Over the last couple of days Twitter users have been targeted by a phishing attack. This attack is similar to the email attacks that tempt users to access a URL with intriguing questions like ‘This you??’, but instead of trying to get you to download dodgy programs onto your computer, the Twitter attack attempts to get you to provide the compromised website with your Twitter username and password by faking the usual login page. This great explanation from Mashable includes a video from UK security company Sophos.
What isn’t all that clear is what the benefit is for the hijackers. Unlike an email phishing attack, they are not taking over your PC in order to use it in a denial of service attack, or in order to steal your credit card details. They merely get to speak on your behalf. It doesn’t take too long for your Twitter followers to notice that the tone and content of your tweets have changed and that it’s probably not actually you tweeting. So why would they want to send out a lot of inappropriate messages to people? I guess spammers have their own justifications.
The thing that did become clear is that we are still a long way from everyone understanding how to manage their own security. None of the people caught out by this phishing attack noticed that the faked Twitter login was not on a twitter.com domain and was not using https. This is not their fault: we have reduced the visibility of these things. When was the last time you noticed the https padlock in your browser’s status bar? Even our financial institutions sometimes inadvertently encourage us to provide sensitive information to sites with domains we don’t know.
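The two checks the victims missed (is the host really twitter.com, and is it https) are mechanical, and a browser extension or a link scanner can make them for you. As an added example that is not part of the original post, the function below applies exactly those two tests and rejects the usual look-alike tricks; it assumes that a genuine login only ever appears on twitter.com or one of its subdomains, and the sample links are constructed placeholders, not real phishing sites.

```python
from urllib.parse import urlsplit

# Assumption for this example: a real login page lives on twitter.com
# or a subdomain of it, and nowhere else.
LEGIT_LOGIN_HOSTS = ("twitter.com",)


def is_genuine_login_url(url: str) -> bool:
    """Return True only if the URL uses https and its host is twitter.com
    or a subdomain of it.

    urlsplit() gives us the parsed hostname with userinfo and port
    removed and case folded, so these look-alikes are all rejected:
      https://twitter.com.login-page.example/  (legit name as a prefix)
      https://twitter.com@login-page.example/  (legit name as userinfo)
      http://twitter.com/login                 (right host, no https)
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # None if the URL has no host at all
    if not host:
        return False
    host = host.rstrip(".")  # "twitter.com." is the same name
    return any(host == legit or host.endswith("." + legit)
               for legit in LEGIT_LOGIN_HOSTS)


def suspicious_links(urls):
    """Return the links that fail the check, in their original order."""
    return [u for u in urls if not is_genuine_login_url(u)]


# Constructed sample links: a mix of genuine and look-alike login pages.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.com/login",
    "https://twitter.com.login-page.example/",
    "https://twitter.com@login-page.example/",
]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print("do not enter your password here:", link)
```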
On top of this, users really don’t understand the control they have over access even when it is given to them. The additional security provided by Twitter OAuth, which lets you give permission to other applications to post on your behalf, becomes a security risk when people don’t realise that this control must be managed and monitored. This great post from Terrence Eden explains more.
