Not-For-Profit Phishing
A recent phishing scheme that targets users of Twitter (http://blog.twitter.com/2009/01/gone-phishing.html) may be related to a string of Web attacks against several high-profile celebrities and no doubt many other users. The most recent attacks apparently began when stolen credentials were distributed by a user on the Digital Gangster website. The noticeable result was a spontaneous defamation free-for-all, whereby the credentials were used to post humorous and sometimes vulgar messages on the compromised accounts. Some of the posts also redirected users to advertising websites.
This sort of activity is nothing new; however, it is interesting that the user gave out the credentials for free instead of selling them for a profit. As discussed in the recent Symantec Report on the Underground Economy, user credentials can be sold for a profit and the fact that some of the credentials were for high-profile celebrities would likely add to the value of such information. It could be that the person was only after credibility and enjoys the act of phishing but has no interest in keeping the catch. Sport-phishing, anyone?
Update
According to the (overlooked) Monday post on the Twitter Blog, the attacks on the celebrity accounts were not related to the phishing scam, as was first speculated. A hacker gained unauthorized access to some of Twitter's administrative support tools and used them to take control of 33 accounts. According to other sources, the hacker used a brute-force dictionary attack to determine the administrative password.
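To show why an online dictionary attack succeeds against a weak administrative password, and what the usual countermeasures look like, here is an added Python example. It is not Twitter's code and says nothing about how their tools actually worked; the wordlist, the passwords and the lockout threshold are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist. A real attacker would feed in a file of the most
# common passwords; the point is only that the target password is in it.
WORDLIST = ["123456", "password", "letmein", "qwerty",
            "sunshine", "admin", "welcome", "football"]


def hash_password(password: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; slow hashing does not stop an ONLINE guess
    against a live login form, which is why throttling is needed as well."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AdminLogin:
    """Toy password verifier (hypothetical). With max_attempts=None it behaves
    like a login that never locks out, which is what a dictionary attack needs."""

    def __init__(self, password: str, max_attempts=None):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def login(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self.digest, hash_password(guess, self.salt)):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True  # account-level lockout after too many failures
        return False


def dictionary_attack(target: AdminLogin, wordlist):
    """Try each candidate in order against the live login.
    Returns (password, attempts) on success, (None, attempts) otherwise."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if target.login(candidate):
            return candidate, attempts
        if target.locked:
            break  # further guesses are pointless once the account locks
    return None, attempts


def is_weak(password: str) -> bool:
    """Password-policy check: reject anything that appears in the attacker's
    wordlist, so a dictionary attack cannot succeed in the first place."""
    return password.lower() in WORDLIST


if __name__ == "__main__":
    print(dictionary_attack(AdminLogin("sunshine"), WORDLIST))
    print(dictionary_attack(AdminLogin("sunshine", max_attempts=3), WORDLIST))
    print(dictionary_attack(AdminLogin("Tr0ub4dor&3xylophone"), WORDLIST))
```

With no lockout the weak password falls on the fifth guess; with a three-attempt lockout the same wordlist never gets that far; and a password that is not in the wordlist survives the whole list. Either control alone (a lockout or throttle on the admin login, or a policy that rejects dictionary words) defeats this particular attack, and both together are the norm for administrative interfaces.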
Twitter has addressed the issue, having restored the hacked accounts, and is currently undergoing a full security review to mitigate future attacks. As quoted from Twitter's Monday post, "We immediately locked down the accounts and investigated the issue. Rick, Barack, and others are now back in control of their accounts."