A widespread phishing scam on microblogging service Tumblr has successfully captured the details of thousands of accounts, security outfit GFI Labs has claimed.
Christopher Boyd, a researcher at the anti-virus and anti-spyware specialist, claims to have worked with others to uncover a major phishing problem at Tumblr. While the attack does not represent an active penetration of Tumblr's site security, it is surprisingly pervasive and has claimed thousands of accounts to date.
"The data we saw contained 8,200 lines of text," Boyd explains in a posting to his company blog, "and even accounting for the inevitable duplicates and fake data that's still quite the goldmine of pilfered login credentials."
Although the attack started off as a simple attempt to hijack user accounts, those behind it have started to use those credentials to host their content on Tumblr itself. By spreading the content across the official Tumblr site and third-party domains with convincing names - like tumblriq.com, tumblrlogin.com, and tumblrsecurity.com - the attackers are able to lend an air of legitimacy to the pages that appear.
Users entering their credentials in the hopes of seeing adult content or taking part in an IQ test - ironically enough - will find their account credentials stolen, and will likely perpetuate the problem by playing host to the content themselves.
Why Tumblr, a relatively small site compared to social networking giants such as Facebook, is being targeted is a question with no clear answer. "We can only guess," Boyd explains. "The stolen accounts could be used as some form of advert affiliate money-making scam, or maybe we could see lots of pages with survey popups pasted over them.
"There is the very real possibility that the Tumblr accounts are simply a way to test if those users are logging into other services with the same credentials - at that point, everything from email accounts to internet banking sites could be fair game."
It's a problem that Tumblr is aware of: users e-mailing the support department regarding the issue receive a lengthy auto-response in return, which explains the nature of fake log-in pages and the necessity of setting a new password if account details could have been leaked.
"Please rest assured that Tumblr is doing everything it can to address this issue," the note reads. "Thank you for taking the time to share your concern with us."
The third-party sites involved in the attack have been rendered inoperable at the time of writing - although that could change as the phishers find new hosts - and Tumblr has been alerted to the hijacked accounts in order to get the passwords reset and the attackers booted from the service.
The phishing attack on Tumblr users comes as world-wide spam levels over e-mail remain at a surprisingly low volume - around a quarter the level of August last year - suggesting that ne'er-do-wells are shifting their attention to the relatively new world of social networking and microblogging.