Welcome to WebmasterWorld Guest from 126.96.36.199
Forum Moderators: rogerd
If you receive a direct message or a direct message email notification that redirects to what looks like Twitter.comódon't sign in. Look closely at the URL because it could be a scam.We've identified a phishing scam directed at Twitter users and we don't want you to get tricked into giving your password to a scammer.
This particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email says something like, "hey! check out this funny blog about you..." and provides a link. That link redirects to a site masquerading as the Twitter front page. Look closely at the URL field, if it has another domain besides Twitter but looks exactly like our page then it's a fraud and you should not sign in.
I'd expect to see much more of this moving forward. The way people share their usernames/passwords with third party services is pretty alarming. The article even makes mention of it...
And because there are so many third-party applications based on Twitter's application program interface (API), tons of avid users are used to throwing their Twitter passwords around left and right. That is, it goes without saying, probably not the safest habit to get into.
Too many of these sites are not paying attention to basic security concepts. A failure to really do things that are obvious like maintaining some form of educational programs for users to help them understand the nature of the "Bad Guys" and how to avoid identity theft are lacking at major sites. If a top CNN anchor can fall for this kind of nonsense, certainly "joe 6 pack" does not have much of a chance. Our job as webmasters is partially to help folks understand how to secure themselves because it goes to our own best interest to keep trust and security online high on our priority lists.
Perhaps sites will learn the benefits of using such basics as encryption keys to help users authenticate themselves. While that may not help in cases where a user's machine has already become a compromised zombie like its owner, for the slightly more alert, it could present a vehicle to idenfity and secure users.
Of course, with "trusted" certificate issuers still working from MD5 algos rather than SHA for their "secure" certs, even core infrastructure companies need to pay better attention. But *that* is a whole other story.
[edited by: JS_Harris at 8:36 pm (utc) on Jan. 5, 2009]