It appears that Tumblr has once again been hit by a phishing attack, one that has lasted well over a month. A search on Tumblr for Staff Blog turns up quite a few disgruntled posts from users complaining that Tumblr’s own staff blog appears to be posting special offers to their sites, on their behalf.
This isn’t the first time Tumblr has been the target of a phishing attack. Last June, users trying to access posts on the blogging platform were met with a message asking them to ‘validate their credentials’ by logging in to their accounts again. The message read “This page contains adult content. Please revalidate your credentials.”
It would seem that Tumblr is now facing another round of attacks, with users being met with the same message.
“…I was careless and stuck my password in when prompted to confirm my ID on a Tumblr saying it featured adult content, even though if I remember it was just a standard Tumblr, not a porn one …no seriously!
The post that appeared on his blog can be seen in the screenshot below:
While in Nick’s case, the spam post featured a Walmart Gift card, other posts have included Apple giveaways, promising a free iPhone, a sure sign that the post is indeed spam. Other fake offers have included Southwest Airline tickets and Starbucks gift cards.
On the Tumblr dashboard, the post looks as though it’s coming from firstname.lastname@example.org, and it encourages other users to reblog it.
If users do go ahead and try to access the “giveaway”, the phishing scam is revealed: they are told they will get the freebie in return for giving away their personal information.
One of the current scams takes users to Tumblrlinks.com, a page featuring a work-at-home job opportunity, which does an extremely poor job of disguising its phishing attempt.
The phishing site is also relatively new, having been registered just this past February 17th.
It isn’t clear how many blogs may have been compromised in this latest attack, but we have contacted Tumblr for a comment on the story and will update once we have received it.
(Thanks for the tip Nick!)