“Osama is alive CNN” Twitter Scam

Screenshot of a scam tweet message

A scam is doing the rounds on Twitter today that attempts to trick unsuspecting peeps into giving up their Twitter credentials.  This is a brief run down of the scam scenario…

Now whether Osama is kicking back in Tijuana at the sea side or whether he’s kicking around Davey Jones’ locker at the sea floor is not in question.  What is important is that CNN (or any other outlets to my knowledge) at this time have not posted any such news article and any links claiming as such are highly likely to be a scam!

The scam starts with any variation of a fake “Breaking News” type headline purportedly announced by CNN that Osama Bin Laden is alive and well.

The post includes a link that has been shortened to disguise the true target.  This one uses bit.ly but there are dozens of similar services.  The URL shortening services themselves are entirely legitimate and have many useful purposes, one of which is being able to include a link which would otherwise consume most of the 140 character limit in a tweet.

If you click the link (and to be fair, at this point there’s no reason to doubt it) you’ll get a screen looking something like this…

Screenshot of fake Twitter login page

At first glance it is very convincing and it’s understandable that many people would provide their username and password without hesitation.  But take a closer look at the address bar…

Address bar detail of the fake Twitter login page

The website in the address bar is “twitter.login12.w2c.ru” so if we start at the right (ignoring the web page bit of the address /relogin.php) and work backwards we see the actual website is “w2c.ru” and “twitter.login12.” has been added to trick people into thinking that the website they are looking at is really Twitter.  Sneaky!

Screenshot of linked YouTube video page

If you didn’t spot this and went on to type in your username (or email address) and password then you would be directed to a YouTube video of protesters claiming that Osama Bin Laden is still alive (the video has regional restrictions so it is not available in all countries, UK in particular).

Having tested this with a dummy Twitter account, there was no immediate message posted and my account was not taken over within a few minutes so the end game of this scam is unclear but the issue remains that you would have unwittingly handed over your Twitter login credentials to an unknown and probably malicious person.  They could take over your account, post messages under your identity and lock you out.

---

Mitigating this risk

Twitter settings menu

Twitter has an optional setting that can help to draw attention to problems like this but you have to opt-in and you’ll still need to pay attention.  From the drop-down menu under your username in the top right corner, select Settings.

Twitter HTTPS option

From there scroll to the bottom of the page and enable the tick-box for “HTTPS Only – Always use HTTPS”.  More and more websites are making a similar option available including Facebook and Hotmail.  (You don’t need to worry about the technical details but if you’d like to know more, let me know and I’ll do what I can but in brief the S stands for Secure and it forces your connection to Twitter to use SSL encrypted communications.)

What this will do as far as we’re concerned right now is add a visual validation that the website you’re looking at that says it is Twitter, really actually is Twitter.  As you can see below, my web browser now includes a green tag next to the address bar that verifies the website really is Twitter.  How this verification is displayed will vary between operating systems and web browsers but it should be quite.

Be wary though as some scam websites try to fake this as well but with a little experience you should learn to recognise it.  This type of verification will always be used with on-line banking and quite a few email services.  You’ll notice in the screen shots of the fake login screen further up that the address only started with “http://” instead of “https://” and there is no padlock symbol.

Twitter HTTPS address bar validation