This morning I checked my Gmail Spam folder and found this message:
I looked at the headers:

Delivered-To: netscammers@gmail.com
Received: by 10.229.238.129 with SMTP id ks1cs22539qcb; Sat, 15 Oct 2011 19:36:09 -0700 (PDT)
Received: by 10.68.22.36 with SMTP id a4mr27500607pbf.80.1318732568273; Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Return-Path: <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Received: from ham-cannon.twitter.com (ham-cannon.twitter.com. [199.59.148.230]) by mx.google.com with ESMTP id d6si11731607pbw.115.2011.10.15.19.36.07; Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) client-ip=199.59.148.230;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com designates 199.59.148.230 as permitted sender) smtp.mail=dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com; dkim=pass header.i=@twitter.com
X-DKIM: Sendmail DKIM Filter v2.8.2 1878413861.twitter.com B70E36BD917C
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim; t=1318732567; i=@twitter.com; bh=ZjBfBfxqWvFuogB4SWW35pMhpNI=;
    h=Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:List-Unsubscribe;
    b=GhGE6cQMtQ7VKz4fohFHla0ZGu2Ccgi52jMuWtKFFL2oTQbasDvcLxlJx1GvAwLGE
    kl9ljvVSUOEnpGB5XyEEaFOWc6M+I1M9Y+jUdyKqA9RIOiQBPI/plUdcE/ssiOYn40
    7RJkh5w/rspsBWCm/uIlCaKz/187kEEzMnElFF3Q=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 1878413861.twitter.com B70E36BD917C
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
    h=date:from:reply-to:to:subject:mime-version:content-type:x-twitterimpressionid:list-unsubscribe:errors-to:bounces-to;
    b=CgnLv25e1JGid3p2T4V5dnwHQD1ZUAU3MG1AwnE/EVuk+BfQOvAL9sOyHvwozEXYg
    yN8nX0i71SMR+vH8IzngA==
Date: Sun, 16 Oct 2011 02:36:07 +0000
From: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: netscammers@gmail.com
Message-Id: <4e9a4317b5c17_c33bf7222988230f0@1878413861.twitter.com.tmail>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4e9a4317b62d5_c33bf72229882316e
X-Twitterimpressionid: am-18336062913187325677065615
List-Unsubscribe: <http://twitter.com/account/unsubscribe?code=zrFWuehpt16C4oYGorPJ2o3pLQeesC8t&iid=am-18336062913187325677065615&nid=22+list-unsubscribe&t=dm&uid=111657563&utm_content=optout>
Errors-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
Bounces-To: Twitter <dm-argfpnzzref=tznvy.pbz-86322@postmaster.twitter.com>
I checked my Twitter Messages and found this:
I did a Google Search and found this post:
http://www.gmanews.tv/story/235570/technology/new-twitter-phishing-attack-poses-as-reputation-alert
So:
Has hereandnow's Twitter account been hacked?
Yes, it has.
It's all explained here:
http://twitter.com/#!/hereandnow
It's the Twitter account for:
http://hereandnow.wbur.org/
(a show that features Robin Young, a crush from the days when I lived in Massachusetts ;))
The link in the fake Twitter message forwards the intended victim to the phishing website:
http://twittelr.com/verify/session/login/
The domain is actually twittelr.com (note the extra "l"), not twitter.com.
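The tell is the domain: twittelr.com is one character away from twitter.com. The Python below is an added example, not code from the original post, that pulls the registrable domain out of a link and flags near-misses against a list of trusted domains using plain edit distance. The URLs it checks are the ones quoted in this post; the two-label domain extraction is a deliberate simplification that ignores public suffixes such as co.uk, and the function names are my own.

```python
from urllib.parse import urlparse

# Domains the recipient legitimately expects mail to link to (assumed list).
TRUSTED_DOMAINS = ["twitter.com"]


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(url):
    """Last two labels of the host. Simplification: no public-suffix list, so
    'example.co.uk' would come back as 'co.uk'."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, link_domain, matched_trusted_domain).
    'lookalike' means the domain is within max_distance edits of a trusted one
    but is not that domain, which is the typosquat pattern seen here."""
    dom = registered_domain(url)
    if dom in trusted:
        return ("trusted", dom, dom)
    best = min(trusted, key=lambda t: levenshtein(dom, t))
    dist = levenshtein(dom, best)
    if 0 < dist <= max_distance:
        return ("lookalike", dom, best)
    return ("unrelated", dom, None)


# Constructed input: the links that appear in this post.
SAMPLE_LINKS = [
    "http://twittelr.com/verify/session/login/",
    "http://twitter.com/account/unsubscribe?code=zrFWuehpt16C4oYGorPJ2o3pLQeesC8t",
    "http://hereandnow.wbur.org/",
]


def scan(links=SAMPLE_LINKS):
    return [classify_link(u) for u in links]


if __name__ == "__main__":
    for verdict in scan():
        print(verdict)
```

A distance threshold of 2 catches single-character insertions, swaps and the common "rn" for "m" substitutions; raising it trades more false positives on short domains for coverage of longer edits.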
http://whois.domaintools.com/twittelr.com
It's hosted in China:

inetnum: 220.163.0.0 - 220.165.255.255
netname: CHINANET-YN
descr: CHINANET yunnan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CH93-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-YN
changed: hostmaster@ns.chinanet.cn.net 20010711
status: ALLOCATED NON-PORTABLE
changed: hm-changed@apnic.net 20081210
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net   <-- send complaints here
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
Here is another page on the phishing site twittelr.com:
http://twittelr.com/status/error/
The source code of that page includes this:
<link rel="icon" href="http://26.media.tumblr.com/avatar_be75a538ccae_16.gif"/>
A Google search leads here:
http://site-connect.net/info/mokelov.tumblr.com
This is scary:
https://safeweb.norton.com/report/show?name=twittelr.com
Oh! what a tangled web we weave
When first we practise to deceive!
(Sir Walter Scott)

NEVER use instant payment services like Western Union or MoneyGram to buy items on the internet.