Scammers are the scum of the earth especially when they exploit tragic events such as the Orlando nightclub shooting. This is not the first time similar things have happened so you should be cautious.

This time the scammers targeted Twitter users. On 18th of June several verified accounts started tweeting about “BREAKING NEWS! Father of Orlando shooter to be charged” or “OMG can you believe this crap about the Orlando shooting?”

twitter-tweets-2phish-tweets-1The McAfee short link is malicious. It points to a sneaky Twitter phishing site:

twitter-phish-data-URIIf you are interested in the network flow, check out the URL query report.

Note that there is no actual link present, just a data URI. Phishing by data URIs is not a new invention, but I haven’t seen it used in real attacks before. Suggested reading: Phishing by data URI by Henning Klevjer (PDF).

The main part of the encoded URI reveals the malicious website attempting to collect credentials:

phish-formNote! The phishing tweets, malicious links and related websites are all still active (19-Jun-2016)

Luckily this attack wasn’t very successful like one of the earlier ones with more than 20.000 potential victims. I found the file containing the stolen credentials. The file contains less than 50 possible user names and passwords.


if any link takes you to a Twitter login site, don’t enter your username or password. Just close the browser or browser window.