Tuesday, March 2, 2010

Twitter Phishing Scams: Reclaim a Hacked Account, Prevention Techniques

Periodically, I get emails from Twitter referencing direct messages from someone I am following that include a link to a phishing scam. A phishing scam is an illegitimate web site, or in this case, an illegitimate Twitter application that tricks you into giving it your username and password. I was fooled once by a Twitter phishing scam but quickly realized what happened and changed my password. Phishing scams are more malicious than Twitter spammers because Twitter spammers are typically only marketing a web site or service and not trying to steal your password.

Examples of phishing scam messages I have seen include "somebody wrote something about you in this blog here (insert phishing link)" and "This you???? (insert phishing link)".

Your Twitter account can be hacked by having your username and password compromised in one of three ways:
  1. A third party Twitter application not using OAuth failed to protect your log-in credentials. *OAuth is a technology that allows you to log in to a third party Twitter application without giving the third party application your Twitter password.
  2. You were fooled by a phishing scam; phishing links use the same tiny URL redirects that are used for many links on Twitter.
  3. Your password was weak and was guessed by a hacker or hacker software.
You can reclaim control of your account by changing your password to something stronger and revoking the access given to third party Twitter applications. You can fight phishing scams and prevent future outbreaks by checking the sent folder of your direct messages to see if there are any illegitimate messages being sent from your account. In addition, you can notify others who have unknowingly sent you phishing scam direct messages. In sum, beware of any links received via a direct message and consider only using third party Twitter applications that employ OAuth. More suggestions can be found on Twitter's support pages.
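Checking the sent folder for the lure-plus-shortened-link pattern described above can be scripted; this is an added example, not code from the original post, and the lure phrases, shortener list and sample messages are constructed assumptions rather than Twitter's own rules.

```python
import re
from dataclasses import dataclass

# Lure phrasings quoted in the post, as constructed regexes (assumption).
LURE_PATTERNS = [
    re.compile(r"\bthis you\b", re.I),
    re.compile(r"\b(somebody|someone) (wrote|said|is saying) (something )?about you\b", re.I),
]

# Constructed sample of URL shortening services; any redirecting host is a candidate.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass
class DirectMessage:
    recipient: str
    text: str


def suspicious_hosts(text):
    """Return the hostnames in text that belong to known URL shorteners."""
    return [h.lower() for h in URL_RE.findall(text) if h.lower() in SHORTENER_HOSTS]


def is_phishing_lure(dm):
    """True when a message pairs a lure phrase with a shortened link,
    the combination the post describes for scam direct messages."""
    return bool(suspicious_hosts(dm.text)) and any(p.search(dm.text) for p in LURE_PATTERNS)


def scan_sent_folder(messages):
    """Return the recipients of sent messages that look like scam DMs,
    so the account owner can warn them and change the password."""
    return sorted({dm.recipient for dm in messages if is_phishing_lure(dm)})


# Constructed sample sent folder, not real data.
SAMPLE_SENT = [
    DirectMessage("alice", "This you???? http://bit.ly/abc123"),
    DirectMessage("bob", "Somebody wrote something about you in this blog here http://tinyurl.com/xyz"),
    DirectMessage("carol", "See you at the meetup tomorrow, 7pm"),
    DirectMessage("dave", "Slides from my talk: https://example.org/slides"),
]

if __name__ == "__main__":
    for recipient in scan_sent_folder(SAMPLE_SENT):
        print(f"warn @{recipient}: your account sent them a scam-looking DM")
```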

Update 05/12/2010

I can't remember the last time I received a phishing scam message from Twitter so they must be doing a better job combating scams.
