Twitter Security: Tweetie Pie Panic

[Update info moved to new blog post on 6th January]

In deference to all those old enough to get a panic attack when reminded of how bad pop music was capable of being in the 1970s, I’ll try to overcome by the urge to mention "Chirpy Chirpy Tweet Tweet".

Anyway, to business. Having all the blogs I can handle already, I’ve avoided the Twitter microblogging tool so far, but my curiosity has been piqued over the past few days by references to Twitter phishing. Inevitably, the issue has become higher profile because of the confession by Stephen Fry (the UK actor/writer/presenter etc. recently seen criss-crossing the USA in, for some reason that escaped me, a London taxi) that he responded to a phish by clicking on a link sent to him in a DM (Direct Mail).

" Lawks. Hope I haven’t been phished for all my details. Clicked on scam URL last night before I knew what it was. Eeek. x"

So does this tell us anything really useful?

It certainly tells us that even celebrities-with-a-brain can be duped by social engineering. Actually, quite basic social engineering. The scams in question have, so far, been along the lines of:

  • "Hey, look at this funny blog"
  • "Click here to win an iPhone

(I’m desperately trying to avoid making any uncalled for comment about Jeremy Clarkson and celebrity brain power here. )

Meanwhile, back at the plot… This sort of "click here" social engineering is something most of us are inured to after many years of seeing similar stings in email, IM etc. In fact I specifically mentioned it a couple of days ago here. But context is important. If it wasn’t for the fact that many legitimate organizations are so careless about sending out messages that are barely distinguishable from phish messages, the phish problem would be much less significant. Besides, anyone might drop their guard from time to time.

Michael Miller, in a recent book called "Is it Safe?" (not a bad book at all, by the way, as far as I can see from a quick skim: I’ll come back to that in a future blog, maybe) includes a note about how he was fooled by an eBay "fake question" phish. In fact, at the very beginning of the phish explosion, I too nearly logged in to a fake eBay site: like Miller, I’m a natural sceptic (paranoid, even), but it so happened that it took the form of a query about my account and it arrived within hours of my actually opening an eBay account, so the timing was perfect. Fortunately, the fact that it wasn’t in any way personalized tipped me off that it was a fake before I clicked on anything. Twitter has been regarded by its users as a "safe" context, up to now, though of course that simply means that it took the bad guys a while to see its potential.

What potential would that be, you may ask? Frankly, the sky is probably the limit, long term. In the short term, though, there are a couple of immediate possibilities, apart from fairly trivial testing-the-water or teen-hacker doing-it-because-I-can motives.

  • Many people re-use passwords: stealing the password for one fairly trivial account may result in serious exposure elsewhere
  • Stealing access from a celebrity account immediately ups the social engineering potential.

There are definite positives, though, in this event, and this is the one that I found most inspiring. All too often, an organization will react to a security problem with knee-jerk denial or complete silence. Twitter, however, responded with a useful blog, They also, apparently, reported the fake web page and a similar fake Facebook page. It’s always encouraging to find a provider taking some responsibility for abuse of their service rather than blaming the security industry for the fact that we don’t detect all known and unknown puddy cats.

Thanks to Sara for nudging me into looking into this, and also to Graham Cluley and Jack Schofield for their very useful blog posts on the same issue. And now, for the information of those millions of people who are waiting to follow my every movement on Twitter… no, let’s not go there.



Author David Harley, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.