Another round of spam phishing hits Twitter

Twitter has become one of the prime targets for phishing and spam attacks, due to both its huge growth in user numbers and the ease with which messages can spread (partly due to the inherent weakness of using short urls).

The latest example is the BZPharma ‘LOL this is funny’ attack, as detailed by security firm Sophos. Messages include ‘Lol. this is me??’, ‘lol , this is funny’ and ‘Lol. this you??’, and include a link which looks like ‘http://example.com/?rid=http://twitter.verify.bzpharma.net/login’, with the example.com element varying between a number of addresses.
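As an added example (not from the original post or from Sophos), here is a small Python check for links of the shape above: it pulls out any URL embedded in a query parameter, as bzpharma hid its fake login page behind example.com, and flags hostnames that mention a brand without belonging to that brand. The brand-to-domain table and the two-label domain rule are simplifying assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Brands to look for and the domains that legitimately own them.
# Assumed for this example; a real deployment would maintain its own list.
BRAND_DOMAINS = {"twitter": {"twitter.com"}, "bebo": {"bebo.com"}}


def registrable_domain(host):
    """Naively treat the last two labels as the registrable domain.
    Production code would consult the Public Suffix List; two labels
    are enough to show the idea on .com/.net hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_urls(url):
    """Yield the URL itself plus any URL carried in a query parameter value,
    recursing so that nested redirect chains are all inspected."""
    yield url
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.startswith(("http://", "https://")):
            yield from embedded_urls(value)


def lookalike_hosts(url):
    """Return every hostname in the link (outer or embedded) that names a
    brand but whose registrable domain is not owned by that brand."""
    suspicious = []
    for candidate in embedded_urls(url):
        host = urlsplit(candidate).hostname
        if not host:
            continue
        for brand, owners in BRAND_DOMAINS.items():
            if brand in host and registrable_domain(host) not in owners:
                suspicious.append(host)
                break
    return suspicious


if __name__ == "__main__":
    # The link pattern quoted in the post (example.com stands in for the
    # varying first hop), alongside the genuine login page for contrast.
    for link in ("http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
                 "https://twitter.com/login"):
        print(link, "->", lookalike_hosts(link) or "no lookalike hosts")
```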

There’s a handy Youtube video with details of the problem. Links are appearing in both private Direct Messages, and in public feeds – plus some third party services allow DMs to be made public, sharing the phishing attack more widely.

Click on the dodgy link and you’ll go to a fake Twitter login page, which replicates the Fail Whale when you attempt to log in, and then redirects you back to the real Twitter page to make you believe your account hasn’t been hit. The same technique is also being used to phish Bebo accounts.

And after the first wave of attacks compromised accounts, there’s now a wave of spam selling herbal viagra, with messages including “Get bigger and have sex longer. go here”.

So besides double-checking you’re on the real Twitter site before logging in, keep an eye on your sent messages for any clue your account has been compromised, and also watch out for messages being sent by even trusted friends.

You can also take a look at the full Sophos update on the attack.

New Twitter spam attack

Just picked up on a warning via Mashable that 1000s of Twitter profiles appear to have been compromised in the latest attack of spam messages on the microblogging platform.

The attacks seem to be producing waves of spam messages, with hundreds of tweets, and then stopping for a while before starting again. The cause hasn’t been identified and the Twitter team have been informed.

Luckily in this case, the url in question hasn’t been masked with a shortening service, so don’t go to high-profits.org unless you fancy risking your account.

If your account has been compromised, change your password immediately etc…

And finally, think about how you might be affected – is the risk of spam and phishing scams a natural balance to adding 1000s of follows and followers that you don’t know, in order to boost your popularity?

Do you RT without checking links first? Click on links from people you haven’t established any reputation with?

I’m not saying close contacts can’t make a mistake and have their account hacked or phished – it’s happened to several friends with online email accounts – but common sense and building trusted relationships will definitely lessen the odds of you being affected…

Twitter being used to distribute Malware and DoS attacks

Sadly it’s no surprise that the ‘Trending Topics’ ranking on Twitter is being used by both spammers and distributors of Malware. Or for instigating DoS attacks:

Malware:

Malware is the catch-all term for software referred to in the mainstream press as ‘viruses’ – technically a virus is a type of Malware.

Luckily the methods being used aren’t particularly sophisticated yet – the scammers are creating fake Twitter accounts to post with #hashtags for trending topics and links to sites which contain the malicious software or scams.

Mashable reports that the most common links at the moment are “Twitterbest (dot) mp” and “Zasaden (dot) mp”. An added sign is that in this case, the url also tends to contain a pornographic term.

The alert from Mashable came via Panda Security who explain that the fake accounts link to a page that prompts you to ‘upgrade your Flash player’ or similar. If you agree to download software, it installs itself, and you’ll get error messages warning you of a virus and that you need to pay $89 for fake software called “Fast Anti-Virus 2009”.

The best tip is to avoid links that look suspicious, or are posted by people you don’t know. And if you do think you need to download a software update, go to the site of the company concerned, rather than installing via a random 3rd party site.

DoS:

The New York Times is reporting that Twitter is being used to instigate Denial of Service attacks against key government officials in Iran:

‘But a still developing and less benign use of Twitter in Iran has been its application in denial-of-service attacks against key government officials, including those affiliated with President Mahmoud Ahmedinejad.

… Tweets have begun circulating that allow users to target a Web site that will eventually be overcome by simply clicking on the embedded URL in the message. As soon as a user hits the page, as many as 24 frames open up simultaneously and refresh continuously, causing a DoS attack against the 24 separate Web sites.’

Twitter phishing attack – the implications

Twitter has been hit by the first major effort to ‘phish’ account details and spam users with links to a fake login page via Direct Messages from compromised accounts.

The Twitter team has responded with a warning on the main web access page, and a warning on the Twitter blog. You can see the uproar it’s causing on Twitter via Twitter Search.

Currently the DMs are enticing people with:

  • Here’s a funny blog about you
  • Your picture is on this blog
  • You’ve won a free iphone

Luckily the phishers are at least sticking to the grand tradition of email spamming: either enticing you with a blatantly ‘too good to be true’ offer or with something personal, and with the link to the fake Twitter log-in page displayed in full, so hopefully the word has spread to most people.

However, this is likely to be just the start. As Pete Cashmore pointed out at Mashable, this is a sign Twitter has reached a big enough size to be a viable target for scams – a positive sign for Twitter’s growth perhaps, but also a sign that the scammers and spammers are coming, with pretty big implications for Twitter users.

Shortened urls:

For starters, we were all lucky in some ways that the bloggers obviously aren’t familiar with Twitter culture, and were displaying the full url of the fake website, meaning that even if the DM came from someone we absolutely trusted, we had a warning before clicking.

But given that the character limit of Twitter means that shortened urls are the norm, it will be almost impossible to detect whether a link is likely to be fake before at least visiting it – meaning an urgent need for preview functionality of shortened urls at the bare minimum.

Warning systems:

A lot of Twitter users picked up on the scam emails via friends, and stayed up to date with information via the #phishing hash tag etc – Twitter responded promptly with a warning on the website and blog. But what about the many, many people using a client to access Twitter and their Direct Messages? And those using mobiles to access the service?

Will everyone get a warning via each client and application? Unlikely at the moment, unless there is a type of ‘emergency signal’ which could be broadcast across all clients and apps.

Verified App Store:

Which brings me to the next possible implication – a few people have suggested that the fake log-in page is in fact working as a Twitter application to utilise the stolen accounts and passwords.

It’s long been a matter of contention for users and app developers that any 3rd party application which requires a certain level of functionality has to ask for usernames and passwords – but now the 3rd party developers could be hit by a huge loss of trust from users.

So could this be an opportunity for a verified and approved Twitter application resource? Possibly monetised by charging a fee for consumers (unlikely), or for developers to have their application tested and approved (more likely)?

This could have implications for the speed and number of Twitter applications and clients being produced, and also move such development away from bedroom coders, depending on the fees for such services.

It certainly means that there could be a move for more users to utilise more than one Twitter account to allow them to test applications and clients etc without compromising their main account.

So what other implications do you think the arrival of large scale phishing attacks could have on Twitter – and what suggestions do you have for other Tweeple – and Twitter itself, to try to minimise the damage of future attacks?