New (old?) Twitter password stealer making the rounds…

If you click a Twitter link and it sends you to a Twitter login page, beware… look closely at the address bar and ensure you’re actually at Twitter’s login page and not a thieving imposter’s page!

Recently a friend on Twitter sent a link as part of a message:

Look! it’s you in this picture.. [along with a tinyurl link]

Other variants of this exist, such as “you’ll laugh when you see this pic of you [along with a tinyurl link]”.

Turns out, my friend’s account had been hijacked. (Yes, it really was a friend… I’ve seen this before with Twitter and other sites but it looks identical to an attack I saw about a month ago).

In this case, the bogus link went to a subpage on itwittiler.com (IP address 220.164.140.252), a domain registered in China – earlier today! The page looks like Twitter’s login page but it’s not. In fact, I sandboxed it and entered a bogus username/password to see if it’d redirect to Twitter no matter what was entered. No… it redirected me to a “StalkTrak” page, clearly malformed and totally bogus. Read this Sophos security article for more info.

Another subpage (found via some searching online) does redirect to Twitter, but to a user who doesn’t exist. In all cases, the first page you go to looks just like the Twitter login page (there are some subtle yet sloppy differences, but next time there might not be.)

It’s quite likely the page is harvesting credentials along the way. If you get stung, go to the real Twitter homepage and reset your password pronto (after closing your browser windows).

More info on itwittiler.com, via whois:

Domain Name: ITWITTILER.COM
Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
Whois Server: whois.55hl.com
Referral URL: http://www.55hl.com
Name Server: DNS5.4CUN.COM
Name Server: DNS6.4CUN.COM
Status: ok
Updated Date: 13-aug-2011
Creation Date: 13-aug-2011
Expiration Date: 13-aug-2012

Update: Another StalkTrak spam domain made the rounds last month: itiwitter.com. Surprise! It’s registered to the very same registrar! Judging by the same subpage structure I strongly suspect it’s the very same scammer using the very same site (or site structure)… while the IP address won’t resolve, it turns out this site’s for sale! And the IP address when last they checked? 220.164.140.252. Isn’t that special?

Domain Name: ITIWITTER.COM
Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
Whois Server: whois.55hl.com
Referral URL: http://www.55hl.com
Name Server: DNS5.4CUN.COM
Name Server: DNS6.4CUN.COM
Status: clientHold
Status: clientTransferProhibited
Updated Date: 20-jul-2011
Creation Date: 15-jul-2011
Expiration Date: 15-jul-2012

Still more information can be found on this site, which talks about the same scam (back before the scammers changed domain names and came back from the “dead”).
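The three things the post tells readers to check (is the host in the address bar really Twitter, does it merely resemble “twitter” like itwittiler.com, itiwitter.com and twittejr.com do, and how fresh is the domain according to whois) can be scripted. The following is an added example, not code from the original post or from Twitter: the whois text is copied (abridged) from the two records above, `LEGIT_HOSTS` is a hypothetical allow-list, and `TODAY` is a constructed clock set to the day the post calls “earlier today”.

```python
# Added example (not code from the original post): defender-side checks for a
# suspicious login URL and its whois record.
# Assumptions: LEGIT_HOSTS is a hypothetical allow-list; TODAY is a constructed
# clock; the two whois records are copied (abridged) from the post.
from datetime import date, datetime
from urllib.parse import urlsplit

LEGIT_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}  # assumption

ITWITTILER_WHOIS = """\
Domain Name: ITWITTILER.COM
Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
Referral URL: http://www.55hl.com
Status: ok
Updated Date: 13-aug-2011
Creation Date: 13-aug-2011
Expiration Date: 13-aug-2012
"""

ITIWITTER_WHOIS = """\
Domain Name: ITIWITTER.COM
Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
Status: clientHold
Status: clientTransferProhibited
Updated Date: 20-jul-2011
Creation Date: 15-jul-2011
Expiration Date: 15-jul-2012
"""

TODAY = date(2011, 8, 13)  # constructed: the day itwittiler.com was registered


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, without port, userinfo or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_real_twitter(url: str) -> bool:
    """Exact match against the allow-list. A substring test would pass both
    'itwittiler.com' and 'twitter.com.evil.example', so it is not used."""
    return host_of(url) in LEGIT_HOSTS


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_twitter(url: str, max_distance: int = 3) -> bool:
    """True for a non-Twitter host with any DNS label within a few edits of
    'twitter': the typo-squat pattern the scam domains share. Also fires when
    'twitter' is used as a subdomain label under someone else's domain."""
    host = host_of(url)
    if not host or host in LEGIT_HOSTS:
        return False
    return any(levenshtein(label, "twitter") <= max_distance for label in host.split("."))


def whois_values(record: str, field: str) -> list:
    """All values of `field` in a flat 'Key: value' whois record (Status repeats).
    Splitting on the first colon keeps values such as URLs intact."""
    out = []
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == field.lower():
            out.append(value.strip())
    return out


def creation_date(record: str) -> date:
    """Parse 'Creation Date' in the dd-mon-yyyy form these records use."""
    return datetime.strptime(whois_values(record, "Creation Date")[0], "%d-%b-%Y").date()


def domain_age_days(record: str, today: date = TODAY) -> int:
    return (today - creation_date(record)).days


def assess(url: str, record: str, today: date = TODAY, fresh_days: int = 30) -> dict:
    """Combine the checks into one verdict for a login URL and its whois record."""
    age = domain_age_days(record, today)
    return {
        "host": host_of(url),
        "real_twitter": is_real_twitter(url),
        "lookalike": looks_like_twitter(url),
        "age_days": age,
        "fresh": age <= fresh_days,           # registered within the last month
        "on_hold": "clientHold" in whois_values(record, "Status"),
    }


if __name__ == "__main__":
    for url, rec in (("http://itwittiler.com/login", ITWITTILER_WHOIS),
                     ("http://itiwitter.com/login", ITIWITTER_WHOIS)):
        print(assess(url, rec))
    print(is_real_twitter("https://twitter.com/login"))
```

The exact allow-list match is the check that matters; the edit-distance heuristic only ranks how suspicious a non-matching name is and will also flag innocent names a few letters away from “twitter”, so treat it as a hint, not a verdict. Domain age and a `clientHold` status are read from a saved whois record here; a live lookup would be the same parsing applied to a fresh record.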

1 Comment


  1. Yet another domain name used by these impostors is twittejr.com.
