A few weeks ago I got an email from a colleague stating that he believed his Twitter account had been hacked into because of a suspicious direct message that was sent to all of his followers, me included. Since then I’ve gotten other random direct messages. But in the last two days both the IPWatchdog and IPWatchdog_too Twitter accounts were hacked into as well. I assure you that we are not sending direct messages from our Twitter accounts. Nevertheless, I decided to search “Twitter accounts hacked” and there is a Plethora of Twitter Users who have tweeted their warnings to others.
What strikes me as odd about this whole situation is that it is not your usual phishing scam where typically users are tricked into revealing personal or confidential information which the scammer can use illicitly. In fact, according to CNet writer Elinor Mills, Twitter representatives are stating that this situation is not actually a phishing scam because the site, to which the spam links to is not asking for usernames and passwords, does not look like Twitter pages nor do they claim to be twitter pages.
What also makes this a little different is that phishing and account hijacking attempt on Twitter is primarily affecting Direct Messages sent between users rather than being posted on their twitter account for all to see. Are you following President Obama, Mary J Blige, and Kenny Chesney, Miley Cyrus or your state senator? Don’t be surprised if your favorite celebrity sends you a “direct messages,” which says: “hi. this works. i feel better and look great. http://bdgdfij.info.” Look familiar? If you’re on Twitter, you’ve probably already gotten one like this. Everyone can fall prey to this phishing scam. In fact two prominent Republican officials and all of their followers have been recently affected.
This phishing scam is different than may others we’ve seen. Some of the direct messages ask the sender to click on a particular link to “see if your score is higher than mine,” for example. And given that so often our friends and family forward onto us the exact same type of email through our regular email chains, we are more likely to fall prey to such a scam. The scam site you are sent to is not what they are claiming to be but could be one that asks the user for his or her Twitter password and log-in information.
But why Twitter? There’s nothing personal stored on that account. However, according to MSNBC, “It’s not so much that a crook wants to read why you’ve written on Twitter, or start posting your tweets. Rather, criminals are looking to see if your account information is the same for other accounts, including those for banks, where the reward for such phishing is more lucrative.”
Essentially what it sounds like is that by getting you to sign into your twitter account, the scammers are able to look for patterns between the accounts you sign into using a form of spyware. If you use the same or similar passwords on websites of different kinds, chances are you are using the same or similar login for all of your accounts.
Scammers know that Twitter was one of the fastest growing social networking sites going far beyond the use of just family and friends staying in touch. Most businesses; large and small, politicians, artists, news media outlets, professional sporting teams and the like now have their own twitter accounts. In fact, Nielsen Online said that Twitter’s “footprint has expanded impressively in the first half of 2009, reaching 10.7 percent of all active Internet users in June.” However, Twitter has seemingly flat-lined in Unique Visitors over the last four months and is dropping in the number of hits it gets each month. I can’t help but wonder whether the stagnant growth is due to lax security and Twitter inaction has become their own worst enemy.
Perhaps these phishing scams can account for much of this plateau affect. In fact some think that Twitter is so simple to hack into that you can find instructions on how to do it online. In an article on HomeBiss.blogspot.com you can find instructions on “How to Hack Twitter” who they describe as probably being the most unsecure micro-blogging platform in the World Wide Web today.
So what do you do if your account has been hacked into? There are several basic things you can do, the most obvious of which is to not share your user name and password, and that goes beyond “Hey Bob, my user name and password is….” Writing them down, emailing them, instant messaging them, text messaging them and saving them in a regular word document on your computer are all ways that you can be vulnerable.
The second thing you can do is to go into your Internet Browser and clear out your Cache, defined as a computer memory with very short access time used for storage of frequently or recently used instructions or data. Delete your temporary files, browsing history, cookies, saved passwords and web form information. I know it’s a pain to have to retype our user name and passwords, but the fact that this information is stored on our computers, makes it so much easier for the criminals to look for patterns and steal our identities.
In addition, you can use different user names and passwords for each log in and change them often. If you’re like me you can’t remember all of your user names and passwords as it, let along if you have to change them. But there are many Password managing programs that can be used to store all of your passwords. One such program, used by several of my colleagues is Keepass which is encrypted with the AES or Twofish algorithm, endorsed by CNet and it rated 4 out of 5 stars. Of course, keep in mind however, that before ever using software that you find on the World Wide Web you should do your home work first. Downloads.com (by CNet) is an excellent place to try out software because they test all downloads to make sure they are free of spyware, viruses and other malware.
If you go to the twitter help section and look for “account hacked”, they give you suggestions about what you can do if your account has been compromised. Hopefully they will get this issue fixed because the site has great potential!
Join the Discussion
3 comments so far.
Toby GalinoNovember 23, 2009 12:21 pm
More sites should implement two factor authentication to sign in then these types of phishing hacks would be useless. Working for VeriSign I hear some horrific stories and VIP tokens are particularly relevant in light of the recent Twitter, Hotmail, & etc credential leaks. I am using 2F in a variety of places already, like eBay and PayPal, My accounts have been attacked on both so those sites were my first stop to register.
Roland JensenNovember 19, 2009 10:49 am
Nice one! One of the factors that social media accounts are easily hacked because passwords are usually the same for all their other accounts or email. Some are so simple as their birthday, wedding anniversary, or words that have significance or have direct representation to them. It would be better if passwords would be a mix of letters and numbers and different for each account to avoid phishers and hackers.
Mike D.November 13, 2009 11:51 am
For a related social-networking issue/threat, consider reading the following piece from TechCrunch. You think FarmVille is harmless? So did I.