A Quick Look at the Twitter Phish Rotating through Domains

A Twitter phishing scheme is spreading its wings: as the couple of phishing domains this scheme used late last week have been taken down, its operators have decided to put up multiple effective domains. Here are a couple of things to look for.

When you are using a browser like Google Chrome and you visit Twitter, the browser displays a green URL indicator showing that the domain has been verified by an extended SSL CA. Now, with the CA breaches that we’ve seen in the past year (the Diginotar breach report was finalized this past week), that may not mean everything. But, in this case, here is how you might verify that you are using the legitimate Twitter site:

This Direct Message attracts phish with a dramatic notice: “Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here”. There are a handful of messages in use, as the GFI guys mentioned here last week.

If you click on that shortened link, your browser is redirected through a click tracking service:


And on to the unverified, carefully selected domain. At first glance, this one almost looks like the twitter domain itself:

Do not enter your username and password at this site. Also, there are at least a half dozen other domains that look fairly close to “”, like this one. These guys are using all of them with the same page and graphics to tempt you into entering your credentials. This theft can be a risk if you re-use your passwords across accounts. Also, there is often other personal information within these Twitter accounts, like the email address the user gave when creating the account. So please keep an eye out for this sort of play on word-recognition domains.
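A check along these lines can be automated on the landing hostname once the shortened link has been resolved. The following is an added example, not code from the original post: it compares each hostname label with the brand name using an edit distance that counts adjacent swaps, and every `.example` hostname in it is constructed. The distance threshold of 2 and the label-by-label comparison (rather than a public-suffix lookup) are assumptions.

```python
# Added example: flag hostnames that imitate a trusted domain.
from urllib.parse import urlsplit

TRUSTED = "twitter.com"          # the legitimate domain discussed above
BRAND = TRUSTED.split(".")[0]    # "twitter"

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "twtiter" vs "twitter"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's hostname."""
    if "//" not in url:
        url = "//" + url                      # let urlsplit find the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    # Any label equal or close to the brand on a foreign host is suspicious,
    # including the brand used as a subdomain of someone else's domain.
    for label in host.split("."):
        if edit_distance(label, BRAND) <= max_distance:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    samples = [                               # constructed sample URLs
        "https://twitter.com/login",
        "https://mobile.twitter.com/",
        "http://twiter.example/",
        "http://tvvitter.example/login",
        "http://twitter.com.login.example/",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

The comparison works on ASCII labels only, so internationalized (punycode) hostnames that imitate the name with look-alike characters need a separate normalization step.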
