Twitter Scammers Looking for Easy Prey
Monday, 27 July 2009

By Chris Veltsos

The majority of Twitter users don't mind sharing their tweets (i.e., their Twitter updates) with the rest of the world. After all, sharing one's thoughts and actions is at the core of social networks like Twitter, Facebook, and MySpace. However, what users often don't realize is that, in aggregate, their tweets paint a picture of who they really are.

Take for example those who tweet about hating their jobs. Using the search feature in Twitter, it is possible to gather scores of users who have recently tweeted on their negative feelings about work. This information is useful in the hands of someone looking to make contact with an insider, usually for nefarious purposes.

Another aspect of one's public Twitter stream is whether (or in some cases how often) someone has fallen for a scam on Twitter, be it a phishing scam that they simply re-tweeted or a click-jacking attack that suddenly floods one's followers with tens or hundreds of dangerous tweets.

Let's explore this item a little further.

Recently, several users fell prey to a scam promising to increase their number of followers. When they clicked on the link promising "tons of followers," users were asked for their username/password. This allowed the scammers to then use that account to spread their message to more people.

The real danger behind such lapses in judgment, giving another site your (Twitter) credentials, comes from what it says about the victim. By monitoring patterns of behavior, attackers can zoom in on easy prey who appear to engage in a pattern of risky behavior by clicking dangerous links or providing sensitive information. Worse, if that person is one of your employees, attackers are likely to be able to extract username/passwords from the unsuspecting user again.

How confident are you that one's Twitter password isn't also their password for work email, bank account info, etc.?

Copyright © 2008 To Present · Information-Security-Resources.com

Chris Veltsos - AKA Dr.InfoSec - is a faculty member in the Department of Information Systems & Technology at Minnesota State University, Mankato.




Comments (2)
1. 07-27-2009 10:40
 
I'm afraid that we are just starting to see the tip of the iceberg with this lax user security behavior; as the ecosystem of third-party applications blossoms through the use of the social network APIs, the habit of providing user credentials on various sites is going to get more ingrained. Some of these apps offer good value, but you should limit your use to a select few and change account passwords often.
 
Frederick B. Kauber
2. 07-28-2009 09:42
 
I find it interesting such people actually exist. So, if I understand this article correctly, someone asks a person for their User ID and their Password and the "Twit" gives it to them after a promise of tons of followers? How gullible can people be? 
 
Chris brings up a valid concern, how do you know someone's password for Tweeting isn't that person's password for their bank account, for their security access to proprietary information at work, or even their password to gain access to their homes? 
 
File this one under, blame the human not the application. Still, how can sites like Twitter help people to help themselves? 
 
Are there companies out there that have any type of warning software to keep a person from giving out such information freely?
 
Further, if it is the "Tip of the iceberg" as suggested by Frederick Kauber, how can companies protect themselves from such actions?
 
Ron Kost


Copyright © 2007-2014 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.