There has been more than one story in the news recently about Twitter accounts being hijacked. The most recent examples of note include the accounts of Britney Spears and famed blogger/entrepreneur Guy Kawasaki. These issues have highlighted some potential dangers of using the service, or really social networks in general. Have you encountered security issues with Twitter or other social networks? Share with WebProNews readers.
Amit Klein, CTO of Trusteer, a security firm which counts the nation’s largest direct bank, ING Direct, among its customers, feels that Twitter account hijacking is an issue that more people need to be aware of. WebProNews asked Klein a few questions about it, and the following is the resulting Q&A session.
WebProNews: Please talk a little bit about what is happening when Twitter (and other social network) accounts are hijacked.
Amit Klein: Typically, criminals hijack Twitter accounts in order to spread malware. That is, they abuse the hijacked accounts to post messages to all the "followers", with a link to a site that serves malware. In the Guy Kawasaki incident, for example (not a classic account hijacking, but still a malware spreading campaign), of the 139,000 followers, it is estimated that hundreds got infected. Earlier this year, accounts of 33 celebrities (among them Barack Obama – 1.6 million followers, and Britney Spears – 2.1 million followers) were hijacked.

WPN: How big of a problem is hijacking of Twitter (or other social network) accounts?
AK: This is quite bad, since a Twitter account enables one to send malware links and plain spam to all followers. Of course – the more followers, the more widespread the attack is.
WPN: How common is it?
AK: Over the last 10 days, we’ve seen two high profile incidents, in which an account was abused to serve spam and malware. One is the Guy Kawasaki incident, and another is Britney Spears.
WPN: Has it been limited to "high profile" accounts, or is it becoming common for regular users as well?
AK: Obviously the media covers only the high profile attacks (celebrities, politicians, etc.). We believe that attacks against more average accounts are also taking place – quite possibly via mass production utilities.
WPN: What are the dangers that come with it?
AK: The most obvious danger is that a hijacked account can be used to serve malware and spam automatically to all a user’s followers. An account can be hijacked a long time before it is abused. Attackers usually wait for the right opportunity to hit as many users as possible.
While Twitter is currently used to spread malware, it’s a perfect platform to commit fraud as well. Followers trust the messages that come from the person they follow, while in reality the message could be spam trying to convince followers to fall for a scam. A very simple example would be a request to donate a small amount of money to charity (for example to support the situation in Iran). The link would go to a fraudulent website that records credit card numbers. A high profile account that sends such a message could result in hundreds of thousands of compromised credit cards.
Another example is false rumors about companies and stock, which could result in pump and dump attacks.
WPN: What can users do to protect their accounts?
AK: To secure their Twitter presence, users need to take several actions:
1. Protect their Twitter credentials – users need to be vigilant and keep on the lookout for Twitter phishing attacks, and pharming (DNS poisoning) attacks. Users can install client side security tools that ensure they are only providing their Twitter credentials to the genuine Twitter website. In doing so, they will protect their credentials against keyloggers or malicious browser plug-ins ("man in the browser" attacks).
2. Control and protect their Twitter information. As tempting and convenient as it may be, using 3rd party applications and services that enhance Twitter may increase the exposure of users to abuse. Every website which is allowed to automatically post to a user’s Twitter account adds attack surface that criminals may exploit.
WPN: Please feel free to discuss anything else related to the subject that you feel people should know.
AK: Somewhat akin to phishing is a practice called "twitter-squatting", wherein names of people/organizations are registered by fraudsters (or sometimes pranksters). It makes a lot of sense to monitor for such registrations, or better yet, to register brand names and individual names as early as possible to thwart such attacks.
Another threat associated with Twitter is abusing "Trending Topics" to serve malware. The attack involves sending many tweets (with malicious links) with some special keyword in them, so that this keyword will show up as a trend in the "Trending Topics" list at twitter.com. A user that views a sample tweet for this keyword and clicks on the malicious link will be served malware.
Both examples show how well established web attacks carry over into the twittersphere. Cyber squatting is a well-known practice on the web, which is now occurring in Twitter. Likewise, search engine poisoning is a common practice on the web, and now in Twitter also.
Security-wise, Twitter should be treated both as an individual website with its own potential security issues, and as a microcosm into which many existing web attacks can be mapped. This makes securing Twitter harder than protecting typical websites.
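The two abuse patterns Klein describes, a hijacked account that suddenly pushes one malicious link to all its followers and a "Trending Topics" campaign where many accounts stuff the same keyword and link into tweets, both leave a statistical footprint that a defender can look for. The following heuristic is an added example written for this article, not Trusteer's or Twitter's code; the tweets and domains are constructed sample data, and the thresholds are assumptions to be tuned on real traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"#\w+")

# Constructed sample feed: (account, tweet text). Not real accounts or links.
SAMPLE_TWEETS = [
    ("celeb_a", "Good morning everyone, rehearsals today!"),
    ("celeb_a", "Check this out!! http://example-bad.test/x"),
    ("celeb_a", "Check this out!! http://example-bad.test/x"),
    ("celeb_a", "Check this out!! http://example-bad.test/x"),
    ("user_b", "reading a good book http://example.org/review"),
    ("bot1", "#freeiphone win now http://example-bad.test/y"),
    ("bot2", "#freeiphone win now http://example-bad.test/y"),
    ("bot3", "#freeiphone omg look http://example-bad.test/z"),
    ("bot4", "#freeiphone http://example-bad.test/y"),
]

def link_domains(text):
    """Return the set of hostnames linked from one tweet."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)}

def hijacked_account_signals(tweets, min_repeats=3):
    """Flag accounts that repeatedly push links to the same domain.

    A compromised account used as a malware spreader tends to post the same
    outbound link over and over; returns {account: domain} for such cases.
    """
    per_account = defaultdict(Counter)
    for account, text in tweets:
        for domain in link_domains(text):
            per_account[account][domain] += 1
    return {acct: dom for acct, counts in per_account.items()
            for dom, n in counts.items() if n >= min_repeats}

def trend_poisoning_signals(tweets, min_accounts=3):
    """Flag hashtags pushed by many distinct accounts toward one domain.

    Trending-topic abuse needs volume from many accounts plus a shared
    link; returns {hashtag: domain} where both conditions hold.
    """
    tag_accounts, tag_domains = defaultdict(set), defaultdict(Counter)
    for account, text in tweets:
        domains = link_domains(text)
        for tag in TAG_RE.findall(text.lower()):
            tag_accounts[tag].add(account)
            for domain in domains:
                tag_domains[tag][domain] += 1
    flagged = {}
    for tag, accounts in tag_accounts.items():
        if len(accounts) >= min_accounts and tag_domains[tag]:
            domain, n = tag_domains[tag].most_common(1)[0]
            if n >= min_accounts:
                flagged[tag] = domain
    return flagged
```

On the sample feed this flags celeb_a as a likely hijacked spreader of example-bad.test and #freeiphone as a poisoned trend pointing at the same domain, while user_b's single ordinary link is left alone.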
Wrapping up
WebProNews would like to thank Amit for sharing the above insight into Twitter security issues. Has your Twitter account ever been hijacked? Have you been a victim of Twitter abuse of any kind? Tell us about it.

Twitter security
Everything is already open!
Hackers and spammers have found a new way to spread malware on a big scale via Twitter. Now Twitter needs to work on its security and secure its users’ profiles, otherwise it may lose a lot of loyal customers, which is definitely not good for any company.
I’ve been aware of these security threats for some time. Twitter is only one thread inside a big ball of wool where security and privacy are intertwined.
not only that – but now Twitter is not monitoring porn followers either and explicit pictures being sent to me at home and work – it’s not cool – they need to get their stuff together or the service will go down hill as fast as it climbed up
Yes, my Twitter account was hijacked months ago and lucky me a nice twitter follower sent me a message to warn me about what had just happened. It was horrible, I had to go around all of my SM accounts and change my password b/c a lot of them had the same one – Thank God I had an account spreadsheet with my logins; I went down each one and changed.
Be careful with third party software about Twitter.
It will take a dedicated security system that can really address the exposed areas in Twitter to block the types of breaches that have occurred. Some are real hacks while the rest are simply gaming the system. While our company cannot prevent motivated individuals from gaming Twitter.. we have sent Twitter an invitation to consider deploying our patented software on their system.
It has been tested by experts to be fail safe.. and we hope Twitter takes us up on the offer. As a regular Twitter user… I want my account to be secure.
My account @dollarforgeorge was hacked into, resulting in nonsensical tweets being regularly posted to that account. I suspect it happened after I began using TwitRobot (may not have the name exactly right). I’ve seen one other account with the same sort of babble. I changed my password and that seems to have solved it.
I was suspended for five weeks with no contact. I think everybody you mention it to thinks the worst of you.
Then I was sent this message nearly a week ago.
“we do apologize for the wait. It looks like you got caught up in some sort of spam cloud (through no fault of your own). I’ve restored your account; please let me know if you encounter any issues in the future.”
Happy I sign in and find that little owl still on my screen saying still suspended. I have made several more approaches to complain that no one has switched me on. I now expect to wait at least another month before I hear.
This time I have changed my sign in. The whole of twitter is full of people claiming they can get you x times a million followers. Twitter do nothing about these application providers, who could be con men.
Wow, now I think I understand the lag time in being able to use my account. Originally started in April ’09, just now able to get back to my profile. What must we do for security? Spreading malware and other negative programs is so counter productive. Who are these people that exhale evil? Truly better to release love and inhale peace and light. Seek beauty in spite of the chaos.
I use Twitter mainly for socially marketing my safety and security web site. So far I haven’t had my account hacked; guess I don’t have enough followers to bother with. Thanks, Chris.
Sounds like Twitter could be the next MySpace…
I left MySpace and vowed never to return after the sheer amount of messages I was getting from friends who’d had their accounts hacked.
I have not seen or had any problems with security on twitter, I do have more of an issue that twitter has turned into nothing but a marketing tool for website owners and is way over rated now.
This blog at Google belongs to me. The whole Bible in questions and answers. A homosexual changed the verse “Two will lie on a bed, only one will be taken” to “Two men will lie on a bed, only one will be taken”
The only way to deal with hackers is just lock them up and throw away the key.
thanks for great article. I didn’t know much about twitter.
It’s important to be sure about any third party services people sign with before providing their sensitive data. Thanks so much for sharing this.
Regarding 3rd party apps, it’s not just Twitter that you should be worried about. Facebook is also another and greater security risk as so many people install games, quizzes, calendars and enhancements without realising that by installing these apps, they’re giving the app access to their personal information.
You’re right about not letting these 3rd party applications get access to your Facebook, as access to your Facebook also means access to your email! So be careful about giving out personal information as well as credit card information. Fraud online is becoming pandemic indeed.
It’s articles like this that make me glad I stopped hanging around on twitter. I never feel comfortable giving my password to any third parties, no matter how cool the feature. I guess sometimes it pays to be paranoid! LOL
I hope they find a way to stop this though, so many people get hurt.
Back to the Woodstock revival!
Have a great day and thanks for the great article!
Thanks for this very informative article.
Twitter suspended me today (ouch) with no explanation or anything. (except under investigation, whatever that means)
In their TOS they mention things like malware, but I’m certainly not trying to attack people. It takes too much time to build a Twitter page to risk getting it shut down.
I guess a lot of innocent people will fall under these new security measures. Of course I was unaware that services like tweetlater or ping.fm would open me up to being a target either!
Social Networks! Two steps forward and 10 steps back!!
Should I give up?
Getting your twitter acct hacked or coming by here and seeing you guys went out like suckers and made your links no follow
NOT COOL peace I’m out
Mixx just tried that crap
I wonder how much of this is our own fault. Social environments like twitter lure us into a false sense of security. People use their pets names or kids birthdays as passwords on twitter when they would never dream of doing that with their bank account. I have some experience with online security, and so far I’ve only seen one instance of real “hacking”. In every other circumstance I’ve seen security breached it was a case of the victim blabbing his/her password, writing it down someplace, or using an easy to guess password like their spouse’s name.
Twitter Should take some action on Security so that customers will feel happy.
Hello,
I used twitrobot for some time, but stopped now after they changed their login system.
I tested and noticed they were hijacking my Twitter password, apparently for their own purpose.
Password seemed to get changed every time after some while I allowed twitrobot access to my account.
That happened in my two separate Twitter accounts also during my tests. I first changed my password for test purposes, allowed twitrobot to access and guess what, after some while my account was inaccessible, informing incorrect login credentials.
This happened two times in both my Twitter accounts.
So that proves to me the twitrobot is not a reliable service, and I stopped using it. Just avoid it!!
Service seems good..but…you know what I mean..
Hope this helps..
just got suspended… out of nowhere.. pretty disappointing