Thinking Tech

Twitter, Facebook fertile phishing grounds


Phishing attacks in Twitter and Facebook are on the rise again and victimized me recently. Maybe the same thing has happened to you. Here are some pointers on how to defend against them.

Phishing was not on my list of things to educate myself about until I was victim to a couple of attacks over the past month in my Twitter account. Who wants to bother with such things? Maybe you should before it happens to you.

Never sharing logins and passwords is common sense but people do it. And periodically changing important logins and passwords is not a bad idea either. Those are the basics and there's an abundance of anti-phishing advice online.

Here's what happened to me.

Somehow, a hacker appeared to get my Twitter login and password and started sending messages to my followers: "I made $426.23 online today with [web site URL here]." I'm not going to identify the web site because that's exactly what they want me to do, but as you might imagine, it was one of those make-money-online nonsense sites.

CNet reported a week ago (see image) that it was not a phishing expedition because the victims were lured to a spammy make-money-online site, not sites designed to trick the unwitting into divulging log-ins and passwords. CNet also said the same thing was occurring on Facebook.

If phishing was not involved, how did they get into my account and masquerade as me? Had my Twitter account been phished? That I don't know is what scares me.

Several of my followers notified me that my account had been hacked and urged me to change my password which I did. That's when the fun started.

At that point, the Phisherperson or software repeatedly tried to get into my account, but was blocked because the password had been changed. That alerted Twitter which sent me an e-mail urging me to change my password. Once I did, Twitter temporarily locked me out of my own account.

Twitter in pure twitterese told me to "chillax" while it was shut down and try to login after a while. Chilling with an axe did not seem like such a good idea to me.

Within 12-18 hours, the account was live and seemingly secure again. I learned of the second suspected phishing attack yesterday when Twitter sent me another message telling me to change my password. When I ignored it, Twitter sent me a second message about 90 minutes after the first one. It meant business, so I followed the instructions. Again, I was locked out of my account, this time overnight.

Whether there was an actual phishing attack is unclear because no bogus messages were sent to my followers of which I am aware. I suspect I was on a warning list because of the first incident.

I have no clue as to how the hacker successfully phished my Twitter information. After all, I didn't fall for any phishy e-mails asking for a login and password, which I would never give up. The effect has been chilling.

This morning, I removed more than 50 semi-important logins from my online contact list (maybe 40 per cent of them were active or even remotely useful). Could they have been compromised? Is there a hole in my cloud? Were they really deleted?

I put the contacts on a sheet of paper and stuck it in a hermetically sealed jar on Funk & Wagnalls' porch, as Johnny Carson's sidekick Ed McMahon would say.

The episode was little more than an inconvenience because it gobbled up some time on my end, but it served as a warning to stay vigilant for more insidious phishing attacks.

Now I can "chillax."

Follow me on Twitter (psst...it's safe...for now).


John Dodge

Contributing Editor

Contributing Editor John Dodge has written for the Wall Street Journal, Boston Globe, PC Week (now eWeek), EDN, Design News, Electronic Business, Bio-IT World, Health-IT World, Lowell Sun, Haverhill Gazette and Newburyport Daily News. He is based in Massachusetts.