Posts Tagged ‘twitter’

How Twitter Is Helping Fight Spam

Thursday, October 22nd, 2009

Twitter has become a great way for friends and family to keep in touch throughout the day.  It’s become so popular that even celebrities provide daily updates so that they can keep track of each other and connect with their fans.

As is the case with many social networking sites, predators have been trying to capitalize on the weaknesses associated with using Twitter. Whether someone has created an account for the sole purpose of befriending potential identity theft victims or the profile just pumps out spam, not everything on the popular site is as it seems (read about how scammers are abusing Twitter).

Twitter has decided to take action by adding a “report as spam” feature which can be found under the “Actions” section of a profile’s sidebar.

Once a user has been reported, Twitter’s Trust and Safety team investigates the situation and makes decisions regarding what action, if any, should be taken.  Users who click the “report as spam” button will automatically have the profile blocked from following or replying to them.

I think this is a step in the right direction and, hopefully, will help deter spammers and scammers from using Twitter as a way of hurting others.  It’s important since cybercrime on social networking sites is on the rise.

How Scammers Are Abusing Twitter

Thursday, October 1st, 2009

Earlier this month we talked about “scareware”. One such attack was recently perpetrated through the popular social networking site Twitter. In fact, this week I have witnessed several different phishing schemes on Twitter.

1. Scareware Scam: Scammers were found to be using machine-generated Twitter accounts to post messages about popular topics. Each of these messages would include a link, often disguised using a link-shortening service (making it difficult to know where the link would lead). The link would lead to servers hosting fake Windows antivirus software.

2. DMs that Steal Logins: This second scam would use hacked accounts to send direct messages (DMs) to users. Clicking the link in the scam would take you to a fake login page in a ploy to steal your login information. This scam would then propagate to all the friends of the compromised account. Receiving direct messages with links from “friends” increases the likelihood these links will be clicked.

3. Baiting Users: I have witnessed attempts by several auto-generated accounts to bait particular users. To do so, they will accuse the user of something, such as a political stance, in repeated @ messages. This will be retweeted or continued by a whole series of other accounts. In all cases, the accounts will have other “real” looking tweets with links in them, trying to bait you to check the account and click the links.

In reference to the second scam, I know of individuals who had their accounts breached without handing over their passwords, so it’s imperative that anyone who has received direct messages with links not click those links. If you do, change your password right away and contact Twitter support to report the issue.

I myself have been baited by many of these schemes, but I never click the links. Here, for example, is one a “friend” sent me yesterday:

[Image: Picture 1.png]

If you are unsure about a particular link, don’t click it. If it is a shortened URL, you can see what it leads to with a service such as LongURL. If you use Firefox and want added protection from cross-site scripting attacks, you can install the NoScript plugin.

Via Mashable, Computerworld

Twitter Faces Security Challenges

Monday, January 12th, 2009

Following the publicized hacks of ‘big’ accounts (Britney Spears, Barack Obama, Fox News) on the social networking site Twitter, Sophos is calling on Twitter to enforce stronger password security (though, really, every company should enforce strong password standards of its users).

An 18-year-old with a history of celebrity pranks has admitted to hacking several high-profile Twitter accounts. The hacker, GMZ, says he was able to use an automated password-guesser to do a “brute force” attack to guess the password of a Twitter user. Since Twitter allowed an unlimited number of login attempts (a poor security tactic), the hack was easy. The password of one account was as simple as “happiness”, a very insecure password.
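The missing control described above, limiting login attempts, can be sketched as follows. This is an added example, not Twitter's code: the thresholds, the `staffer` account name and the sample password list are assumptions chosen for illustration.

```python
import time

MAX_FREE_FAILURES = 5   # assumed policy: failures tolerated before delays start
BASE_DELAY = 30         # seconds; doubles with every further failure
MAX_DELAY = 3600
COMMON_PASSWORDS = {"happiness", "password", "123456", "qwerty"}  # constructed sample

class LoginThrottle:
    """Per-account failure counter with an exponentially growing lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # user -> (consecutive failures, locked-until time)

    def allowed(self, user):
        return self.clock() >= self.state.get(user, (0, 0.0))[1]

    def record(self, user, success):
        """Update the counter; return the lockout (seconds) now in force."""
        if success:
            self.state.pop(user, None)
            return 0
        failures = self.state.get(user, (0, 0.0))[0] + 1
        over = failures - MAX_FREE_FAILURES
        delay = min(BASE_DELAY * 2 ** (over - 1), MAX_DELAY) if over > 0 else 0
        self.state[user] = (failures, self.clock() + delay)
        return delay

def login(throttle, accounts, user, password):
    """Return 'locked', 'ok' or 'denied'; a locked account never has the password checked."""
    if not throttle.allowed(user):
        return "locked"
    # Plaintext comparison keeps the demo short; real systems compare password hashes.
    ok = accounts.get(user) == password
    throttle.record(user, ok)
    return "ok" if ok else "denied"

def acceptable_password(password, min_len=10):
    """Signup-side check: reject short passwords and known-common ones."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS

def evaluated_guesses(wordlist, real_password, clock=lambda: 0.0):
    """Replay a guess list against one account with the clock frozen; count checks performed."""
    throttle, accounts = LoginThrottle(clock), {"staffer": real_password}
    results = [login(throttle, accounts, "staffer", g) for g in wordlist]
    return sum(r != "locked" for r in results), "ok" in results
```

Because a per-account lockout can also be triggered on purpose to keep the real owner out, deployments usually pair it with per-source limits and use growing delays like these rather than a permanent lock.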

Although he didn’t realize it at first, he’d hacked into a Twitter staffer’s account, and that opened up the ability to reset the password on any Twitter account. For fun, he asked other hackers if they wanted access to any Twitter account and posted a video he made of his hack.

GMZ then filled requests to access several high-profile accounts, including Barack Obama’s account and Britney Spears’ account. Those accounts were then hijacked and used to send fake messages, as demonstrated here. GMZ was in Twitter for a couple of hours before his access was blocked by Twitter.

Twitter says they are doing a full security review and are already at work to strengthen the sign-in process. This security issue came immediately on the heels of a Twitter phishing scam.

This piece of news has prompted Bruce Schneier to write a great article reminding us that technology is only part of the solution to security issues. The article talks mostly about the threats of impersonation, not web security, but it’s a great read.

BTW, if you are a Twitter user, you can follow Absolute Software news at: twitter.com/absolutecorp.
