Sunday, October 16, 2011

Twitter Phish

This morning I checked my Gmail Spam folder and found this message:

I looked at the headers:
Delivered-To: netscammers@gmail.com
Received: by 10.229.238.129 with SMTP id ks1cs22539qcb;
        Sat, 15 Oct 2011 19:36:09 -0700 (PDT)
Received: by 10.68.22.36 with SMTP id a4mr27500607pbf.80.1318732568273;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Return-Path: <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Received: from ham-cannon.twitter.com (ham-cannon.twitter.com. [199.59.148.230])
        by mx.google.com with ESMTP id d6si11731607pbw.115.2011.10.15.19.36.07;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) client-ip=199.59.148.230;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) smtp.mail=dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com; dkim=pass header.i=@twitter.com
X-DKIM: Sendmail DKIM Filter v2.8.2 1878413861.twitter.com B70E36BD917C
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;
 t=1318732567; i=@twitter.com; bh=ZjBfBfxqWvFuogB4SWW35pMhpNI=;
 h=Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:
  List-Unsubscribe;
 b=GhGE6cQMtQ7VKz4fohFHla0ZGu2Ccgi52jMuWtKFFL2oTQbasDvcLxlJx1GvAwLGE
  kl9ljvVSUOEnpGB5XyEEaFOWc6M+I1M9Y+jUdyKqA9RIOiQBPI/plUdcE/ssiOYn40
  7RJkh5w/rspsBWCm/uIlCaKz/187kEEzMnElFF3Q=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 1878413861.twitter.com B70E36BD917C
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
 h=date:from:reply-to:to:subject:mime-version:content-type:
 x-twitterimpressionid:list-unsubscribe:errors-to:bounces-to;
 b=CgnLv25e1JGid3p2T4V5dnwHQD1ZUAU3MG1AwnE/EVuk+BfQOvAL9sOyHvwozEXYg
 yN8nX0i71SMR+vH8IzngA==
Date: Sun, 16 Oct 2011 02:36:07 +0000
From: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: netscammers@gmail.com
Message-Id: <4e9a4317b5c17_c33bf7222988230f0@1878413861.twitter.com.tmail>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4e9a4317b62d5_c33bf72229882316e
X-Twitterimpressionid: am-18336062913187325677065615
List-Unsubscribe: <http://twitter.com/account/unsubscribe?code=zrFWuehpt16C4oYGorPJ2o3pLQeesC8t&iid=am-18336062913187325677065615&nid=22+list-unsubscribe&t=dm&uid=111657563&utm_content=optout>
Errors-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Bounces-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>

I checked my Twitter Messages and found this:

I did a Google Search and found this post:
http://www.gmanews.tv/story/235570/technology/new-twitter-phishing-attack-poses-as-reputation-alert

So:
Has hereandnow's Twitter account been hacked?
Yes, it was.
It's all explained here:
http://twitter.com/#!/hereandnow

It's the Twitter account for:
http://hereandnow.wbur.org/
(a show that features Robin Young, a crush from the days when I lived in Massachusetts ;))

The link in the fake Twitter message forwards the intended victim to the phishing website:
http://twittelr.com/verify/session/login/


The domain is actually twittelr.com
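The pattern worth catching here is that the mail itself is authentic (SPF and DKIM pass, because Twitter really sent the DM notification) while the link inside it points at a lookalike domain. As an added defender's example, not code from the original post: parse the message, read the Authentication-Results verdicts, and flag any linked domain within a small edit distance of a protected brand. The message body below is constructed, since the DM text is not reproduced on the page, and the sender address is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample (not the original DM): the headers the post shows,
# plus a body carrying the lookalike link reported on the page.
RAW = """\
Authentication-Results: mx.google.com; spf=pass (google.com: domain of dm@postmaster.twitter.com designates 199.59.148.230 as permitted sender) smtp.mail=dm@postmaster.twitter.com; dkim=pass header.i=@twitter.com
From: Twitter <dm@postmaster.twitter.com>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Content-Type: text/plain

Your reputation is being discussed: http://twittelr.com/verify/session/login/
"""
BRANDS = {"twitter.com"}  # domains we protect against lookalikes

def levenshtein(a, b):
    """Edit distance; 'twittelr.com' is one insertion away from 'twitter.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_results(msg):
    """Pull the spf=/dkim= verdicts out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim)=(\w+)", hdr)}

def link_domains(text):
    return {m.group(1).lower() for m in re.finditer(r"https?://([A-Za-z0-9.-]+)", text)}

def lookalikes(domains, brands=BRANDS, max_dist=2):
    """Map each linked domain to the brand it imitates; real subdomains are fine."""
    hits = {}
    for d in domains:
        for b in brands:
            if d != b and not d.endswith("." + b) and levenshtein(d, b) <= max_dist:
                hits[d] = b
    return hits

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    auth, hits = auth_results(msg), lookalikes(link_domains(body))
    authentic = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    # Authentic sender plus a lookalike link is the compromised-account pattern from the post.
    verdict = "compromised-account-phish" if authentic and hits else ("lookalike-link" if hits else "clean")
    return {"auth": auth, "lookalikes": hits, "verdict": verdict}
```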


http://whois.domaintools.com/twittelr.com

It's hosted in China:

inetnum:      220.163.0.0 - 220.165.255.255
netname:      CHINANET-YN
descr:        CHINANET yunnan province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CH93-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-YN
changed:      hostmaster@ns.chinanet.cn.net 20010711
status:       ALLOCATED NON-PORTABLE
changed:      hm-changed@apnic.net 20081210
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net   < send complaints here
address:      No.31 ,jingrong street,beijing  
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

Here is another page on the phishing site twittelr.com:
http://twittelr.com/status/error/

The source code of that page includes this:
<link rel="icon" href="http://26.media.tumblr.com/avatar_be75a538ccae_16.gif"/>

A Google search leads here:
http://site-connect.net/info/mokelov.tumblr.com


This is scary:
https://safeweb.norton.com/report/show?name=twittelr.com



"Oh! what a tangled web we weave, When first we practise to deceive!" (Sir Walter Scott)
