The Twitter "don't click" messages are spreading like wildfire. It's a relatively benign form of clickjacking (analysis here) that tricks you into clicking a button when you are actually clicking on a hidden button on the Twitter site that posts a tweet.
I've talked about clickjacking in Wellington, Auckland, Christchurch and Nelson, and while I don't know of a foolproof way to protect yourself against clickjacking, you should do what Twitter have done (and what I suggested at those talks) and include some frame-busting JavaScript at the top of every page in your site. Details are here: Framebusting in Javascript
Frame-busting works by unwrapping your site from being hosted inside an iframe. It won't stop all clickjacking attacks, and it won't protect all users, but like many security mitigations it's about layering several 90% solutions on top of each other to protect your users and your websites.
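The frame-busting check described above, as an added example that is not code from the original post or from Twitter. The names `bustFrame` and `makeFakeWindow` are hypothetical, and the fake window is constructed so the same file runs under Node as well as in a browser.

```javascript
// Added example: decide what to do when the page finds itself inside a frame.
// Pass the real `window` in a browser; `win` is any window-like object.
function bustFrame(win) {
  // Top-level page: the outermost window is this window, nothing to do.
  if (win.top === win.self) {
    return "not-framed";
  }
  try {
    // Framed: point the outermost window at this page's own URL,
    // which unwraps the page from the iframe.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (err) {
    // The framing page may block top-level navigation (e.g. a sandboxed
    // iframe). Hide the page so its buttons cannot be clicked while framed.
    win.document.documentElement.style.display = "none";
    return "hidden";
  }
}

// Constructed stand-in for a browser window (hypothetical helper, sample data).
function makeFakeWindow(framed, navBlocked) {
  const win = {
    location: { href: "https://example.test/page" },
    document: { documentElement: { style: { display: "" } } },
  };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, "location", {
    set(url) {
      if (navBlocked) throw new Error("top navigation blocked");
      this.navigatedTo = url;
    },
  });
  win.top = top;
  return win;
}

// In a browser, run the check at the top of every page.
if (typeof window !== "undefined") {
  bustFrame(window);
}
```

The `hidden` branch covers one case behind the point that frame-busting will not stop every attack: when the redirect is refused, the page at least stops rendering clickable controls.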
Kirk
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.