Last time I posted about the "Did you see the pic of lol" Twitter direct message and how it leads to a phishing attack. Today I encountered a new variant of that spam which also leads to a phishing attack. Before we continue I strongly recommend reading the earlier article, Did you see the pic of lol Twitter direct message leads to a phishing attack.
The new variant is "Have you seen of you ? Lol". This is spreading on Twitter as direct messages. I also got the same message, with a shortened URL.
When you click on the link you are redirected to a fake Twitter login page which says that your session has expired, so please log in again. This is quite convincing for an average user. The actual URL hidden behind the shortened one is http://twlilter.com/relogin/k1/?session_error=yhzq
On closer examination of tvitter.com and twlilter.com we can see a lot of similarities and a few differences.
First of all, the spammers are using a different domain name this time. Previously it was http://tvitter.com, but now they are using a new domain called http://twlilter.com.
There is a major difference in the interface of the two phishing pages. The tvitter.com page used a clean blue background and a much more polished interface which closely resembled the actual Twitter page. In this case they are using a page which looks more suspicious and bears less resemblance to the real Twitter login interface. It is still enough to trick a user who is not aware of spam and phishing attacks.
I provided a fake username and password to see what happens. The username and password are posted to http://twlilter.com/relogin/k1/twlogin.php, where the credentials are saved. After saving the submitted username and password the page redirected me to https://twitter.com/oauth/authenticate.
In the tvitter.com case, after receiving the username and password they redirected us to the twitter.com home page, but this time the redirect goes to the https://twitter.com/oauth/authenticate page.
In spite of these slight differences in the interface and the redirect, the ultimate goal of both spams is the same: to steal your Twitter account credentials, which they will succeed in doing if you enter your Twitter credentials on these pages.
I believe both the "Did You See the Pic of You ? LOL" and the "Have You seen You ? Lol" spams are from the same cyber criminal group. There are several reasons to believe this.
First of all, the tvitter.com domain is no longer available, or has been blocked, so this could be a new campaign launched by the same people. Secondly, both spams use the same strategy and methods.
I have also checked the domain registration details of both tvitter.com and twlilter.com; both are registered from Shanghai, China. Of course, this information will be fake. But considering the geolocation of both registrations, the pattern of the message used and the method of the phishing, we can assume that both domains are owned by the same group.
As I said in my earlier post, Did you see the pic of lol Twitter direct message leads to a phishing attack, always check the URL before giving your login credentials, and also make sure that the URL starts with https, not http.
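The two checks recommended above (is the domain really the brand's domain, and is the page served over https) can be automated. The following is an added example written for this post, not code from the original article or from any Twitter tool: it extracts the registered domain from a login URL, compares it to a constructed list of protected brand domains by edit distance (both raw and after folding visually confusable characters such as "vv" for "w" or "l" for "i"), flags a brand name that appears only as a subdomain, and flags a non-https scheme. The registered-domain extraction simply takes the last two labels, which is an assumption that breaks on suffixes like .co.uk; a production tool would use the Public Suffix List.

```python
"""Lookalike-domain check for login URLs (illustrative example, not from the post).

Assumptions: PROTECTED_DOMAINS and CONFUSABLES are constructed for this example,
and registered_domain() uses the last two labels of the hostname.
"""
from urllib.parse import urlparse

# Brand domains whose login pages we want to protect (constructed list).
PROTECTED_DOMAINS = ("twitter.com",)

# Visually confusable substitutions commonly seen in typosquatting (constructed map).
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("l", "i"), ("1", "i"), ("0", "o"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(label: str) -> str:
    """Collapse confusable sequences so that 'tvvitter' compares equal to 'twitter'."""
    out = label.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (assumption: no multi-part public suffix)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_login_url(url: str, max_distance: int = 2) -> dict:
    """Return a verdict and the reasons for a URL that asks for credentials."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registered_domain(host)
    findings = []

    # The post's second rule: a login page must be served over https.
    if parsed.scheme != "https":
        findings.append("not served over https")

    # The post's first rule: is the registered domain really the brand's domain?
    if domain in PROTECTED_DOMAINS:
        return {"domain": domain, "verdict": "legitimate domain", "findings": findings}

    for brand in PROTECTED_DOMAINS:
        # Brand name used as a subdomain of somebody else's domain.
        if brand in host:
            findings.append(f"{brand} appears in the hostname but is not the registered domain")
        raw = levenshtein(domain, brand)
        norm = levenshtein(normalize_confusables(domain), normalize_confusables(brand))
        if min(raw, norm) <= max_distance:
            findings.append(
                f"lookalike of {brand} (edit distance {raw}, {norm} after confusable folding)"
            )

    verdict = "suspicious" if findings else "no match"
    return {"domain": domain, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for sample in (
        "http://twlilter.com/relogin/k1/?session_error=yhzq",  # URL from the post
        "http://tvitter.com/",                                  # earlier campaign's domain
        "https://tvvitter.com/login",                           # constructed: vv for w
        "https://twitter.com/oauth/authenticate",               # the real site
    ):
        print(sample, "->", assess_login_url(sample))
```

Running the script prints a verdict for each sample; the two phishing domains from this post come out as suspicious with edit distances 2 and 1 from twitter.com, the constructed "tvvitter.com" is only caught after confusable folding, and the real oauth URL is reported as a legitimate domain with no findings.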