Beware Social Phishing

This post was generated by Dashter

Oscar Gonzalez – @notagrouch
@RossTeasley http://t.co/9ZXwoT9I – Please take a look at this, guys. Pay attention to the URLs you click on.

The link provided goes to an image posted by Ross – with a very common phishing attack designed to snag login info from your Twitter account.

So why does it matter? It’s not like you’ve got personal information on your Twitter account, right?

What makes a site like Twitter dangerous comes down to three things: network effects, Twitter app access, and short URLs.

Network effects can be powerful: a single hijacked account can distribute links to your followers (and to random people interacting with your Twitter account) extremely quickly. Imagine you have 100 followers. If even 10 of those people click the link and become ensnared by the phishing attempt, and each of those people has 100 followers, then suddenly that single tweet is worth 1,000 new victims. Network effects happen unbelievably quickly, and phishers only need to catch a small percentage to gain access to many accounts.

Twitter app access is important to know about. Most Twitter apps have full control over your Twitter account, meaning they can post tweets at any time. Most people don’t pay attention to what they’ve posted, entirely because they assume they’ve been in control of their account the whole time. When was the last time you looked at your most recent tweets?

Susan Revelt – @SusanRev
Is phishing on twitter called twishing?

Once an app is allowed access to your Twitter account (easily done), it can post anything at any time. So if you’re hit by a phisher, you may also have been “twished” with a litany of potentially bad apps. Hit by a phishing attack? Once you restore your account, you should go check your “allowed” apps list:

First, log in to your Twitter.com account (make sure you go to, ya know, Twitter.com):

Click “Profile”

Click “Edit Your Profile”

Click “Applications” on the tabs

You can now review all the apps that have access to your account. Notice that almost everything will have “read” AND “write” access, and some even have access to DMs.

So keep that in mind if you are curious as to what can access your social media account.

But why does this all matter? Because short URLs are a phisher’s best friend. They can swipe access to your account, lie dormant for hours, days, or weeks (few are this patient, but the smart ones would), and then hit en masse when you’re not paying attention. Thanks to the concealing abilities of a short URL, they can send your followers virtually anywhere: a bank login page, an email login, a “spoofed” government site, and so on. We do so many transactions online nowadays that most people aren’t paying close attention to where links are headed. Unlike email phishing scams, which often require complex messages that take hours to compose and manipulate to look like a bank or professional email, a 140-character tweet is a perfect playground for malicious attacks.
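The practical defence against a concealing short URL is to expand it before anyone clicks: follow each redirect hop yourself, without letting the HTTP library auto-follow, and look at where the chain actually ends. The script below is an added example written for this post, not code from the original article or from Twitter. The redirect table it runs against is constructed for the demo (the `t.co` short codes, the `shrt.example`, `twitter-login.example` and `loop.example` hosts are all hypothetical); `http_head_location()` is the function you would plug in to query live servers instead.

```python
"""Expand a shortened URL hop by hop and report where it really lands.

Added example for this post, not code from the original article. The
FAKE_RESPONSES table stands in for live HEAD responses so the script runs
offline; http_head_location() is the live equivalent.
"""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def http_head_location(url, timeout=5):
    """One HEAD request with redirects NOT followed; returns (status, Location header)."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "short-url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=http_head_location, max_hops=MAX_HOPS):
    """Follow 3xx responses manually and return the whole chain of URLs.

    Stops at the first non-redirect, on a redirect loop, or when max_hops is
    exhausted. The last two are suspicious in themselves: a chain a reader
    cannot see through is exactly what the post warns about.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            break  # redirect loop
        seen.add(nxt)
    return chain


def assess(chain, trusted_hosts):
    """Summarise where a chain ends and list the reasons it looks suspicious."""
    first, last = urlparse(chain[0]), urlparse(chain[-1])
    host = last.hostname or ""
    trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    reasons = []
    if not trusted:
        reasons.append("final host %r is not in the trusted list" % host)
    if first.scheme == "https" and last.scheme == "http":
        reasons.append("chain downgrades from https to http")
    if len(chain) > 3:
        reasons.append("%d hops is unusually deep for a link shortener" % (len(chain) - 1))
    if len(chain) > 1 and chain[-1] in chain[:-1]:
        reasons.append("redirect loop")
    return {"final_host": host, "hops": len(chain) - 1,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed redirect table standing in for live HEAD responses (hypothetical URLs).
FAKE_RESPONSES = {
    "https://t.co/constructed1": (301, "https://shrt.example/abc"),
    "https://shrt.example/abc": (302, "http://twitter-login.example/verify"),
    "http://twitter-login.example/verify": (200, None),
    "https://t.co/constructed2": (301, "https://twitter.com/"),
    "https://twitter.com/": (200, None),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Offline stand-in for http_head_location()."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in ("https://t.co/constructed1", "https://t.co/constructed2", "https://loop.example/a"):
        chain = expand_url(start, fetch=fake_fetch)
        print(" -> ".join(chain))
        print("   ", assess(chain, {"twitter.com"}))
```

Only the final host matters for the trust decision; the shortener in the middle tells you nothing, which is the point of the post. The https-to-http downgrade and loop checks catch two patterns a reader would otherwise only notice after the page has loaded.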

So, pay attention to phishing on your social profiles. Your followers are the ones most likely to be victimized by your snared account. Check your apps regularly, and if anything isn’t welcome, immediately revoke its access, and consider flagging it to Twitter in case they need to purge the app from their servers.

Think phishing isn’t that big a deal? Think I’ve missed something? Drop a note in the comments and share! Thanks for visiting.