Sunday, October 16, 2011

Twitter Phish

This morning I checked my Gmail Spam folder and found this message:

I looked at the headers:
Received: by with SMTP id ks1cs22539qcb;
        Sat, 15 Oct 2011 19:36:09 -0700 (PDT)
Received: by with SMTP id a4mr27500607pbf.80.1318732568273;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id d6si11731607pbw.115.2011.;
        Sat, 15 Oct 2011 19:36:08 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender) client-
Authentication-Results:; spf=pass ( domain of designates as
permitted sender); dkim=pass
X-DKIM: Sendmail DKIM Filter v2.8.2 B70E36BD917C
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;; s=dkim;
 t=1318732567;; bh=ZjBfBfxqWvFuogB4SWW35pMhpNI=;
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 B70E36BD917C
DomainKey-Signature: a=rsa-sha1; s=default;; c=simple; q=dns;
Date: Sun, 16 Oct 2011 02:36:07 +0000
From: Twitter <>
Message-Id: <>
Subject: Here & Now (@hereandnow) has sent you a direct message on Twitter!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_4e9a4317b62d5_c33bf72229882316e
X-Twitterimpressionid: am-18336062913187325677065615
List-Unsubscribe: <
Errors-To: Twitter <>
Bounces-To: Twitter <>
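
The spf=pass and dkim=pass results above authenticate the sending domain only; they say nothing about where links in the body lead. The following Python is an added example, not part of the original post: it parses an Authentication-Results header and lists body links whose host lies outside a trusted domain. The header, body, domains and function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample input (not from the original post); all domains are placeholders.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net; spf=pass (example.net: domain of "
    "bounce@notify.example.com designates 192.0.2.10 as permitted sender) "
    "smtp.mail=bounce@notify.example.com; dkim=pass header.i=@notify.example.com"
)
SAMPLE_BODY = (
    "You have a new direct message: check this out http://login.example.org/session\n"
    "Reply at https://www.example.com/messages\n"
)

def parse_auth_results(header):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass'} from an Authentication-Results header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^)]*\)", " ", value)   # drop parenthesised comments
    results = {}
    for clause in value.split(";")[1:]:        # first clause is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned match)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def suspicious_links(body, trusted_domain):
    """Return link hosts in the body that fall outside trusted_domain."""
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not host_in_domain(host, trusted_domain):
            flagged.append(host)
    return flagged

def triage(header, body, trusted_domain):
    """Combine both checks: a message can be authenticated and still carry off-domain links."""
    auth = parse_auth_results(header)
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    return {"authenticated": authenticated,
            "off_domain_links": suspicious_links(body, trusted_domain)}

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_BODY, "example.com"))
```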

I checked my Twitter Messages and found this:

I did a Google Search and found this post:

Has hereandnow's Twitter account been hacked?
Yes, it was.
It's all explained here:!/hereandnow

It's the Twitter account for:
(a show that features Robin Young, a crush from the days when I lived in Massachusetts ;))

The link in the fake Twitter message forwards the intended victim to the phishing website:

The domain is actually

It's hosted in China:

inetnum: -
netname:      CHINANET-YN
descr:        CHINANET yunnan province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CH93-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-YN
changed: 20010711
changed: 20081210
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:   < send complaints here
address:      No.31 ,jingrong street,beijing  
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed: 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

Here is another page on the phishing site:

The source code of that page includes this:
<link rel="icon" href=""/>

A Google search leads here:

This is scary:
