Sunday, January 04, 2009

Tips To Avoid Twitter Phishing

Unless you've been under a rock over the weekend, or maybe you were just unplugged, you've probably heard that Twitter has been hit by a round of serious phishing attacks. The Twitter-verse has been abuzz all weekend long with numerous reports of DMs being sent out with links to phony Twitter pages.

The nuts and bolts of it:
The attackers are sending out Direct Messages (DMs) with a link that sends users off-site to a fake log-in page. Unsuspecting users then log in to that page, in turn handing their log-in credentials over to the phishers. The phishers then use those credentials and accounts to send more DMs, creating a vicious cycle.

Avoiding phishing scams is just a matter of a little common sense.
Phishing is nothing new; people have been scamming users for years with these techniques, and they are almost always the same. It usually involves a very well copied log-in page, a poorly copied URL and a few unsuspecting users to get it all started. Once one user sends out a message to a trusting friend, it begins to spread like wildfire.

Here are a few tips that are very helpful in avoiding these scams.

    Don't log in to any page without looking at the URL first
    This seems simple enough, but how many times do you really look at the page you are logging into? If you look at the screenshot taken by Twitter you can clearly see it's not the correct page. This advice applies to any page, not just Twitter. Phishing has been around long enough that users should know to double-check their URLs first. In this case the URL is not masked very well and is easily spotted!

    Use your bookmarks, back button or go directly to the main site
    If you click an off-site link and somehow end up on a log-in page, it is always best to get the hell out of there. Use your back button, click your own bookmark or type the URL in directly. You are always better safe than sorry.

    Change your passwords often
    Yes, this can be a pain in the rear; however, you should be changing your passwords a few times a year just to be on the safe side.

    If it is too good to be true it usually is **Read update below**
    The latest round of phishing DMs involved getting a free iPhone. Do you really think they are handing these things out like candy? The old adage has always rung true: if it sounds too good to be true, it usually is. So avoid it like the plague.

    Don't be a blind Re-Tweeter
    Don't blindly Re-Tweet messages sent to you by people you follow. Sending out links you haven't taken the time to check out yourself puts your followers at risk. If you don't check out the link first, you might just be sending out a link to a phishing site or, even worse, something with malware or viruses!

    Trim the fat
    Pro-Blogger Chris Brogan was scoffing at the idea of having to unfollow 25k Tweeters. While most of us are nowhere near that level, I'm sure we all have Tweeters on our page we don't know and probably don't need. Now would be a good time to click through some of those followers and check them out. Contact and/or remove anyone that looks suspicious.

For those of you unlucky enough to have already been hit by the phishing scam, don't fret; there is hope for getting your account back. Follow the steps outlined in the Twitter blog post for having your password reset. Once that is done, I'd suggest doing some serious making up with everyone on your follow list!

You can follow updates on the attack by subscribing to the Twitter topic #phishingalert as well as the Twitter topic #phishing.

Update - Information regarding the iPhone DM scam is now available.
Twitter users are reporting that they are receiving direct messages with links for a chance to win an Apple iPhone. The links in the DMs are sending Twitter users to two different sites suggesting that visitors sign up for a chance to win a free iPhone.

You're asked for your gender, your mobile carrier and eventually your mobile number. Reading the fine print, however, shows you that by signing up for this promotion you're also signing up for a third-party text messaging service which starts at $5.99 a week. For more details check out Venture Beat's post "You don’t want that free iPhone — another Twitter scam breaks out".


  1. Anonymous, 10:22 AM

    Thanks for the info. this phishing stuff sucks! It's pretty much the first time I've had some worries with Twitter!

  2. The fact that this spread so fast and hit so many users seems to show that it really caught a lot of people off guard. I probably shouldn't be, but personally I was surprised to see how widespread the phishing had become. Phishing is nothing new and users should be taking steps to avoid the possibility of being scammed on any and every site they visit.

  3. Congratulations,

    This post is on the latest Carnival of Computer Help and Advice.

