The Spam Diaries

News and musings about the fight against spam.
by Edward Falk

Sunday, January 04, 2009

Phishing attacks reach Twitter
Social networking site Twitter is experiencing a bad round of phishing, prompting admins there to publish a warning online.

How it works:

In short, spammers get your Twitter ID in any one of a number of ways, and send you a direct message — which Twitter forwards to you via email — or perhaps simply send you an email constructed to look like it came from Twitter.

The email is a typical phishing email which invites you to log onto Twitter and directs you to a Twitter look-alike web site (e.g. twitter.access-login.com, which is a subdomain of access-login.com, not of twitter.com) which then steals your Twitter login and password.

Your Twitter account is then used to send more phishing direct messages to all of your contacts, and the process continues.

One more complication: Normally, direct messages can only be sent between accounts which have mutually followed each other. In other words, before the phisher can send you a direct message, they somehow have to get you to follow them back on Twitter.

One way this is accomplished is by simply following you and hoping you'll blindly follow them back. Yet another way is by exploiting various "auto-follow" systems. The way auto-follow works is that you can contact the Twitter support team and ask that auto-follow be enabled for your account. Then, anytime someone follows you, you wind up following them back — and becoming a target for phishing messages — without having taken any positive steps to do so. There are also third-party services such as Tweet Later which provide auto-following as a sideline tool.

It's not yet known what the goal of the phishers is. It could all just be a juvenile prank, or perhaps the phishers are waiting until they've compromised enough accounts before they start swamping Twitter with advertisements.

What you can do: First and foremost, never enter your login information into a web page which you reached by clicking a link in an email. Or if you must, double and triple-check the URL in the browser to make sure that it's really the web site you think it is.

Never be fooled into thinking that your favorite web site has inexplicably set up a different domain name to handle logins (it's actually harder to do it that way, not easier, because of the way cookies work: a cookie is only sent back to the domain that set it and its subdomains, so a login page on some other domain can't create a session on the real site.)

In fact, it's best to type in the domain name yourself, or use a bookmark you've previously created, rather than trust any URL you saw in an email.
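The "double and triple-check the URL" advice above is easy to get wrong by eye, because the look-alike host in this post (twitter.access-login.com) contains the real site's name. The following is an added example, not code from the post or from Twitter, showing how a browser actually decides which site a URL belongs to: it keeps only the hostname (dropping any user@ prefix, port and path) and compares it label by label against a list of trusted hosts, which is a constructed list here. The same label-wise rule is what browsers apply when deciding whether to send a cookie, which is why the cookie point in the post holds.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts the reader actually means to log in to.
TRUSTED_LOGIN_HOSTS = ("twitter.com",)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a web URL.

    urlsplit().hostname discards the scheme, any user:pass@ prefix, the port and
    the path, so only the machine the browser will connect to remains.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable web URL: {url!r}")
    return parts.hostname.rstrip(".")


def same_site(host: str, trusted: str) -> bool:
    """True if host is the trusted host itself or one of its subdomains.

    The comparison is on whole labels ("." + trusted), not on substrings, so
    'twitter.access-login.com' does not match 'twitter.com'.
    """
    return host == trusted or host.endswith("." + trusted)


def is_trusted_login_page(url: str, trusted=TRUSTED_LOGIN_HOSTS) -> bool:
    """Would a careful check of the address bar pass for this URL?"""
    try:
        host = host_of(url)
    except ValueError:
        return False
    return any(same_site(host, t) for t in trusted)


def cookie_sent_to(cookie_domain: str, request_host: str) -> bool:
    """Domain matching as browsers apply it to cookies (RFC 6265 section 5.1.3).

    A cookie set for twitter.com is only sent to twitter.com and its
    subdomains, so a login form on another domain cannot create a session
    on the real site.
    """
    cookie_domain = cookie_domain.lstrip(".").lower()
    return same_site(request_host.lower(), cookie_domain)


if __name__ == "__main__":
    # Constructed sample links, including the look-alike domain named in the post.
    for link in [
        "https://twitter.com/login",
        "https://www.twitter.com/login",
        "http://twitter.access-login.com/login",
        "http://twitter.com.access-login.com/login",
        "http://twitter.com@access-login.com/login",
        "https://TWITTER.COM:443/login",
    ]:
        verdict = "OK     " if is_trusted_login_page(link) else "SUSPECT"
        print(f"{verdict}  {link}")
```

Note that `is_trusted_login_page` rejects the `user@host` form and the "real name as a subdomain of the wrong site" form just as a browser would, and that the check is on the host alone: a convincing path such as `/login` adds nothing to a URL's trustworthiness.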

Update: Computerworld has an article as well: Twitter phishing scams: Not so tweet. It discusses more possible motivations for the phishers and has more details on how the phish works.

Also, one commenter made a point which is very significant: Even if your Twitter login isn't very valuable on Twitter, many people use the same credentials on a variety of sites. You might want to consider a policy of using different passwords on different sites.