Twitter users are being targeted by a phishing campaign designed to steal passwords and use hijacked accounts to spread money-making spam campaigns.
The ongoing attacks started two days ago when phishing links began appearing in seemingly humorous postings, said security firm Sophos.
Postings that begin with phrases such as "lol , this is funny." and "Lol. this you??" contain links to a fake Twitter login page hosted on a website based in China called BZPharma.net.
"This phishing attack has been causing headaches for Twitter users all weekend, resulting in thousands of users being put at risk of having their account broken into," said Graham Cluley, senior technology consultant at Sophos.
"The cybercriminals behind the attack are creating a zombie network, or botnet, of hacked accounts that they can then abuse to spread spam, distribute malware and steal identities," he said.
Any Twitter users who have clicked on the malicious links, or who find direct messages in their Sent box that they did not send, should change their Twitter password immediately, said Cluley.
Sophos researchers found that most of the malicious links have been spread through direct messages between individual users on Twitter, but that dangerous links are also being posted in public feeds, making them accessible to non-Twitter users.
Third-party services like GroupTweet extend the standard Twitter direct message functionality and allow private messages to be sent to multiple users and optionally made public, said Cluley.
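The two signals the article describes, a stock lure phrase at the start of the message and a link whose host is not Twitter's own, are easy to turn into a simple check a user or administrator can run over their own sent direct messages, which is the "look in your Sent box for messages you did not send" advice above. The following is an added example, not code from Sophos or from the article; the sample messages, the `.invalid` hostnames and the trusted-host list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Lure phrases quoted in the article, compared case-insensitively.
LURE_PHRASES = ("lol , this is funny.", "lol. this you??")

# Hosts a genuine Twitter login link would use (assumed allow-list).
TRUSTED_HOSTS = {"twitter.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def link_hosts(text):
    """Return the lower-cased hostnames of every http(s) URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one.

    The suffix check is anchored on a dot so that a host like
    twitter.com.evil.invalid is not mistaken for twitter.com.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(message):
    """Score one message; a lure phrase counts 2, each off-site link counts 1."""
    text = message["text"]
    reasons = []
    score = 0
    if any(text.lower().strip().startswith(p) for p in LURE_PHRASES):
        reasons.append("lure-phrase")
        score += 2
    untrusted = [h for h in link_hosts(text) if not is_trusted(h)]
    if untrusted:
        reasons.append("offsite-link")
        score += len(untrusted)
    return {"score": score, "reasons": reasons, "hosts": untrusted}


def scan(messages, threshold=2):
    """Return (id, verdict) for messages scoring at or above the threshold.

    A lone off-site link is normal DM traffic and stays below the threshold;
    a lure phrase, or a lure phrase plus a login link elsewhere, is flagged.
    """
    flagged = []
    for m in messages:
        verdict = classify(m)
        if verdict["score"] >= threshold:
            flagged.append((m["id"], verdict))
    return flagged


# Constructed sample of a user's sent direct messages (not real data).
SAMPLE_DMS = [
    {"id": 1, "text": "lol , this is funny. http://example-phish.invalid/twitter/login"},
    {"id": 2, "text": "Lol. this you?? http://twitter.com/someone/status/1"},
    {"id": 3, "text": "meeting moved to 3pm, see https://docs.example.invalid/agenda"},
    {"id": 4, "text": "ok see you then"},
]

if __name__ == "__main__":
    for msg_id, verdict in scan(SAMPLE_DMS):
        print(f"message {msg_id}: {verdict['reasons']} hosts={verdict['hosts']}")
```

Message 1 trips both signals and message 2 trips the lure phrase alone; message 3, a routine link to a non-Twitter site, is not flagged, which keeps the check from treating every external link as a compromise.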
Sophos has linked the phishing attacks to spam selling herbal Viagra being sent from the compromised accounts.
"Unless the hacked Twitter users change their passwords, the intruders can continue to spread spam and other attacks from their hijacked accounts," said Cluley.
Graham Cluley demonstrates how Twitter phishing attacks work