<![CDATA[Greetings! I'm Mark Micheau, manager of research and translation services
Today, I have a great article to share with you on Twitter security and it
comes from a very sound source. I urge you to read on and I wish you a
Thursday, July 02, 2009
Security Expert Talks Account Hijacking
There has been more than one story in the news recently about Twitter
accounts being hijacked. The most recent examples of note include the
accounts of Britney Spears and famed blogger/entrepreneur Guy Kawasaki.
These issues have highlighted some potential dangers of using the service,
or really social networks in general. Have you encountered security issues
with Twitter or other social networks? Share with WebProNews readers.
Amit Klein, CTO and Founder of Trusteer, a security firm, who counts the
nation's largest direct bank, ING Direct, among its customers, feels that
Twitter account hijacking is an issue that more people need to be aware of.
WebProNews asked Klein a few questions about it, and the following is the
resulting Q&A session.
WebProNews: Please talk a little bit about what is happening when Twitter
(and other social network) accounts are hijacked.
Amit Klein: Typically, criminals hijack Twitter accounts in order to spread
malware. That is, they abuse the hijacked accounts to post messages to all
the "followers", with a link to a site that serves malware. In the Guy
Kawasaki incident, for example (not a classic account hijacking, but still a
malware spreading campaign), of the 139,000 followers, it is estimated that
hundreds got infected. Earlier this year, accounts of 33 celebrities (among
them Barack Obama – 1.6 million followers, and Britney Spears – 2.1 million
followers) were hijacked.
WPN: How big of a problem is hijacking of Twitter (or other social network)
AK: This is quite bad, since a twitter account enables one to send malware
links and plain spam to all followers. Of course – the more followers, the
more widespread the attack is.
WPN: How common is it?
AK: Over the last 10 days, we've seen two high profile incidents, in which
an account was abused to serve spam and malware. One is the Guy Kawasaki
incident, and another is Britney Spears.
WPN: Has it been limited to "high profile" accounts, or is it becoming
common for regular users as well?
AK: Obviously the media covers only the high profile attacks (celebrities,
politicians, etc.). We believe that attacks against more average accounts
are also taking place – quite possibly via mass production utilities.
WPN: What are the dangers that come with it?
AK: The most obvious danger is that a hijacked account can be used to serve
malware and spam automatically to all a user's followers. An account can be
hijacked a long time before it is abused. Attackers usually wait for the
right opportunity to hit as many users as possible.
While twitter is currently used to spread malware, it's a perfect platform
to commit fraud as well. Followers trust the messages that come from the
person they follow, while in reality the message could be spam trying to
convince followers to fall to a scam. A very simple example would be a
request to donate a small amount of money to charity (for example to support
the situation in Iran). The link would go to a fraudulent website that
records credit card numbers. A high profile account that sends such a
message could result in hundreds of thousands of compromised credit cards.
Another example is false rumors about companies and stock, which could
result in pump and dump attacks.
WPN: What can users do to protect their accounts?
AK: To secure their Twitter presence, users need to take several actions:
1. Protect their twitter credentials – users need to be vigilant and keep on
the lookout for Twitter phishing attacks, and pharming (DNS poisoning)
attacks. Users can install client side security tools that ensure they are
only providing their Twitter credentials to the genuine twitter website. In
doing so, they will protect their credentials against keyloggers or
malicious browser plug-ins ("man in the browser" attacks).
2. Control and protect their twitter information. As tempting and convenient
as it may be, using 3rd party applications and services that enhance Twitter
may increase the exposure of users to abuse. Every website which is allowed
to automatically post to a user's Twitter account adds attack surface that
criminals may exploit.
WPN: Please feel free to discuss anything else related to the subject that
you feel people should know.
AK: Somewhat akin to phishing is a practice called "twitter-squatting",
wherein names of people/organizations are registered by fraudsters (or
sometimes pranksters). It makes a lot of sense to monitor for such
registrations, or better yet, to register brand names and individual names
as early as possible to thwart such attacks.
Another threat associated with Twitter is abusing "Trending Topics" to
serve malware. The attack involves sending many tweets (with malicious
links) with some special keyword in them, so that this keyword will show up
as a trend in the "Trending Topics" list at twitter.com. A user that views a
sample tweet for this keyword and clicks on the malicious link will be
Both examples show how well established web attacks carry over into the
twittersphere. Cyber squatting is a well-known practice on the web, which is
now occurring in Twitter. Likewise, search engine poisoning is a common
practice on the web, and now in Twitter also.
Security-wise, Twitter should be treated both as an individual website with
its own potential security issues, and as a microcosm into which many
existing web attacks can be mapped. This makes securing Twitter harder than
protecting typical websites.
WebProNews would like to thank Amit for sharing the above insight into
Twitter security issues. Has your Twitter account ever been hijacked? Have
you been a victim of Twitter abuse of any kind? Tell us about it.
]]>