January 6th, 2009
The inevitable rise (and fall?) of 'twishing'
The phishing or “twishing” situation happening with Twitter is merely the tip of the iceberg. Rather than dig into the situation myself — including the OAuth debate — I’ve turned it over to one of my more technical-brained friends. Damon Cortesi is a security consultant who has also authored a multitude of Twitter tools, including the popular TweetStats and DM Whacker. Read below for his good perspective on the progression of phishing and Twitter’s security challenges.
Guest editorial by Damon Cortesi
The social network Twitter was the unfortunate target of some pretty heavy phishing this past weekend. Sadly, this is most definitely not a new concept. Phishing and spam frequently go hand in hand, and the first major commercial Internet spam is often cited as occurring in 1994.
What’s also not new is the progression that this will take. Time and time again, we have seen this trend repeat itself in various facets of the Internet.
We’ll start with the simple example: email
Email phishing attempts were originally very obvious and had frequent evidence that indicated a definite lack of legitimacy - spelling errors, incomplete sentences, incoherence, etc. Fast forward to today and I receive emails that are exact copies of legitimate marketing emails sent out by banks and other agencies. The only differences are that the link behind the text points to a different URL, and the email originated from a source not owned by the purported company. I’ve often seen these and had to think twice before I realized I didn’t even have an account at that institution. The majority of these emails are targeted at financial gain by obtaining banking credentials or personally identifiable information.
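As an added example (not from the article or its author), here is a Python check for the two tells just described: a sender domain that is not the purported company's, and link text that shows one host while the href actually points somewhere else. The message, the bank and its domain are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (all names made up): claims to be from a bank, the visible
# link text and real href disagree, and the sender's domain is not the bank's.
SAMPLE_EMAIL = """\
From: Example Bank <alerts@examplebank-secure-login.example>
Subject: Please confirm your account
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="http://198.51.100.7/login">https://www.examplebank.example/login</a></p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
"""
class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Hostname of a URL or bare domain; '' when the text does not look like one."""
    if " " in s or "." not in s:
        return ""
    return urlparse(s if "://" in s else "http://" + s).hostname or ""

def phishing_indicators(raw_message, brand_domain):
    """Report the two tells named above: wrong sender domain, misdirecting link text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender != brand_domain and not sender.endswith("." + brand_domain):
        findings.append(f"sender domain {sender!r} is not {brand_domain!r}")
    collector = _AnchorCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.anchors:
        shown = _host(text)  # plain words such as "Help centre" cannot misdirect
        if shown and shown != _host(href):
            findings.append(f"link text shows {shown!r} but href goes to {_host(href)!r}")
    return findings
```

Run against the sample with `phishing_indicators(SAMPLE_EMAIL, "examplebank.example")` it reports both tells; a message sent from a subdomain of the brand with honest links reports nothing.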
Now let’s take a look at social networks
With the advent of such a large and diverse population on the Internet, social networks have risen tremendously in the past few years. Facebook, for example, has over 140 million active users. MySpace doesn't publish its statistics, but according to compete.com, both sites had approximately 50 million unique visitors in November 2008. With that many users in one place, the networks are a rich target for phishing.
Both MySpace and Facebook have dealt with various forms of spam and phishing attacks. The gold-mine (for scammers) is that these networks facilitate instant communication and proliferation of scams.
There is also a progression here as these networks have grown. Step 1: the early attacks on MySpace and Facebook may have been fairly rudimentary and email-based. Step 2: once the attackers realized how the social networks functioned, we saw attacks in early 2008 taking advantage of Facebook wall posts.
This is a highly effective method because it takes advantage of the false sense of security these networks provide. It requires more development from the attackers, but given a network of 140 million active users in any given month, that's definitely worth it.
Jennifer Leggio, aka "Mediaphyter," writes about the "social business" side of social media - including enterprise, security and reputation issues. See her full profile and disclosure of her industry affiliations.