The messages are sent from compromised accounts via Twitter's direct message feature and read "you look like you lost weight in this video.. [LINK]".
The link takes users to a fake Twitter login page hosted on a third-party server. Entering login credentials on this page exposes them to the attackers, who then abuse the hijacked accounts to propagate the scam further.
Users who receive the aforementioned messages from the people they follow should immediately notify them that their accounts have been hijacked and advise them to change their password.
Because a lot of people practice password reuse, this kind of compromise can have far-reaching consequences and can also give attackers access to the victims' more sensitive accounts, such as email or PayPal.
"If you found your Twitter account was one of those sending out the phishing messages, you shouldn't just change your password and consider if you are using the same password elsewhere," advises Graham Cluley, a senior technology consultant at antivirus vendor Sophos.
If you did use the same password for multiple accounts, you should break this bad habit and start creating unique access codes for each service you use. There are free password management tools that integrate well with browsers and can make this easier.
In addition, you should train yourself to always verify the URL in the address bar before logging into any website. It is also good to keep in mind that short URLs can lead to malicious pages. If extensions are available for your browser that reveal the destination of shortened URLs in advance, it would be a good idea to install one.
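A concrete form of the "verify the URL before logging in" advice, as an added example that is not part of the original article: a small Python check that accepts a login link only if it is served over HTTPS and its actual hostname is twitter.com or a subdomain of it. The sample links are constructed, and the attacker domains are placeholders.

```python
from urllib.parse import urlsplit

# Added example, not part of the original article. The trusted hostname
# and the sample links below are constructed for illustration.
TRUSTED_HOST = "twitter.com"


def is_trusted_login_url(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Return True only if the URL is HTTPS and its hostname is the
    trusted domain or a subdomain of it.

    The check uses the parsed hostname, so lookalike tricks such as
    'twitter.com.attacker.example', a path containing 'twitter.com',
    or 'twitter.com@attacker.example' (userinfo) are all rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False
    host = host.rstrip(".")  # "twitter.com." is the same host as "twitter.com"
    return host == trusted_host or host.endswith("." + trusted_host)


# Constructed sample links of the kinds a phishing message might carry,
# mapped to the verdict the check should give.
SAMPLE_LINKS = {
    "https://twitter.com/login": True,
    "https://mobile.twitter.com/login": True,
    "http://twitter.com/login": False,                    # not HTTPS
    "https://twitter.com.attacker.example/login": False,  # lookalike subdomain
    "https://attacker.example/twitter.com/login": False,  # brand only in the path
    "https://twitter.com@attacker.example/login": False,  # userinfo trick
    "https://twiiter.com/login": False,                    # typosquat
}


def check_samples() -> dict:
    """Run the check over every sample link and return the verdicts."""
    return {url: is_trusted_login_url(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK ' if verdict else 'BAD'} {url}")
```

The same idea applies to a shortened link: only the final destination's hostname, not the text of the link, tells you where the login form really lives.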