Monday 14 May 2012

Tweet Attacks | Don't Be Phished By Tweet: 'Hey Some Person Is Saying Horrible Things About You'

Does reputation matter to you? Are you concerned what people say about you when you're not around? Perhaps you want to know what crap anonymous commenters post about you across the InterWebs? If the answer is "Yes" to any of these, you might be vulnerable to this tweet: "Hey some person is saying horrible things about you". Resist the temptation.

I got this one Monday and again yesterday. I started to ignore the tweet, but it came as a direct message. So I clicked the shortened link, which brought me to the Twitter home page, with a message that log-in failed. Immediately I panicked, intuiting this was likely a phishing scam. Sure enough, Chrome revealed the fake URL and I backed off. But some other people haven't been so lucky, as Gartner analyst Mark McDonald confesses today. In reading his post, I realized it would be a public service to share a bit about his experience and to warn others.

Most successful phishing attacks are socially engineered. Like an old-time grifter, the phisher tricks you into willingly acting on his or her behalf. You give your trust in the belief that there will be a benefit or some other gain. Here, the lure is compelling. Who really wouldn't want to know that "some person is saying horrible things about you"? Phishing exploits like this one abuse your trust in someone else. The two direct messages I received came from a George Washington University student; we're mutual followers, so the tweet seemed believable enough.

Something else: URL shortening masks the link's true destination. Matters could have been worse, such as a drive-by Trojan planted simply by visiting the fake, poisoned website. URL shortening is convenient for keeping to Twitter's 140-character limit, but it's a security liability long overdue for massive exploit. This new attack isn't the first, but surely someone someday will unleash a far-reaching Twitter phishing exploit using URL shortening to mask the destination.
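The check that saved me above was looking at the real URL before logging in. A shortened link can be expanded the same way without ever loading the landing page: issue HEAD requests, refuse to auto-follow redirects, and inspect each hop. The script below is an added example written for this post, not code from the original article or from Twitter; the domains in its sample redirect table (short.example, twitter.com.login-check.example) are constructed placeholders, not sites from the actual attack. It also shows why a substring test on the host name is the wrong way to decide whether you have reached the real site.

```python
"""Expand a shortened link one hop at a time and check where it really lands.
Added example for this post, not code from the original article. The network
hop uses HEAD requests and refuses to auto-follow redirects, so every
intermediate URL is visible before any page body is fetched."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_hop(url, timeout=5):
    """One HEAD request; returns (status, Location header or None). Never follows."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A 3xx lands here because we refused to follow it; keep its Location.
        return err.code, err.headers.get("Location")


def expand(url, hop=head_hop, max_hops=10):
    """Follow redirects manually; returns every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = hop(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def same_site(hostname, expected):
    """True only if hostname is exactly `expected` or a subdomain of it."""
    h = (hostname or "").lower().rstrip(".")
    e = expected.lower().rstrip(".")
    return h == e or h.endswith("." + e)


def naive_check(url, expected):
    """The tempting, wrong test: a substring match on the host."""
    return expected in (urlparse(url).hostname or "")


def check_link(url, expected_site, hop=head_hop):
    """Expand `url` and report whether its final host belongs to `expected_site`."""
    chain = expand(url, hop=hop)
    final = urlparse(chain[-1])
    return {
        "chain": chain,
        "final_host": final.hostname,
        "https": final.scheme == "https",
        "ok": same_site(final.hostname, expected_site),
    }


# Constructed sample redirect table so the example runs offline. The domains are
# placeholders (short.example, twitter.com.login-check.example), not real sites
# from the attack described in the post.
SAMPLE_HOPS = {
    "http://short.example/bait": (301, "http://short.example/r/2"),
    "http://short.example/r/2": (302, "http://twitter.com.login-check.example/"),
    "http://twitter.com.login-check.example/": (200, None),
    "http://short.example/ok": (301, "https://twitter.com/login"),
    "https://twitter.com/login": (302, "/home"),
    "https://twitter.com/home": (200, None),
}


def sample_hop(url):
    """Stand-in for head_hop that answers from SAMPLE_HOPS (no network)."""
    return SAMPLE_HOPS[url]


if __name__ == "__main__":
    for link in ("http://short.example/bait", "http://short.example/ok"):
        print(check_link(link, "twitter.com", hop=sample_hop))
```

Run it against a live link by calling `check_link(url, "twitter.com")` with the default `head_hop`; the sample table is only there so the script runs offline. Note that `naive_check` happily accepts the lookalike host because "twitter.com" appears inside it, which is exactly how a phishing domain is chosen; `same_site` compares the registrable domain boundary instead.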

What happened to McDonald could happen to you, if it hasn't already. Once he reached the fake site and found himself logged out, he braved ahead:

That should have sent off warning lights as I was already logged into Twitter and the log-in screen I was taken to was a different color than traditional Twitter blue. In the desire to find out what others were saying, I barreled ahead and proved that I was really a bit of a twit, in the UK term of less than normally intelligent person. The hook was set, the virus spread and I was there dangling at the end of the line.

McDonald essentially gave up his Twitter log-in credentials, which were exploited with some cunning, and quite differently from email viruses that spread by spamming everyone in the address book:

The virus sent a few messages to a few people out of my Twitter account. The virus sent a similar direct Twitter message to about a dozen people from my follower list. The people selected were randomly distributed and it appeared to be just a few people. This spread the virus through a network of loose and more casual connections rather than processing a list of people...The viral messages did not start right away...Delay not only allowed incubation, but it inoculated itself against instant recognition.

Two hours passed before he realized what happened: "It was only when I saw a tweet saying that I lost 20 lbs by using acai berries that I knew something was up. I hate acai berries".

I received the second tweet from the same person about 12 hours ago, which means that as late as last night he didn't know about the account hack. I'll direct message him a link to this story as soon as it posts.

How can you easily tell if your account is compromised? Check your sent direct messages, and your own timeline, for anything you didn't write.

Photo Credit: Ivelin Radkov / Shutterstock
