Nullvariable

TwitViewer – How to Identify a Twitter Phishing Site

by Doug on July 28, 2009

Trending on Twitter right now is a site called TwitViewer. The site makes the claim that you can see who the last 200 visitors to your profile on Twitter were. Thertwitviewer.nete’s a few problems with this claim and even more with the site.

Problem #1 they have no way to gather accurate stats unless they own hardware/software that Twitter is running on. The same applies to MySpace and Facebook. Unless you can host a picture or javascript file on these sites (easier to do with Facebook or MySpace but none of the apps that claim to show you your visitors really does that).

Warning Signs

#1 There’s no Feedback button, no help forums, no privacy policy, no contact page. In fact there’s only one link on the page at all.

#2 The only link on the page goes to a complete 50 offers to get a free iPhone scam page.

#3 The poor grammar in the opening line: “app to see who was the last 200 visitors.” Grammar and spelling issues are always a dead giveaway to me, scammers & spammers tend to either be kids in school or people that learned English as a second language (and/or can’t afford proof reading).

These two warning signs should keep anyone from entering their username/password.

Hopefully we’ll see TwitViewer shut down pretty soon since it’s clearly violating the Twitter Terms of Use but a new scam will be out there soon. Keep your eyes open and if in doubt just don’t do it!

What do you do if you do get phished by this site or a site like it? Change your password ASAP! Also it’s wise if you’re using a different password for your email at the very least. It’s hard to remember lots of passwords but keeping at least your bank and email on different passwords than the one you use for everything else will really help protect you online.

More:

Twitter Report Spam Script

How to Avoid Phishing Scams

Twitviewer is an app to see who was the last 200 visitors you had on your twitter page.

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
  • email
  • Ping.fm
  • RSS
  • StumbleUpon
  • Twitter
  • Yahoo! Buzz
  • Warning sign #0: they want your Twitter login and password. Never EVER give your Twitter login or password to someone that isn't Twitter. If they're not using Oauth, they are scamming you.
  • sdfisher
    Twitter really has no defense if people are going to be stupid enough to type their username and password into a third party site. It's not like they're piggybacking on Twitter's authentication system, this is pure phish and out of Twitter's control.

    And it always will be.

    You have to be smart. The Internet is not a safe place that a company like Twitter can keep clean for you.
  • Agreed but OAuth still has issues and a lot of twitter users have become accustomed to entering their password on sites like Twitpic. Not exactly Twitter's problem but they should have started out using OAuth or something similar from the first. Wouldn't eliminate it but would make it a little less common. At least for Facebook scams they have to copy the Facebook login page verbatim. Scams like this can just look like a cool new app and people will fall for it.
  • sdfisher
    Oh, for sure, direct login is going to happen for a while. My point was just that other than talking to whoever happens to be hosting TwitReport and hoping... yes, hoping... they're reasonable, there's not much Twitter can do.

    (Of course, I'm *extra* skeptical of direct login sites.)
  • yeah, they can block the site from using the API but not from taking your password. There was some interesting stuff underneath that site going to other sites. Maybe Twitter can file spam black listing? or perhaps they could hit them with DCMA copyright infringement and get the site taken down?

    It's a problem that's not going to go away unless Twitter starts becoming less popular

Previous post:

Next post: