
Warning for recent twitter phishing attack - twittergangs.info

twittergangs.info, hosted by Russian hosting site 2x4.ru, is spreading the latest Twitter phishing attack via Twitter DM and Facebook.

Early this afternoon, when logging into Twitter, I realised that a message had been sent out to all my followers:

I quickly realised that it had to be a phishing attack. Clicking on it took me to the facebook.com app page for app “270454933073668” (@ http://apps.facebook.com/270454933073668/).

The app is named “7236029” (facebook app info for this app: https://graph.facebook.com/270454933073668). As you can see, the creator left no information connecting it to themselves or their site; they use no image or icon hosted from anywhere.

Once the victim fills in the information on the facebook app “270454933073668” (the first screenshot), the information is posted to “n2.php” and the page takes the victim to http://funson.twittergangs.info/tmb/zoom/newvideo.php (the screenshot you see below):

At this point it doesn’t really matter that the links are all empty “#”, that nothing in the page is real and working, or that the URL is untrusted; by now you’ve already entered your Twitter login details, which have probably been saved in the attacker’s database.

Your login details will now be used to compromise your account and send DMs to all your followers with the same link.

There also, however, initially seems to have been some hacking involved. I never entered my details in the app, yet my Twitter was compromised. This is something I am still investigating, but it seems the attackers hacked into a couple of Twitter accounts to get the “ball rolling” and send out the first couple of messages.

Some info I gathered was that twittergangs.info was a domain/hosting bought on Russian hosting site 2x4.ru (http://www.2x4.ru/index.php, images below, with fewer than 120 facebook likes yet claiming 43,000 visits from Russia alone). The page http://twittergangs.info/ is an empty page with a message from the 2x4.ru hosting provider.

Using the subdomain “funson” takes you to a page entitled “Vintages - Under construction theme” with comments all from September 14th (I suspect 1 day before their attacks).

A WHOIS check on twittergangs.info produced this:

Registrant:
ben hawkins
12353 sw 56 court
miami, Florida 33054
United States

Registered through: LuckyRegister - Cheap Domain Registration, Domain Hosting Services -
Domain Name: TWITTERGANGS.INFO
Created on: 15-Sep-12
Expires on: 15-Sep-13
Last Updated on: 15-Sep-12

Administrative Contact:
hawkins, ben ben_hawkins2@aol.com
12353 sw 56 court
miami, Florida 33054
United States
+1.3055236658

Technical Contact:
hawkins, ben ben_hawkins2@aol.com
12353 sw 56 court
miami, Florida 33054
United States
+1.3055236658

Domain servers in listed order:
NS1.2X4HOSTING.RU
NS2.2X4HOSTING.RU


Registry Status: CLIENT DELETE PROHIBITED
Registry Status: CLIENT RENEW PROHIBITED
Registry Status: CLIENT TRANSFER PROHIBITED
Registry Status: CLIENT UPDATE PROHIBITED
Registry Status: TRANSFER PROHIBITED
Registry Status: ADDPERIOD
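
The creation date and ADDPERIOD status in the record above are signals a defender can check automatically before trusting a link in a DM. The Python below is an added example, not part of the original post: it parses an excerpt of that record (contact fields omitted) and flags a freshly registered domain. The function names, the 30-day threshold and the `seen_on` date are assumptions.

```python
import re
from datetime import date, datetime

# Excerpt of the WHOIS record quoted in the post (contact fields omitted).
WHOIS_TEXT = """\
Domain Name: TWITTERGANGS.INFO
Created on: 15-Sep-12
Domain servers in listed order:
NS1.2X4HOSTING.RU
NS2.2X4HOSTING.RU

Registry Status: CLIENT TRANSFER PROHIBITED
Registry Status: ADDPERIOD
"""

def parse_whois(text):
    """Extract domain, creation date, name servers and registry statuses."""
    rec = {"domain": None, "created": None, "nameservers": [], "statuses": []}
    in_ns = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_ns = False                      # blank line ends the name-server list
        elif line.lower().startswith("domain servers"):
            in_ns = True
        elif in_ns:
            rec["nameservers"].append(line.lower())
        elif m := re.match(r"(Domain Name|Created on|Registry Status):\s*(.+)", line, re.I):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "domain name":
                rec["domain"] = value.lower()
            elif key == "created on":
                rec["created"] = datetime.strptime(value, "%d-%b-%y").date()
            else:
                rec["statuses"].append(value.upper())
    return rec

def triage(rec, seen_on, max_age_days=30):
    """Return reasons a domain seen in a message on `seen_on` looks freshly set up."""
    reasons = []
    if rec["created"] is not None:
        age = (seen_on - rec["created"]).days
        if 0 <= age <= max_age_days:           # threshold is an assumed policy value
            reasons.append(f"registered {age} day(s) before the link was seen")
    if "ADDPERIOD" in rec["statuses"]:         # add grace period right after registration
        reasons.append("still in the registry add grace period")
    return reasons

if __name__ == "__main__":  # seen_on is an assumed date, not stated in the post
    print(triage(parse_whois(WHOIS_TEXT), seen_on=date(2012, 9, 15)))
```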

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

This phishing attack seems successful because users are trained to see sites like facebook.com as totally legit, and so, seeing this as an app on facebook, users don’t first suspect it as anything harmful, especially in all its Twitter-templated glory. However, the facebook app is malicious, sending the login details to their “n2.php” page, which they can then use to log in at any time they choose and do as they wish.


Warning still goes out to everyone not to click on this link. If you have entered your Twitter login details then I advise you to change your Twitter login details as soon as possible before more people are affected. I have now reported this app to facebook.com and also contacted the 2x4.ru hosting service of this site, and I believe that they will start to take action. My followers were sent messages which might have affected them and I will make sure it does not happen again; however, I also hope this serves a purpose to remind people of the ever adaptable mind of a phisher.

  1. uulps posted this