Thursday, February 25, 2010

Phishing Attempt

I thought I was careful enough to stay away from phishing websites. I was wrong.

My GMail inbox had one Twitter notification, a direct message from one of my medical school classmates. I had to check it out so I clicked on the link, which brought up my Twitter Direct Messages page (I had told Twitter to "Remember Me").

[Screenshot of the Twitter direct message]

I clicked on the link and it brought me to (THIS IS A PHISHING SITE - DO NOT LOGIN WITH YOUR TWITTER LOGIN!) http://twitter.login.kevanshome.org/login/ . It looks like the familiar Twitter login screen, before a redesign. I obviously wasn't paying attention to that website when they rolled out the update. I didn't care because it was always set to be logged in on my home computer anyway so there was no chance to see the new Twitter login page.

I said to myself, "What the hell?! My Twitter session logged out. Better log in again to see what the fuss is about."

I know, it was sheer stupidity on my part knowing that the URL was not twitter.com. I was relying on Chrome's anti-phishing alert feature to inform me always. So I logged in.
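The trick in that URL is that the brand name sits in a subdomain ("twitter.login.") of a domain the brand does not own (kevanshome.org); the browser bar shows "twitter" first, but the registrant of kevanshome.org controls the page. The check below is an added example written for this post, not code from the post or from Twitter or Chrome: it extracts the registrable domain of a login URL and flags the "brand in a subdomain of an unrelated domain" pattern. The trusted-domain allow-list and the tiny suffix table are assumptions for the example (a real tool would use the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumption: the domains this user actually logs in to (an allow-list, not a blocklist)
TRUSTED_LOGIN_DOMAINS = {"twitter.com"}

# Assumption: a minimal stand-in for the Public Suffix List, enough for this example
KNOWN_SUFFIXES = {"com", "org", "net", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that a registrant controls.

    'twitter.login.kevanshome.org' -> 'kevanshome.org'
    'twitter.com'                  -> 'twitter.com'
    Uses KNOWN_SUFFIXES above rather than the full Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longer suffix first so 'co.uk' wins over 'uk'
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def classify_login_url(url: str) -> dict:
    """Classify a login URL by who controls the host, not by what its labels say."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    trusted = reg in TRUSTED_LOGIN_DOMAINS

    # The pattern from the post: a trusted brand's name appears only as a
    # subdomain label in front of an unrelated registrable domain.
    prefix_labels = host[: len(host) - len(reg)].split(".") if host != reg else []
    brand_labels = {t.split(".")[0] for t in TRUSTED_LOGIN_DOMAINS}
    brand_in_subdomain = (not trusted) and any(
        label in brand_labels for label in prefix_labels
    )

    return {
        "hostname": host,
        "registrable_domain": reg,
        "trusted": trusted,
        "brand_in_subdomain": brand_in_subdomain,
    }


if __name__ == "__main__":
    # The URL from the post (a phishing site; do not log in there)
    for u in ("http://twitter.login.kevanshome.org/login/", "https://twitter.com/login"):
        print(classify_login_url(u))
```

Run it on the phishing URL from the post and the result shows registrable_domain "kevanshome.org", trusted False and brand_in_subdomain True; the real login page shows "twitter.com" and trusted True. The point is that the only field worth reading in the address bar is the registrable domain, and an allow-list of the sites you actually use is a far better safety net than expecting the browser's phishing blocklist to already know about a site registered a few months earlier.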

It took me 30 seconds and a weird post-login screen to realize that I'd been had.

It took me an hour to change passwords on all the sites where I have a significant web presence. The Anatomy Of The Twitter Attack outlines how personal accounts of Twitter execs were hacked to obtain confidential information with the same elementary methods. Although I have been using a different password for some sites, someone can just use the Forgot Password process and a compromised account to get access.

I sent a direct message through Twitter to my classmate that her message pointed me to a phishing site. It wasn't her fault, surely - it can happen to anyone.

I also reported the site using the reporting tool built into Chrome.

The Whois information about kevanshome.org reveals that the site is registered in China - maybe a spammer/email account harvester?

Domain ID:D157042268-LROR
Domain Name:KEVANSHOME.ORG
Created On:06-Sep-2009 07:34:50 UTC
Last Updated On:10-Nov-2009 14:03:03 UTC
Expiration Date:06-Sep-2010 07:34:50 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:7kkxo6fmgfrrz7
Registrant Name:Ken Evans
Registrant Organization:Ken Evans
Registrant Street1:Star Street
Registrant City:Shang Hai
Registrant State/Province:Shanghai
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.02142552594
Registrant FAX:+86.02142552594
Registrant Email:lixing688@gmail.com
Admin ID:7kkxo6fmgfrrz7a
Admin Name:Ken Evans
Admin Organization:Ken Evans
Admin Street1:Star Street
Admin City:Shang Hai
Admin State/Province:Shanghai
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.02142552594
Admin FAX:+86.02142552594
Admin Email:lixing688@gmail.com
Tech ID:7kkxo6fmgfrrz7a
Tech Name:Ken Evans
Tech Organization:Ken Evans
Tech Street1:Star Street
Tech City:Shang Hai
Tech State/Province:Shanghai
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.02142552594
Tech FAX:+86.02142552594
Tech Email:lixing688@gmail.com
Name Server:NS.XINNETDNS.COM
Name Server:NS.XINNET.CN
DNSSEC:Unsigned

Thank you "Ken Evans" for reminding me that I have to be always vigilant in surfing the web. That was one wakeup call! Too much worrying about Viva Voce sure made me complacent, stupid and lazy.

Friends, be vigilant so that your most cherished web presence does not get taken over by a spammer in China or anywhere else.

Updates: Trend Micro posted about this on their blog and they're saying that this is a new Twitter worm that can compromise your account. Read it here:
A New Twitter Worm Is Making the Rounds

Marah Marie reported about the main page (http://www.kevanshome.org/), which masqueraded as an AOL/Bebo login page here (see newest update below for its change to a MySpace login page):
Everything Else

Sophos reports this and has a YouTube video demonstration of the attack as well:
This you???? : Phishing attack hits Twitter users

As of February 25, 1012H (GMT +8) http://www.kevanshome.org/ is made to look like a fake MySpace page, below:

[Screenshot of the fake MySpace login page at http://www.kevanshome.org/]

Note that it does not look like the current MySpace login page.

M86 Security Labs has some history on this phishing attack here:
Twitter "Phish and Spam" Campaign

2 comments:

Sippy Stuff said...

Thanks for posting!

Ray said...

Thanks for posting. Wish I had seen it before I logged into the account too. Took about 5 seconds longer than you to realize I had been had too. Time to change a password or two. Luckily I didn't use the same ones on too many accounts.