• United States



by Mary Landesman, Senior Security Researcher, ScanSafe

Twitter Attacks: How to Alert Connections of a Social Network Hack

Feb 23, 20103 mins
Application SecurityCybercrimeData and Information Security

You've been hit by a social network scam on Twitter and don't know how to warn your contacts? Mary Landesman of ScanSafe offers four simple, clear steps to help protect your contacts

Twitter has rapidly become one of the most popular social media and microblogging services on the internet. Unfortunately, in the Web world, popularity often leads to increased security concerns. Twitter has also become a popular tool with cyber criminals, who are increasingly using it as a vessel to spread malware.

This past weekend, Twitter users were hit with a phishing scam that caught many off guard. (Attacks on social networks tripled in 2009, read more here)The innocuous sounding message included a link that, if clicked, led to a spoofed Twitter login page. Anyone who logged in via that page would have had their Twitter account credentials stolen. Those victims then had the same message tweeted out to their contacts, thus causing exponential spread of the phishing attack. The messages sent were similar to the following:

Lol , this is funny

Lol. this is me??

Lol. this you??

Read about some of most common ways users get taken on social networks in 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid

So what should you do if you fall victim to a phishing scam turned social network worm? Be a friend and alert your contacts that messages posted are not actually from you. In general, the ABCs of proper etiquette after a normal social networking scam are:

~ Acknowledge the attack to anyone who might have been adversely impacted;

~ Be detailed: Tell them what message they might have received as a result of the malware/phishing and what might have happened as a result;

~ Caution your contacts: Use this as an opportunity to remind everyone that just because they think a message comes from someone they know, there really is no way of telling for sure. If they ever do click a link that then leads to a login page or to a video codec install, they should close the page immediately and contact their friend via some other method to inquire (and possibly alert them) about the seemingly malicious link.

When Twitter accounts are phished, the 140 character limitation makes it a bit harder to convey the message. Using as few words as possible, try to include enough details about the message sent so folks can identify it, ended with a brief “I’m sorry”. Don’t ever include a link in that apology; after all, it was clicking on a link that got folks in trouble in the first place.

This brings up another point. Instead of typing very brief generic messages when sending legitimate links, get in the habit of including some identifying info so that the recipient can tell that the human you really did intend to send it. For example, instead of sending “Check out this funny video”, always include more specifics like, “Funny video! Reminds me of that crazy guy we saw on the beach in the Bahamas.” If enough folks adopted this habit, it would become much easier to distinguish the really generic messages as being likely phishing/malware attacks.