found this message:

I looked at the headers:
Delivered-To: netscammers@gmail.com
Received: by 10.229.238.129 with SMTP id ks1cs22539qcb;
        Sat, 15 Oct 2011 19:36:09 -0700 (PDT)
Received: by 10.68.22.36 with SMTP id a4mr27500607pbf.80.1318732568273;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Return-Path: <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Received: from ham-cannon.twitter.com (ham-cannon.twitter.com. [199.59.148.230])
        by mx.google.com with ESMTP id d6si11731607pbw.115.2011.10.15.19.36.07;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) client-ip=199.59.148.230;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) smtp.mail=dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com; dkim=pass header.i=@twitter.com
X-DKIM: Sendmail DKIM Filter v2.8.2 1878413861.twitter.com B70E36BD917C
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;
 t=1318732567; i=@twitter.com; bh=ZjBfBfxqWvFuogB4SWW35pMhpNI=;
 h=Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:
  List-Unsubscribe;
 b=GhGE6cQMtQ7VKz4fohFHla0ZGu2Ccgi52jMuWtKFFL2oTQbasDvcLxlJx1GvAwLGE
  kl9ljvVSUOEnpGB5XyEEaFOWc6M+I1M9Y+jUdyKqA9RIOiQBPI/plUdcE/ssiOYn40
  7RJkh5w/rspsBWCm/uIlCaKz/187kEEzMnElFF3Q=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 1878413861.twitter.com B70E36BD917C
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
 h=date:from:reply-to:to:subject:mime-version:content-type:
 x-twitterimpressionid:list-unsubscribe:errors-to:bounces-to;
 b=CgnLv25e1JGid3p2T4V5dnwHQD1ZUAU3MG1AwnE/EVuk+BfQOvAL9sOyHvwozEXYg
 yN8nX0i71SMR+vH8IzngA==
Date: Sun, 16 Oct 2011 02:36:07 +0000
From: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: netscammers@gmail.com
Message-Id: <4e9a4317b5c17_c33bf7222988230f0@1878413861.twitter.com.tmail>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4e9a4317b62d5_c33bf72229882316e
X-Twitterimpressionid: am-18336062913187325677065615
List-Unsubscribe: <http://twitter.com/account/unsubscribe?code=zrFWuehpt16C4oYGorPJ2o3pLQeesC8t&iid=am-18336062913187325677065615&nid=22+list-unsubscribe&t=dm&uid=111657563&utm_content=optout>
Errors-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Bounces-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>

I checked my Twitter Messages and found this:

I did a Google Search and found this post:
http://www.gmanews.tv/story/235570/technology/new-twitter-phishing-attack-poses-as-reputation-alert

So:
Has hereandnow's Twitter account been hacked?
Yes, it was.
It's all explained here:
http://twitter.com/#!/hereandnow

It's the Twitter account for:
http://hereandnow.wbur.org/
(a show that features Robin Young, a crush from the days when I lived in Massachusetts ;))

The link in the fake Twitter message forwards the intended victim to the phishing website:
http://twittelr.com/verify/session/login/


The domain is actually twittelr.com, a lookalike of twitter.com with an extra "l".
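As an added example (not from the original post), here is a small Python script that does the two checks this message calls for: read the receiver's SPF/DKIM verdicts and the sender domain from the headers, then flag any link in the body whose domain is a near-miss of twitter.com. The sample message is constructed from the headers above, condensed, with a one-line body carrying the phishing link; the trusted-domain name and the two-character distance threshold are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (assumption): the authentication and From headers seen
# above, condensed, plus a one-line body carrying the lookalike link.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com; spf=pass (google.com: domain of \
dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates \
199.59.148.230 as permitted sender) \
smtp.mail=dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com; \
dkim=pass header.i=@twitter.com
From: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Content-Type: text/plain

Reputation alert - verify your account: http://twittelr.com/verify/session/login/
"""

def registrable(host):
    """Crude registrable domain: last two labels (enough for .com hosts)."""
    return ".".join(host.lower().split(".")[-2:])

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the receiver's Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_links(body, trusted, max_dist=2):
    """URLs whose registrable domain is close to, but not equal to, `trusted`."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        dom = registrable(urlparse(url).hostname or "")
        if dom != trusted and edit_distance(dom, trusted) <= max_dist:
            hits.append(url)
    return hits

def analyze(raw, trusted="twitter.com"):
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = registrable(parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # SPF and DKIM passing for the trusted domain only proves the mail came from
    # there; it says nothing about who wrote the DM relayed inside it.
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass" and sender == trusted
    return {"auth": auth, "sender_domain": sender, "authenticated": authenticated,
            "lookalikes": lookalike_links(body, trusted)}
```

Run on the sample it reports an authenticated twitter.com sender together with a lookalike link, which is exactly the "legitimate notification, compromised account" pattern of this phish.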


http://whois.domaintools.com/twittelr.com

It's hosted in China:

inetnum:      220.163.0.0 - 220.165.255.255
netname:      CHINANET-YN
descr:        CHINANET yunnan province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CH93-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-YN
changed:      hostmaster@ns.chinanet.cn.net 20010711
status:       ALLOCATED NON-PORTABLE
changed:      hm-changed@apnic.net 20081210
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net   < send complaints here
address:      No.31 ,jingrong street,beijing  
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

Here is another page on the phishing site twittelr.com :
http://twittelr.com/status/error/

The source code of that page includes this:
<link rel="icon" href="http://26.media.tumblr.com/avatar_be75a538ccae_16.gif"/>

A Google search leads here:
http://site-connect.net/info/mokelov.tumblr.com


This is scary:
https://safeweb.norton.com/report/show?name=twittelr.com



Oh! what a tangled web we weave
When first we practise to deceive!
Sir Walter Scott

NEVER use instant payment services like Western Union or MoneyGram to buy items on the internet
