By now you should have heard about the latest phishing attack to hit Twitter.
On the 3rd Jan I received 2 suspicious direct messages through Twitter. On the 4th Jan I received at least 8 bogus direct messages and a couple of them were from accounts that I know are owned by genuine users of Twitter.
So this post is part of our contribution to stamping out this attack before it spreads through Twitter like a disease.
The Problem
You receive a direct message from someone that you follow on Twitter. It says something rather innocent and intriguing such as:
“Check out this blog type website. you need to see it..” and
“hey look at this funny blog”
There may be other variants, but you get the idea. I have removed the links, but anything on the access-logins.com domain should be avoided. Bear in mind that the visible text of a link need not show the domain you will actually be sent to.
When you click the link you arrive at what looks like the main Twitter login page. Only it’s not genuine, it’s a cloned site. And if you use this cloned site to enter your login details, your username and password will be recorded and used to access your account.
This could be devastating for both the Twitter network and legitimate users, especially if you use Twitter for business or professional purposes. It can take months or even years to build a good reputation online. If people have access to your Twitter account and start posting unauthorized messages, your reputation can be severely damaged within minutes.
To make sure that you don’t get caught by this trap or others, the best policy is to make sure that you don’t log in to Twitter when you arrive at the site through a link in a message. Open a new browser window, type in the address http://twitter.com yourself and check that the address bar still shows twitter.com before you enter your password.
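The check above can be automated for links that arrive in direct messages. The following is an added example (not code from the original post or from Twitter) that parses each link and classifies it purely on the host the browser would actually connect to, which defeats the usual tricks of putting “twitter.com” in the userinfo, subdomain or path of a URL on another domain. The only phishing domain it knows is the one named in this post; the list of legitimate login hosts and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve the Twitter login page.
# Assumption for this example: the bare domain and its www subdomain.
LEGIT_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}

# Domain named in the post as hosting the cloned login page.
KNOWN_PHISHING_DOMAINS = {"access-logins.com"}

# Crude URL finder: scheme-prefixed links or bare www. links, up to whitespace.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def link_host(url: str):
    """Return the host a browser would connect to for url, or None if it is
    not an http(s) link (javascript:, data: and similar are rejected)."""
    parts = urlsplit(url.strip())
    if not parts.scheme:
        # bare 'www.example/...' style link: treat it as http
        parts = urlsplit("http://" + url.strip())
    elif parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # userinfo ('twitter.com@') and port are stripped here
    if not host:
        return None
    return host.lower().rstrip(".")


def classify_link(url: str) -> str:
    """Classify a link as 'legit', 'phish' or 'suspicious'.

    Decisions use only the parsed host, never the way the URL looks, because
    the common lures all contain the brand name somewhere else:
      userinfo   http://twitter.com@access-logins.com/
      subdomain  http://twitter.com.access-logins.com/
      path       http://access-logins.com/twitter.com/login
    """
    host = link_host(url)
    if host is None:
        return "suspicious"
    if host in LEGIT_LOGIN_HOSTS:
        return "legit"
    for bad in KNOWN_PHISHING_DOMAINS:
        if host == bad or host.endswith("." + bad):
            return "phish"
    # Not a known-bad domain, but not the real site either: never log in there.
    return "suspicious"


def scan_message(text: str):
    """Return [(url, verdict), ...] for every link found in a DM."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop trailing punctuation from the lure text
        results.append((url, classify_link(url)))
    return results


# Constructed sample DMs modelled on the lures quoted in the post; the links
# are illustrative, not real messages.
SAMPLE_DMS = [
    "Check out this blog type website. you need to see it.. http://access-logins.com/twitter/",
    "hey look at this funny blog http://twitter.com.access-logins.com/login",
    "thanks for the follow! http://twitter.com@access-logins.com/",
    "new post is up: https://twitter.com/login",
]

if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        for url, verdict in scan_message(dm):
            print(f"{verdict:<10} {url}")
```

The point of routing everything through `urlsplit().hostname` is that it is the same decomposition the browser performs: whatever the string looks like, only the host decides where the credentials go. Anything that is merely “not known bad” is still reported as suspicious, because the only safe place to type a Twitter password is the real Twitter host.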
The Reason
Why is this happening? Who knows! It could be people who are bored, jealous of Twitter’s success or even training for a career in cyber crime. But the most likely explanation is money. Phishers do what they do to make money. So how can they possibly hope to make money from a series of stolen Twitter accounts?
Off the top of my head, I can think of four potential methods:
a. Twitter Spam
They plan to build up as many compromised accounts as possible, then flood them with spam (either promoting affiliate products/services or selling the spam potential to a third party) to make a quick buck.
In this case, established Twitter accounts are far more valuable than recently created accounts as they are far less likely to trigger the anti-spam techniques that Twitter are likely to be using.
b. Twitter Account Ransom
They plan to demand a ransom from legitimate account holders who have built up a fair bit of social value and reputation using their Twitter account. Let’s face it, some legitimate account holders could find it difficult and/or time consuming to prove that they are the real owner of their Twitter account. Could you prove that you own your Twitter account?
c. Selling Twitter Accounts
They plan to sell some of the hijacked accounts, especially the well established accounts with generic names. So if you’re offered a Twitter account with 3000 followers for $50, don’t have anything to do with it. Better still, take the details and pass them on to the team at Twitter.
d. The Long Game
They plan to use the reputation and integrity of Twitter to launch an even bigger assault on the social networking community. So take extra care of the way that you use your other social accounts and keep an eye out for news of the latest scams.
The Danger
The great danger is the speed at which this attack could spread. Every compromised account gives the phishers another trusted sender from which to distribute messages containing links to the cloned Twitter site.
Unfortunately, that’s the negative side of viral marketing.
The danger gets even greater if some people have used the same username and password when they signed up for other Twitter-related services.
After hacking someone’s Twitter account, the phishers could have speculatively tried a whole range of third party services (such as the services which provide automated or scheduled direct messages) and used them to perpetuate the attack.
So your main Twitter account might look okay, but your automated direct messages will continue going out to your new followers, spreading the dangerous links, without you knowing anything about it.
The Solution
1. Check Your Twitter Account
If you can still log in, change your password straight away. It’s good practice to change your Twitter password on a regular basis, and certainly whenever you suspect it has been exposed.
If you can’t access your Twitter account, try resetting your password. This will send an email to the address associated with your account, allowing you to set a new password. If you don’t receive this email, check your spam or junk folder. And finally, if you still haven’t received this email, contact the Twitter support team, providing them with as much information about your account as possible.
2. Use Different Passwords For All Your Twitter Related Accounts
If you use any Twitter related third party service that allows you to set your own username and password, make sure that you don’t use the same details as for your main Twitter account.
If you have been using the same login details for other accounts, make sure you change the passwords to something different as soon as possible. And if the service in question was for sending scheduled or automated Twitter messages, check that no messages have been added or altered in that account.
3. Keep your Twitter Password Private
This might sound obvious, but due to the number of third party Twitter services that have developed, there’s a great temptation to use your Twitter username and password “just to see what the service does”.
Blogger Chris Pirillo, who was one of the first people to write about this Twitter Phishing incident has suggested that the only way to avoid being a victim is to make sure that you don’t login to your Twitter account using any other site apart from Twitter.com
This is good advice which will further amplify calls for an official verification system (so that you know you’re giving your login details to the right people) to be developed for services using the Twitter API.
4. Make Regular Backups Of Your Twitter Account
If you use Twitter regularly and have invested a lot of time building up your account, it’s important to backup your data.
But following the advice from number 3, don’t use any of the third-party services for this (at least until a system of account verification has been developed).
There is a way that you can use the Twitter API to backup your lists (both followers and the people that you follow) that I’ll cover in a future post.
These backups will help to protect your information if Twitter has a major loss of data. The big fail whale has happened before as far as I’m aware.
A record of your lists will also help you to rebuild a new Twitter account in the unlikely event that your account is hacked and you can’t convince Twitter that you are the original and rightful owner.
5. Let Your Followers Know About This Problem
Education can help to put a stop to this. And Twitter is the perfect platform to spread the word about this threat. So once you’ve made sure that your account is secure, send a short tweet out to your followers.
Safe Tweeting!