If you receive a direct message or a direct message email notification that redirects to what looks like Twitter.comódon't sign in. Look closely at the URL because it could be a scam.We've identified a phishing scam directed at Twitter users and we don't want you to get tricked into giving your password to a scammer.
This particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email says something like, "hey! check out this funny blog about you..." and provides a link. That link redirects to a site masquerading as the Twitter front page. Look closely at the URL field, if it has another domain besides Twitter but looks exactly like our page then it's a fraud and you should not sign in.
Msg#: 3819663 posted 6:47 pm on Jan 5, 2009 (gmt 0)
It appears that quite a few big names got hacked with Fox News and Britney Spears in the mix.
I'd expect to see much more of this moving forward. The way people share their usernames/passwords with third party services is pretty alarming. The article even makes mention of it...
And because there are so many third-party applications based on Twitter's application program interface (API), tons of avid users are used to throwing their Twitter passwords around left and right. That is, it goes without saying, probably not the safest habit to get into.
Msg#: 3819663 posted 7:19 pm on Jan 5, 2009 (gmt 0)
While this kind of news may give some of us a laugh, there is a more serious issue of infrastructure design that this news really underscores.
Too many of these sites are not paying attention to basic security concepts. A failure to really do things that are obvious like maintaining some form of educational programs for users to help them understand the nature of the "Bad Guys" and how to avoid identity theft are lacking at major sites. If a top CNN anchor can fall for this kind of nonsense, certainly "joe 6 pack" does not have much of a chance. Our job as webmasters is partially to help folks understand how to secure themselves because it goes to our own best interest to keep trust and security online high on our priority lists.
Perhaps sites will learn the benefits of using such basics as encryption keys to help users authenticate themselves. While that may not help in cases where a user's machine has already become a compromised zombie like its owner, for the slightly more alert, it could present a vehicle to idenfity and secure users.
Of course, with "trusted" certificate issuers still working from MD5 algos rather than SHA for their "secure" certs, even core infrastructure companies need to pay better attention. But *that* is a whole other story.
Msg#: 3819663 posted 8:35 pm on Jan 5, 2009 (gmt 0)
I suggest those who get hacked keep a close eye on their spam email folders for emails originating from their own websites. It's not so much the twitter accounts and ability to send twitter messages some people want to hack, they'd much prefer sending out spammy emails that appear to be from you. Getting into your twitter account is just an added bonus but they are checking to see if that infor gets them into juicier places too.
[edited by: JS_Harris at 8:36 pm (utc) on Jan. 5, 2009]