Recently I received several DMs from several different friends on twitter saying:
“hey this user is writing cruel things that are about you [bit.ly link redacted]”
Now I don’t follow such links, and I usually don’t click blind links either for that matter. I get snarky if you link me blind without at least telling me what it is, but that’s a rant for another time. The worst part about this is that I received these DMs from several of my friends who I thought for sure would not fall for such attacks.
If you clicked or tapped that link, it sent you to a malware proxy that spoofed a Twitter-looking web login page. It was in fact doing several things at once: capturing your login and password for possible future use or account hijacking, and ‘authorizing’ the SPAM agent as an App on your behalf.
And I might note that since I got it from several friends who I do not think would click/tap links like this, it most likely also sends the same spoofed DM from each infected account to everyone on that account’s friends list, so the lure always arrives from a mutual friend. This has the effect of both making the infection hard to trace back until the weight-loss-pill pitch tweets start, and bypassing a ‘followers only’ privacy setting.
Ok, but what does that really mean in English?
What this means is that even if you change your password right away, the authorized App still holds its own access token, so the SPAM agent can keep sending DMs to your friends with the dirty weblink and SPAM tweets about their pills to your followers.
So how do you know if you’ve been had? If you’ve been had what do you do about it?
On a secure connection (https), log in to the Twitter page and go here https://twitter.com/settings/applications and look at the entries already there. If in doubt about any entry on that list, REVOKE IT AT ONCE. You can always re-authorize it later when you wish to use that service. Changing your password is also a good security measure whenever you even think you have been hacked, phished, or infected.
I access twitter on a smartphone, how could I be compromised?
The phishing attack used the ‘APP’ API from Twitter to conceal itself, just like any ‘tweet this’ button on a news website or blog. Since your smartphone is not usually vulnerable to the nasties your desktop or laptop is, most people lower their guard. Ironically, the way bit.ly works in the first place means that most users will accept the redirect and never question where they actually landed.
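Since the whole trick is that the short link hides where you land, here is an added example (my own, not part of the original post or any Twitter tooling) that triages a resolved redirect chain the way a careful reader would before typing a password: it checks that the final host is exactly twitter.com, not a lookalike or a user@host trick, and that a login-looking page is served over https. The host lists and sample chains are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts where a genuine Twitter login prompt may appear.
LEGIT_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}
# Assumption: URL shorteners whose redirect target should be inspected, not trusted.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
LOGIN_WORDS = ("login", "signin", "sign-in", "session", "oauth", "authorize")


def host_of(url: str) -> str:
    """Lowercase host of a URL. urlsplit().hostname drops any user@ prefix and
    port, so 'https://twitter.com@evil.example/login' resolves to evil.example."""
    return (urlsplit(url).hostname or "").lower()


def is_genuine_twitter_host(host: str) -> bool:
    # Exact match only: 'twitter.com.evil.example' and 'twltter.com' are rejected.
    return host in LEGIT_HOSTS


def looks_like_login_page(url: str) -> bool:
    parts = urlsplit(url)
    text = (parts.path + "?" + parts.query).lower()
    return any(word in text for word in LOGIN_WORDS)


def triage_redirect_chain(chain: list[str]) -> tuple[str, str]:
    """chain: URLs from the link you were sent to the final landing page.
    Returns (verdict, reason) with verdict in {'phish', 'suspicious', 'ok'}."""
    if not chain:
        return ("suspicious", "empty redirect chain")
    first, last = chain[0], chain[-1]
    final_host = host_of(last)
    via_shortener = host_of(first) in SHORTENER_HOSTS
    if looks_like_login_page(last) and not is_genuine_twitter_host(final_host):
        how = "short link lands on" if via_shortener else "link goes to"
        return ("phish", f"{how} a login-looking page at {final_host}")
    if looks_like_login_page(last) and urlsplit(last).scheme != "https":
        return ("suspicious", f"login page at {final_host} is not served over https")
    if not is_genuine_twitter_host(final_host):
        return ("suspicious", f"landing host {final_host} is not Twitter")
    return ("ok", f"lands on {final_host} over {urlsplit(last).scheme}")


if __name__ == "__main__":
    # Constructed chains: a lure, a user@host trick, and a genuine settings link.
    for chain in (["http://bit.ly/xyz", "http://twitter.com.login-check.example/login"],
                  ["https://twitter.com@evil.example/session"],
                  ["https://bit.ly/abc", "https://twitter.com/settings/applications"]):
        print(chain[-1], "->", triage_redirect_chain(chain))
```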
Is Twitter to blame for a security lapse?
Perhaps, but then again, maybe not. A phishing attack like this makes use of the APIs companies release so that 3rd parties can integrate with their service. I’m certain there is much gnashing of teeth at FailWhaleHQ though, so I’m fairly sure that they will do something about it, even if it is simply to make things worse.
In conclusion:
Be careful what you click or tap. Don’t follow login prompts from emails, blind links, bit.ly or other ‘short’ addresses. When you receive a notice that you think needs action, go to the site in question yourself and log in from there, and don’t be surprised if whatever drew you to act was nothing more than an attempt to phish you. Don’t be a victim.