Tuesday, January 6, 2009

Twitter Outwitted


First there was Facebook, and now Twitter users have been lured into a phishing scheme causing some users to give up their Twitter username and password to a site "masquerading" as Twitter.com. (This is what easily could have happened to CheckFree users instead of them being brought to a blank page...and what will happen more and more in the not so distant future.) This may be a drill, to test the waters. I predict it will happen frequently in 2009, and I predict there will be a post on the subject tomorrow morning...adorned with the same graphic that's on the laptop on the right...

The phishing links arrived as direct messages, usually saying something like “hey! check out this funny blog about you….” If you clicked on the provided link your browser was redirected to the URL twitter.access-logins.com, which looks just like the main Twitter login page, but steals your credentials. 

With a main domain name of access-logins, this phishing scheme is not what you’d call subtle, but if you’re worried you might have been duped, the Twitter blog suggests changing your Twitter password. It appears that all the scammers did with the captured login info is send more direct messages, furthering the scam. If you’ve been suckered, Twitter will reset your password for you.

While Twitter did a good job of containing the problem, the suggestion that you not give out your “secret info” is a bit ironic since that’s the only way you can access Twitter through third-party sites and apps.

News of the attack led many a savvy Twitter user to gripe about the service’s lack of OAuth support, but, while OAuth would allow third party sites to access your Twitter account without giving up your password, it wouldn’t completely stop phishing attacks.

But OAuth would have one huge benefit that could lessen phishing attacks on Twitter: it would get users out of the habit of giving their Twitter username/password to any cool new site that pops up without thinking about the potential side effects — like the fact that you just gave an unknown party complete access to your account...

Read more at wired.com
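As an added illustration (not from the Wired article or from this blog), here is a small Python check for the hostname trick the excerpt describes: the brand name appears as a subdomain while the registrable domain belongs to someone else. The suffix set and the brand map are constructed stubs for the demo; a real deployment would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes (stub for this example);
# a real deployment would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Brand labels and the one registrable domain each is allowed to live under
# (constructed map; only Twitter matters for the case on this page).
TRUSTED = {"twitter": "twitter.com"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname, e.g.
    'twitter.access-logins.com' -> 'access-logins.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Classify a login-page URL as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means a trusted brand name appears as a hostname label (or
    inside a hyphenated label) while the registrable domain is not the
    brand's own, which is exactly the twitter.access-logins.com pattern."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    for brand, real_domain in TRUSTED.items():
        if reg == real_domain:
            return "trusted"
        # Brand label present but hosted under a foreign registrable domain.
        if any(brand in label.split("-") for label in labels):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("http://twitter.access-logins.com/", "https://twitter.com/login"):
        print(u, "->", classify_login_url(u))
```

The check is deliberately based on the registrable domain rather than on whether the page "looks like" Twitter, since visual similarity is exactly what the phishing page controls.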

