Monday, January 5, 2009

Phishing scam spreading on Twitter

I don't Tweet. Not sure about you, but the answer to "What Are You Doing?" is usually boring, private, or working. I will probably cave in once Twitter hits the tipping point, but I figure we are still a good year away from that.

But Twitter has apparently gotten big enough to attract the attention of phishers. Over the weekend it was hit by a phishing scam that redirected people to a page at twitter.access-logins.com, which then tried to harvest their Twitter login credentials.

I couldn't find any information on how widespread this attack is (previous social networking attacks like the Koobface virus that hit Facebook have had only limited impact). My guess is that a lot of people have fallen for this: phishing is still new on Twitter, and the URL looks plausible enough to pass for a legitimate one. Active Twitter users receive so many messages that they cannot possibly check whether each one is legit.
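The reason the URL in this scam looks plausible is that the brand name sits in a subdomain of a domain the brand does not own. The following is an added example, not code from the original post, showing the kind of check a mail or message filter can apply: it extracts each link from a message, works out the registrable domain (the part a registrar actually handed out), and flags hostnames that mention the brand but resolve to some other registrable domain. The tiny public-suffix table, the sample messages and the function names are assumptions made for this illustration; a real deployment would use the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List.
# Assumption: these suffixes are enough for the sample input below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Rough URL matcher for free text; good enough for scanning short messages.
URL_RE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s]*)?")


def registrable_domain(host):
    """Return the registrable domain of a hostname.

    'twitter.access-logins.com' -> 'access-logins.com'
    'www.example.co.uk'         -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Check two-label suffixes before one-label ones so 'co.uk' beats 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def lookalike_verdict(url, brand="twitter", legit_domains=("twitter.com",)):
    """Classify a URL as 'legit', 'lookalike' or 'unrelated' for one brand.

    A hostname whose registrable domain is the brand's own is legit. A hostname
    that mentions the brand anywhere else (e.g. as a subdomain of a domain the
    brand does not own) is a lookalike. Brand names only in the path are not
    covered by this check.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in legit_domains:
        return "legit"
    if brand in host:
        return "lookalike"
    return "unrelated"


def scan_message(text, brand="twitter", legit_domains=("twitter.com",)):
    """Return (url, verdict) for every link found in a message."""
    return [(u, lookalike_verdict(u, brand, legit_domains))
            for u in URL_RE.findall(text)]


def count_lookalikes(messages):
    """Number of links across all messages that get the 'lookalike' verdict."""
    return sum(1 for m in messages
               for _, v in scan_message(m) if v == "lookalike")


# Constructed sample messages, modelled on the scam described in the post.
SAMPLE_MESSAGES = [
    "hey! check out this site: http://twitter.access-logins.com/login",
    "new feature on https://twitter.com/home today",
    "unrelated link http://example.org/news",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:10} {url}")
```

The useful property of this check is that it ignores how official the left-hand part of the hostname looks and decides only on the registrable domain, which is the one piece of the URL an attacker cannot fake without owning it.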

What is being done with the login credentials that have been harvested? I have absolutely no idea, but in the absence of hard facts let me venture a guess. Twitter itself could be used for spamming, click through fraud, page rank manipulation and the like. This is annoying for the victim but not much more.

Although most people use the same password for just about everything, I don't think there is a practical way for the Twitter attackers to use these credentials on other sites. That would require a more sophisticated spear phishing approach (a phishing attack that targets a particular person), which this does not appear to be. On the other hand, it would not be difficult to try all the harvested login credentials on, say, Citibank. But given the early detection of this phishing scam and the relative tech savviness of Twitter users, the impact of any such attack would be limited.

There's not a lot that can be done about these kinds of attacks. Even careful users who are aware of phishing scams can easily fall victim.

A few quick lessons for security managers from this:
  • Emphasize the separation of work and personal email. This will help limit the damage if an employee's personal email account is compromised.
  • Enforce password complexity and expiry. This reduces the likelihood that employees can use the same password universally.
  • Make sure that phishing is part of your information security training. Remind employees to be careful where they enter their credentials.

1 comment:

  1. I am disappointed at how slow Twitter has reacted to this. They should have used a powerful information drive.
