Phishing is for the birds

One of the largest threats facing users today is from Phishing attacks, or social engineering attempts at getting the average person to click on a malicious link.

photodune-5417415-twitter-s
The most common form of phishing comes from email however, another form can come from sources like social media, such as Facebook or Google+, services that typically have anti-spam, phishing and exploit features.

Though with every successful integration of anti-spam, anti-phishing and anti-exploit functionality, the bad guys go right back to the drawing table to find a new way to make your life miserable.

This post is not really about an instance of Phishing but rather the potential for it, now on Twitter.

Back in 2011, Twitter introduced an option to a bunch of accounts (but not all) to get direct messages on their twitter account from people they didn’t follow, which is the current requirement.

Obviously it didn’t go well because soon after, that feature went away.

However, it’s back again!  This time the circumstances are the same, a bunch of accounts have the feature (which is automatically turned OFF) but not all, me included =(.

twitter_dm-100058034-orig

Courtesy of Tech Hive & Twitter http://goo.gl/VD7xJt

The problem here, is that one has to consider the potential for not only spam but also phishing and exploit messages being sent directly to a user (just like with email).

How many of you tweeters would say that while they may not trust 90 percent of their e-mail, if they got a direct message on Twitter, they are more likely to click on a link included with it?

Either way, trust and the internet should not be two terms that go hand in hand since (as I heard in a documentary recently) “The Internet is a bad neighborhood.”

So while we are on the topic of Twitter and security, let’s talk about a few other features that Twitter users might find useful in ensuring their accounts stay secure.

Security and Privacy:

When logged into Twitter, go to your account settings (the gear looking thing next to the compose button, then click on “Settings”). In the Security and Privacy Tab to the left, is the treasure trove of Twitters security settings.  Let’s look at the security portion first.

Security

The screenshot above shows the settings tab on my account, I disabled my usual settings to keep the bad guys guessing!

I highly recommend using either the “Send Login Verification Request To Your Phone or “Twitter App” Options, they do make logging in a little more of a pain but I would think it was worth it to avoid sending spam tweets to all your friends, potentially infecting your grandparents with Ransomware or having some hacker group pwn your account.

The Password Reset option of requiring personal information is TOTALLY REQUIRED.  While it might not be a sure fire way to avoid unauthorized logins, it’s still good to have extra security to make it a bit more difficult for the bad guys to take over your account.

The next section is labeled Privacy and while the options I am going to discuss do follow under that label, they are just as important for security.

Privacy

Tweeting, just like posting to Facebook or screaming your inner most thoughts out of a moving bus in the middle of a crowded city, can give away a lot of personal information about you, bad guys can use this to create a personal file on you and maybe even use things you mention in your status updates and tweets to answer security questions for other accounts.  An example of this is:

  • Tweet: Going to see my Grandma Shirley today, really excited and I know my Mom is too! #YAY
  • Gmail Security Question:  Maternal Grandmother’s First Name:

See my point? Now the first option in the Privacy tab keeps your tweets only to people who you want to see your tweets, no one else.  This helps to keep those personal things you tweet to people you trust and not into the hands of a bad guy using a search engine.

The second option is adding a location to your tweets, for this option I only have one opinion on it: NEVER ENABLE THIS OPTION!

Unless you are a world traveler with no actual address and constantly on the move, adding locations to your tweets are great ways not only for cybercriminals to find out very personal things about you but also non-cyber criminals who had been following you on Twitter know exactly when to break in and rob you.

I highly recommend, regardless of the social media outlet you choose to use, never ever put a location down unless you are talking about the address of a burger joint you may or may not visit in the non-specific future.

Conclusion

Well I hope you enjoyed today’s look at Phishing and how to keep your Twitter safe from predators, if you want more information about Phishing attacks please check out some of our previous blogs.

Thanks for reading & safe surfing!

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.