Twitter Spam: Saying sorry is not good enough…

This week, another wave of phishing attacks has hit users of the popular social networking and microblogging website, Twitter. Cyber criminals have duped users, celebrities and organizations using Twitter into revealing their login credentials. Said credentials were then used to spam and dupe more users of Twitter. While there is nothing new about this type of attack, what is particularly worrying is the extent of this particular attack and the media portrayal of the ‘scammers’ and ‘victims’.
The attack has compromised the Twitter accounts of many high profile users including accounts of Members of Parliament, organizations such as the Press Complaints Commission and even the Twitter account of a retail bank.
The media are portraying all these users as victims of ‘hacking attempts’ and I don’t think that is entirely accurate. In each and every case, the account owner handed over to the attacker the username and password to the account. There was no brute force password attack here, it was simply a confidence trick.
While it is regrettable that these accounts have been compromised, I feel that the account owners are not entirely blameless. Over the last few years, as an internet user and an internet banking customer, I have been lectured time and time again about the importance of thoroughly checking websites before entering my user credentials and logging in. It is something I do instinctively now. But it seems apparent that this message is not filtering down to everyone.
Perhaps the perception of risk in the eyes of regular users is different for social media websites. These sites are used for entertainment and communication. Money infrequently changes hands and sensitive personal information is rarely required to use them. On the face of it, the risks look low.
However, numerous studies have shown that internet users reuse the same login credentials for many of the websites they frequent. As such, in inadvertently revealing your Twitter credentials, you are most likely also compromising your email account security. And once an attacker has access to your email account, they pretty much have access to your entire web life.
The most surprising account to be compromised was that of First Direct bank, especially as their own website contains a page dedicated to staying safe online! While end users might not know any better, organizations that have made the decision to be active on Twitter should! Apologizing simply isn’t good enough; the account should never have been compromised in the first place. This is something that needs to be addressed in company social media engagement policies.
As for regular users, staying safe online is simple:
- If you don’t know what it is, don’t click it!
- Use a different password for each website you use
- If you receive an email message with a generic salutation like “Dear user”, don’t trust it. The organization emailing you (your bank, for example) should know your name and use it!
- If you receive an email message asking you to log into a website, type the website’s URL into your browser – don’t use the link in the email.
- Check the address bar before logging in to a website. Check that you’re actually on the website you think you are and, where appropriate, check for a secure browser connection.
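The last two points amount to a small checklist that can be written down as code. The following is an added example, not part of the original post: it applies the same checks a careful user makes on the address bar (is it HTTPS, is the host really the site I expect, is there anything odd before an ‘@’, are there look-alike characters) to links of the kind that arrive in a phishing email. The allow-list `EXPECTED_HOSTS` and all of the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the host(s) you expect to log in to.
EXPECTED_HOSTS = {"twitter.com", "www.twitter.com"}


def check_login_link(url: str, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason).

    ok is True only when the link points at an expected host over HTTPS;
    otherwise reason names the check that failed. This mirrors what a user
    should verify in the address bar before typing a password.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme.lower() != "https":
        return False, f"not an https link (scheme is {parts.scheme or 'none'!r})"
    if parts.username is not None or parts.password is not None:
        # "user@host": the text before '@' is a username; the real host follows it.
        return False, f"text before '@' is not the host; real host is {host!r}"
    if not host.isascii():
        # Look-alike (homoglyph) characters in the host name.
        return False, f"host {host!r} contains non-ASCII characters"
    if host not in expected_hosts:
        # Catches "twitter.com.something-else.example", which is NOT twitter.com.
        return False, f"host {host!r} is not one of {sorted(expected_hosts)}"
    return True, f"host {host!r} is expected"


# Constructed sample links of the kind seen in phishing emails.
SAMPLE_LINKS = [
    "https://twitter.com/login",                          # genuine
    "http://twitter.com/login",                           # no TLS
    "https://twitter.com.account-verify.example/login",   # expected name as a subdomain
    "https://twitter.com@203.0.113.5/login",              # expected name before '@'
    "https://tw\u0131tter.com/login",                     # dotless i look-alike
]


def triage(links=SAMPLE_LINKS):
    """Run every sample link through the checks and return {link: (ok, reason)}."""
    return {url: check_login_link(url) for url in links}


if __name__ == "__main__":
    for url, (ok, reason) in triage().items():
        print("OK  " if ok else "BAD ", url, "->", reason)
```

The point of the example is the order of the checks: a link can contain the exact words “twitter.com” and still fail every one of them, which is why typing the address yourself, as the post advises, is safer than trusting what a message shows you.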
