By John Dodge
Posting in Design
Phishing attacks on Twitter and Facebook are on the rise again and victimized me recently. Maybe the same thing has happened to you. Here are some pointers on how to defend against them.
Phishing was not on my list of things to educate myself about until I was the victim of a couple of attacks on my Twitter account over the past month. Who wants to bother with such things? Maybe you should before it happens to you.
Never sharing logins and passwords is common sense but people do it. And periodically changing important logins and passwords is not a bad idea either. Those are the basics and there's an abundance of anti-phishing advice online.
Here's what happened to me.
Somehow, a hacker appeared to get my Twitter login and password and started sending messages to my followers: "I made $426.23 online today with [web site URL here]." I'm not going to identify the web site because that's exactly what they want me to do, but as you might imagine, it was one of those make-money-online nonsense sites.
CNet reported a week ago (see image) that it was not a phishing expedition because the victims were lured to a spammy make-money-online site, not sites designed to trick the unwitting into divulging log-ins and passwords. CNet also said the same thing was occurring on Facebook.
If phishing was not involved, how did they get into my account and masquerade as me? Had my Twitter account been phished? That I don't know scares me.
Several of my followers notified me that my account had been hacked and urged me to change my password, which I did. That's when the fun started.
At that point, the Phisherperson or software repeatedly tried to get into my account, but was blocked because the password had been changed. That alerted Twitter which sent me an e-mail urging me to change my password. Once I did, Twitter temporarily locked me out of my own account.
Twitter in pure twitterese told me to "chillax" while it was shut down and try to login after a while. Chilling with an axe did not seem like such a good idea to me.
Within 12-18 hours, the account was live and seemingly secure again. I learned of the second suspected phishing attack yesterday when Twitter sent me another message telling me to change my password. When I ignored it, Twitter sent me a second message about 90 minutes after the first one. It meant business, so I followed the instructions. Again, I was locked out of my account, this time overnight.
Whether there was an actual phishing attack is unclear because no bogus messages were sent to my followers of which I am aware. I suspect I was on a warning list because of the first incident.
I have no clue as to how the hacker successfully phished my Twitter information. After all, I didn't fall for any phishy e-mails that ask for a login and password, which I would never give up. The effect has been chilling.
This morning, I removed more than 50 semi-important logins from my online contact list (maybe 40 per cent of them were active or even remotely useful). Could they have been compromised? Is there a hole in my cloud? Were they really deleted?
I put the contacts on a sheet of paper and stuck it in a hermetically sealed jar on Funk & Wagnalls porch as Johnny Carson's sidekick Ed McMahon would say.
The episode was little more than an inconvenience because it gobbled up some time on my end, but it served as a warning to stay vigilant for more insidious phishing attacks.
Now I can "chillax."
Follow me on Twitter (psst...it's safe...for now).
Nov 10, 2009
It's only classed as phishing if you enter your login details into a site you believe to be the true site you want to access, or you enter your login details into something that will then use your account to generate some useful information (supposedly). Two common examples of this are PayPal phishing, whereby a crook simply copies and pastes the PayPal page source, adds in a little PHP/ASP/whatever for the form and then somehow passes you a dodgy link like "paypal.secureloginsrvr.com", commonly in an email. That is direct phishing, whereby it looks like PayPal, but it's not. Indirect phishing would be something like those MSN block checkers that ask you to enter your account details to see blocked contacts; these don't work (obviously). Note: direct and indirect phishing is a term I came up with to give a name to the differences, so googling it for more info probably won't help.

-------------------------

What is happening here could be one of many things. The chances of someone hacking the Twitter database and using your account are improbable; your account isn't exactly special, they would gain more from a high-profile account like a celeb or well-known specialist in the area they are exploiting (i.e. a money-making scam may use a millionaire's account like someone off Dragons' Den). Personally I can see three possibilities:

1. They are cracking your password using a dict or brute-force attack. There are many tools for pentesting that can be used for illegal purposes.
2. You have used the password elsewhere, and the site admin isn't genuine and keeps your passwords in cleartext so he can read them and see if they work for other sites (probably not the case if you have changed passwords a few times and you don't use the same password for multiple sites).
3. You may have spyware or similar running, sending either saved passwords or keystrokes or some other info (cookie info and session IDs can also be used without the need to even know your username/password if Twitter don't lock cookies/sessions to IPs).

In the event of anything regarding security I would always advise that you run virus scans and such. NOD32 hasn't failed me with trojans and viruses, and Spybot S&D is what I regard to be the ultimate for checking and removing any bots/loggers etc. Ad-Aware is also a good app to run if you're over-protective, but it has decremented in its value to us IT people in the past few years. I don't know your level of skill so I apologise if this is stuff you already know or you feel it undermines your skills, but hopefully someone will find the info interesting and useful. For more info please feel free to contact me at email@example.com
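As an added example (not code from the post or the commenter), here is the kind of check a mail filter or browser add-on can run over a message to catch the "direct phishing" link pattern the comment describes: a host that carries a brand name but whose registrable domain is not one the brand owns. The brand allowlist and the sample e-mail are constructed for illustration; only "paypal.secureloginsrvr.com" comes from the comment.

```python
"""Flag login links whose hostname only looks like a trusted brand's.

Added example, not from the original post. TRUSTED_DOMAINS and SAMPLE_EMAIL
are constructed; a real deployment would load the allowlist from policy.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains each brand actually uses.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "twitter": {"twitter.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one link."""
    if "://" not in url:
        url = "http://" + url          # bare hosts as pasted into e-mails
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    for brand, domains in TRUSTED_DOMAINS.items():
        if domain in domains:
            return "trusted"           # the brand really owns this domain
        if brand in host:
            # Brand name used as a subdomain or label of someone else's
            # domain, e.g. paypal.secureloginsrvr.com: the phishing pattern.
            return "lookalike"
    return "unrelated"


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Extract every http(s) link in a message and classify it."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in links]


# Constructed sample message mixing a lookalike and a genuine link.
SAMPLE_EMAIL = (
    "Dear customer, confirm your account at "
    "https://paypal.secureloginsrvr.com/login or see "
    "https://www.paypal.com/help."
)

if __name__ == "__main__":
    for link, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {link}")
```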
You say: "This morning, I removed more than 50 semi-important logins from my online contact list" What is a login and how do I remove them?
MY Facebook account was compromised. It was NOT phishing. The ONLY way someone could gain access to my account and insert an infected image was via Facebook. Cloud computing has its drawbacks and I suspect this is a great example. I suspect someone used a maintenance port or "logmein" type infiltration to Twitter and Facebook and hacked the accounts. Servers are houses with open doors. The correct crook with the right key gains access. I also suspect the stock market computers were hacked in 2008 and fed data to make bad stocks look good. It C A N happen. firstname.lastname@example.org.
Never let Firefox or any other web browser remember your login/passwords. That is pure idiotic. How did they get my password and login information? YOU SENT IT TO THEM!! lol
Will check out thread that...Twitter has locked me out again for no apparent reason. This attack is much bigger than Twitter is letting on...it is virtually disabling my usage...I don't mind changing passwords and then fixing them in Tweetdeck across three computers, but Twitter needs to have a better handle on the problem AND MORE SUPPORT...
I've been trying out a new website lately that seems much safer than Twitter or Facebook for sharing. Have a look at https://www.threadthat.com.
"periodically changing important logins and passwords is not a bad idea" ... Though I can't agree with you more, changing passwords all the time is easier said than done. Most active online users like you and me easily have from 20 to 200 accounts to manage. When convenience and security need a balance, I use my KeePass (a neat password manager), integrated with MashedLife.com, to enjoy life and safety and stay organized. For 3 years. And I have more than 100 social & blogging accounts, and I'm a happy man who has not been phished and has stayed away from the account management hassles since then.
Very good article mate, been loving a lot of your stuff recently. Something that I came across recently that you may be interested in is this website (www.theisbook.com) that generates your Facebook status for you when you're not feeling very creative: http://www.theisbook.com/status-generator/ Check it out and thank me later. Keep up the good work, I look forward to reading more of your stuff.