The F-Secure blog reports on a clever little phishing attack which uses Twitter’s own Direct Message service and URL shortening services.
Unsuspecting users will click the link in the message because it appears to come from somebody they know: Direct Messages can only come from people you follow on Twitter. However, the message is likely coming from a hijacked account, and it points to a URL hosting a phishing page that looks like Twitter and asks you to sign in.
Once the attackers have your credentials, they send messages to all your contacts, and their web of hijacked accounts grows exponentially.
The good news is that Twitter has reacted quickly to this attack and is closing down the avenues of attack.
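
The check a user or a mail/web gateway can make against this kind of message is on the host where the shortened link finally lands, not on how the page looks. The Python below is an added example, not code from F-Secure or Twitter: it classifies a redirect chain that a URL expander or proxy has already recorded. The trusted host list, the function names and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Twitter sign-in hosts.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# Constructed sample chains: first URL is the short link from the DM,
# last URL is the page that asks for credentials.
SAMPLE_CHAINS = {
    "genuine": ["http://short.example/a1", "https://twitter.com/login"],
    "suffix": ["http://short.example/b2", "http://twitter.com.signin.example/login"],
    "userinfo": ["http://short.example/c3", "https://twitter.com@signin.example/"],
    "plain_http": ["http://short.example/d4", "http://twitter.com/login"],
    "unrelated": ["http://short.example/e5", "https://news.example/story"],
}


def parse(url):
    """Return (scheme, host, netloc) for an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return parts.scheme, host.rstrip(".").lower(), parts.netloc.lower()


def classify_chain(chain):
    """Classify the landing page of a recorded redirect chain."""
    if not chain:
        return "empty"
    parsed = parse(chain[-1])
    if parsed is None:
        return "unparseable"
    scheme, host, netloc = parsed
    if host in TRUSTED_HOSTS:
        # Exact host match only; a sign-in page over plain HTTP is still flagged.
        return "twitter" if scheme == "https" else "twitter-insecure"
    # Not a Twitter host: "twitter" in the host or userinfo marks a look-alike.
    if "twitter" in host or "twitter" in netloc:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, "->", classify_chain(chain))
```

Only an exact match on the parsed host counts as Twitter, so `twitter.com.signin.example` and `twitter.com@signin.example` are both reported as look-alikes even though the string `twitter.com` appears in them.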