Things You Need to Know About Twitter Security
There has been more than one story in the news recently about Twitter accounts being hijacked. The most recent examples of note include the accounts of Britney Spears and famed blogger/entrepreneur Guy Kawasaki. These issues have highlighted some potential dangers of using the service, or really social networks in general. Have you encountered security issues with Twitter or other social networks? Share with WebProNews readers.
Amit Klein, CTO of Trusteer, a security firm that counts the nation’s largest direct bank, ING Direct, among its customers, feels that Twitter account hijacking is an issue that more people need to be aware of. WebProNews asked Klein a few questions about it, and the following is the resulting Q&A session.
WebProNews: Please talk a little bit about what is happening when Twitter (and other social network) accounts are hijacked.
Amit Klein: Typically, criminals hijack Twitter accounts in order to spread malware. That is, they abuse the hijacked accounts to post messages to all the "followers", with a link to a site that serves malware. In the Guy Kawasaki incident, for example (not a classic account hijacking, but still a malware spreading campaign), of the 139,000 followers, it is estimated that hundreds got infected. Earlier this year, accounts of 33 celebrities (among them Barack Obama – 1.6 million followers, and Britney Spears – 2.1 million followers) were hijacked.
WPN: How big of a problem is hijacking of Twitter (or other social network) accounts?
AK: This is quite bad, since a Twitter account enables one to send malware links and plain spam to all followers. Of course – the more followers, the more widespread the attack is.
WPN: How common is it?
AK: Over the last 10 days, we’ve seen two high profile incidents, in which an account was abused to serve spam and malware. One is the Guy Kawasaki incident, and another is Britney Spears.
WPN: Has it been limited to "high profile" accounts, or is it becoming common for regular users as well?
AK: Obviously the media covers only the high profile attacks (celebrities, politicians, etc.). We believe that attacks against more average accounts are also taking place – quite possibly via mass production utilities.
WPN: What are the dangers that come with it?
AK: The most obvious danger is that a hijacked account can be used to serve malware and spam automatically to all of a user’s followers. An account can be hijacked a long time before it is abused. Attackers usually wait for the right opportunity to hit as many users as possible.
While Twitter is currently used to spread malware, it’s a perfect platform to commit fraud as well. Followers trust the messages that come from the person they follow, while in reality the message could be spam trying to convince followers to fall for a scam. A very simple example would be a request to donate a small amount of money to charity (for example to support the situation in Iran). The link would go to a fraudulent website that records credit card numbers. A high profile account that sends such a message could result in hundreds of thousands of compromised credit cards.
Another example is false rumors about companies and stock, which could result in pump and dump attacks.
WPN: What can users do to protect their accounts?
AK: To secure their Twitter presence, users need to take several actions:
1. Protect their Twitter credentials – users need to be vigilant and keep on the lookout for Twitter phishing attacks, and pharming (DNS poisoning) attacks. Users can install client-side security tools that ensure they are only providing their Twitter credentials to the genuine Twitter website. In doing so, they will protect their credentials against keyloggers or malicious browser plug-ins ("man in the browser" attacks).
2. Control and protect their Twitter information. As tempting and convenient as it may be, using 3rd party applications and services that enhance Twitter may increase the exposure of users to abuse. Every website which is allowed to automatically post to a user’s Twitter account adds attack surface that criminals may exploit.
WPN: Please feel free to discuss anything else related to the subject that you feel people should know.
AK: Somewhat akin to phishing is a practice called "twitter-squatting", wherein names of people/organizations are registered by fraudsters (or sometimes pranksters). It makes a lot of sense to monitor for such registrations, or better yet, to register brand names and individual names as early as possible to thwart such attacks.
Another threat associated with Twitter is abusing "Trending Topics" to serve malware. The attack involves sending many tweets (with malicious links) with some special keyword in them, so that this keyword will show up as a trend in the "Trending Topics" list at twitter.com. A user that views a sample tweet for this keyword and clicks on the malicious link will be served malware.
Both examples show how well-established web attacks carry over into the twittersphere. Cybersquatting is a well-known practice on the web, which is now occurring in Twitter. Likewise, search engine poisoning is a common practice on the web, and now in Twitter also.
Security-wise, Twitter should be treated both as an individual website with its own potential security issues, and as a microcosm into which many existing web attacks can be mapped. This makes securing Twitter harder than protecting typical websites.
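The "Trending Topics" abuse Klein describes above has a detectable shape: a burst of tweets on one keyword, posted from many accounts, nearly all pointing at the same link domain. The following is an added example, not code from the article or from Trusteer; it runs that heuristic over a constructed set of tweets and flags keywords whose volume is dominated by a single domain. The tweet data, the hashtag/URL parsing and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample tweets (account, text); the domains are placeholders, not real sites.
SAMPLE_TWEETS = [
    ("a1", "#freegift win now http://lure-example.test/x"),
    ("a2", "omg #freegift http://lure-example.test/y"),
    ("a3", "#freegift #monday http://lure-example.test/z"),
    ("a4", "get it #FreeGift http://lure-example.test/q"),
    ("a5", "#freegift http://lure-example.test/r"),
    ("a1", "again #freegift http://lure-example.test/s"),
    ("b1", "news #iran http://news-example.test/1"),      # organic trend:
    ("b2", "#iran thoughts http://other-example.test/2"),  # mixed domains,
    ("b3", "#iran"),                                       # some tweets without links
    ("b4", "#iran http://news-example.test/3"),
    ("b5", "#iran http://third-example.test/4"),
]

HASHTAG_RE = re.compile(r"#(\w+)")
URL_RE = re.compile(r"https?://\S+")

def extract(text):
    """Return the lower-cased hashtags and link domains found in one tweet."""
    tags = {t.lower() for t in HASHTAG_RE.findall(text)}
    domains = {urlparse(u).netloc.lower() for u in URL_RE.findall(text)}
    return tags, domains

def find_suspicious_trends(tweets, min_tweets=5, min_domain_share=0.8):
    """Flag keywords where at least min_tweets tweets exist and a single link
    domain appears in min_domain_share or more of them (assumed thresholds)."""
    per_tag = defaultdict(list)          # tag -> [(account, domains), ...]
    for account, text in tweets:
        tags, domains = extract(text)
        for tag in tags:
            per_tag[tag].append((account, domains))
    flagged = {}
    for tag, posts in per_tag.items():
        if len(posts) < min_tweets:
            continue
        domain_count = defaultdict(int)
        for _, domains in posts:
            for d in domains:
                domain_count[d] += 1
        if not domain_count:
            continue
        top_domain, hits = max(domain_count.items(), key=lambda kv: kv[1])
        share = hits / len(posts)
        if share >= min_domain_share:
            flagged[tag] = {"domain": top_domain, "tweets": len(posts), "share": share,
                            "accounts": len({a for a, _ in posts})}
    return flagged
```

On the constructed sample only `freegift` is flagged; the `iran` keyword has enough volume but its links are spread over several domains, which is what distinguishes an organic trend from a seeded one under this heuristic.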
WebProNews would like to thank Amit for sharing the above insight into Twitter security issues. Has your Twitter account ever been hijacked? Have you been a victim of Twitter abuse of any kind? Tell us about it.