Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack

Graham Cluley

Twitter users are being warned about a widespread phishing attack spreading across the service, designed to steal the usernames and passwords of unsuspecting members.

Messages include

Lol. this is me??
lol , this is funny.
Lol. this you??

followed by a link in the form of


where ‘’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to at the very least.
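The indicators above (a short "lol, this is me/funny/you" lure followed by a link that points away from twitter.com) are enough to triage messages automatically. The script below is an added example for this post, not code from Graham Cluley or Sophos: it scans a batch of messages for the quoted lure phrases, pulls out every URL, and flags a message as a likely phish when a lure phrase is paired with a link whose host is not twitter.com or a true subdomain of it. It also calls out lookalike hosts that merely contain the word "twitter" (such as twitter.com.example.net), the trick behind most fake login pages. Every domain in its sample data is a constructed placeholder (example.net and the like), because the post does not reproduce the real phishing domain; the allow-list of legitimate hosts is an assumption.

```python
"""Heuristic triage for the 'LOL this is funny' Twitter phishing lure.

Added example for this post, not code from Graham Cluley or Sophos. The
lure phrases are the ones quoted in the post; every domain in the sample
data is a constructed placeholder (the post does not reproduce the real
phishing domain, and neither does this example).
"""
import re
from urllib.parse import urlsplit

# Lure text reported in the post, matched case-insensitively and tolerant of
# the stray punctuation seen in the wild ("Lol. this is me??", "lol , this is funny.").
LURE_PATTERNS = [
    re.compile(r"\blol\b.{0,6}\bthis\s+is\s+me\b", re.I),
    re.compile(r"\blol\b.{0,6}\bthis\s+is\s+funny\b", re.I),
    re.compile(r"\blol\b.{0,6}\bthis\s+you\b", re.I),
]

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.I)

# Hosts that may legitimately serve a Twitter login page (assumption for this example).
LEGIT_HOSTS = {"twitter.com"}


def lure_matches(text):
    """True if the message carries one of the known lure phrases."""
    return any(p.search(text) for p in LURE_PATTERNS)


def extract_hosts(text):
    """Hostnames of every URL in the message, lower-cased, trailing dot removed."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def is_legit_host(host):
    """Exact match or a true subdomain of a legitimate host; 'twitter.com.example.net' is not."""
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def is_lookalike(host):
    """Brand name present in a host that is not actually Twitter's."""
    return "twitter" in host and not is_legit_host(host)


def classify(text):
    """Return (verdict, reasons): verdict is 'phish', 'suspicious' or 'ok'.

    A lure phrase plus an off-domain link is the signature of this campaign;
    either signal on its own is only grounds for a closer look.
    """
    reasons = []
    hosts = extract_hosts(text)
    off_domain = [h for h in hosts if not is_legit_host(h)]
    lookalikes = [h for h in hosts if is_lookalike(h)]
    lure = lure_matches(text)
    if lure:
        reasons.append("lure phrase")
    if lookalikes:
        reasons.append("lookalike host: " + ", ".join(lookalikes))
    if off_domain:
        reasons.append("off-domain link: " + ", ".join(off_domain))
    if lure and off_domain:
        return "phish", reasons
    if lure or lookalikes:
        return "suspicious", reasons
    return "ok", reasons


# Constructed sample messages; the domains are placeholders, not the real campaign's.
SAMPLE_MESSAGES = [
    "lol , this is funny. http://example.net/twitter/login.php",
    "Lol. this is me?? http://twitter.com.example.net/",
    "Lol. this you??",
    "New blog post on the phishing run: https://twitter.com/sophoslabs/status/1",
    "My old profile is still at http://m.twitter.com/home",
]


def triage(messages=SAMPLE_MESSAGES):
    """Classify each message; returns a list of (verdict, text) pairs."""
    return [(classify(m)[0], m) for m in messages]


if __name__ == "__main__":
    for verdict, text in triage():
        print(f"{verdict:<10} {text}")
```

Treat the output as a triage score rather than a blocking decision: the lure regexes are brittle because the wording changes from one run of the campaign to the next, and the "off-domain link" rule fires on every external link, so on its own it says nothing. The combination of the two, and the lookalike-host check, is what separates this campaign from ordinary chatter.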

Watch this YouTube video for more details:


Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if they aren’t sent to you directly, or even if you are not a signed-up Twitter user.

It appears that the messages are being shared more widely because of third-party services such as GroupTweet, which extend Twitter’s standard direct message (DM) functionality: they allow a private message to be sent to multiple users *and*, optionally, made public.

As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!

Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

Twitter phishing website on

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.

Interestingly, the site doesn’t appear to have been set up for Twitter phishing alone. It also carries a page for stealing the online identities of users of the Bebo social networking site:

Bebo phishing page on

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.

We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.

Update: The phishing campaign appears to be bearing fruit for the hackers, as they are now distributing spam selling herbal viagra from the compromised accounts.

Sophos at RSA

PS. If you’re attending the RSA Conference in San Francisco next month, please come and hear me talk about the growing problem of cybercrime on social networks.

I’ll be showing some live demonstrations of attacks and discussing how the problem has grown in the last year.

I’m also roped into giving regular presentations on the Sophos booth on the subject of social networking security, and I’m giving a conference paper “Web 2.0 Woe: Cybercrime on social networks” (Session ID: HT1-204 1pm, 3 March 2010).

I look forward to seeing some of you there.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
