Hacked Twitter accounts: silly spammers or cunning con men?

Posted on 26/07/2011

Last week was the first time I’ve felt vulnerable online for ages. I stupidly fell for a phishing attack and found my Twitter account sending out hundreds of messages to friends, followers and utter strangers. Fortunately they were pretty benign (“is this you in this photo?”), followed by a link to a faked Twitter homepage, but it’s been a long while since things went wrong in this way.

Back when I was 15, I fell for another phishing scam with my Hotmail account. Total_gnostic (as I was known) received an email from admin01@hotmail.com, informing me that Hotmail was about to begin removing inactive email accounts. Knowing nothing about web analytics (this was 2002…) and assuming it was authentic, I forwarded my name and password on. By the next Monday my account had been switched to Swedish language, I was receiving buckets of spam email and I’d asked several of my friends out on MSN Messenger. Massive fail.

I can probably excuse myself for that. The world as a whole was still fairly new to the Internet and the term phishing only became mainstream several years later. I was also a naive teenager scared of losing my lifeline to friends: MSN messenger. Along with most people at my school, I spent almost every evening on there talking with friends. It was where we hung out, doing more or less the same things online as we would in person. This was a while before Facebook; MSN felt totally separate from the Internet (you had to download software), and as long as you remembered who you were talking to in each conversation box, there was nothing else to it.

Right now I feel like a tool after having fallen for a similar scam a second time. It was fundamentally the same, but appeared totally different. It also played to my vulnerabilities perfectly:

Attack at dawn. I am not a morning person. If I get a message at 7 am, I’m not about to question its authenticity. Not until I’ve had a coffee, anyway.

Find someone you trust. The message appeared from a relatively trusted source (an ad industry organisation called “Now even whiter”). I assumed it was serious.

Using something familiar in an unfamiliar way. The message came via the private message feature. Maybe I’m wrong about this, but if I don’t have something I’m happy to say in public via Twitter then I don’t say it at all. In fact, I don’t know anyone who uses this feature.

Great copy. Phrased in a way that means different things to different people, the message could have worked from any angle. The “is this actually your photo?” that I received made me wonder if I’d posted one of their images online without attributing it to them. Someone else received “is this you in this photo?” from my account and assumed it was a compromising photo from a night out.

Aware of technology. Link shorteners are handy but they also hide the URL. I had no idea what I was clicking through to, but then again I never do on Twitter. I’d always taken it for granted. On top of this, mobile phones don’t immediately display the URL at the top of the page and when the Twitter homepage (or so I thought) appeared, I stupidly just entered my login details.
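The two technical points above (a shortener hides the destination, and a lookalike login page is hard to tell from the real one on a phone) can be checked mechanically before a login form is ever filled in. The following is an added example, not code from the original post: it expands a short link through a constructed redirect table that stands in for the shortener’s HTTP redirects (so it runs offline), then accepts the final page only if it is served over https and its hostname is twitter.com or a subdomain of it. All URLs, hostnames and function names here are made up for the example.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for a shortener's 301/302 responses.
# A real checker would issue HEAD requests and read the Location header instead.
REDIRECTS = {
    "http://short.example/def": "https://twitter.com/home",
    "http://short.example/abc": "http://twitter.com.login-verify.example/session",
    "http://short.example/ghi": "http://short.example/abc",   # chains via another short link
    "http://short.example/loop": "http://short.example/loop",  # redirect loop
}


def expand(url: str, max_hops: int = 10) -> str:
    """Follow the redirect chain until a URL that does not redirect is reached."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop")
        seen.add(url)
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")


def host_belongs_to(url: str, expected: str) -> bool:
    """True only if url is https and its hostname is `expected` or a subdomain of it.

    urlsplit().hostname discards userinfo and port, so 'twitter.com@evil.example'
    resolves to evil.example; the suffix test rejects 'twitter.com.evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # a login page served over plain http is not the real one
    host = (parts.hostname or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def is_safe_login_link(short_url: str, expected: str = "twitter.com") -> bool:
    """Expand the short link and verify the landing page belongs to `expected`."""
    try:
        final = expand(short_url)
    except ValueError:
        return False  # loops and endless chains are treated as unsafe
    return host_belongs_to(final, expected)
```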

I don’t think the people behind this attack are geniuses and I wasn’t a totally unsuspecting victim. I should have known better than to follow up a weird message like that, and I definitely shouldn’t have entered my details into the page (my mobile browser already knows my password). Once again, the main reason I ignored all this is that these are all relatively new technologies. My phone can be a bit flaky with its settings and I’m just too trusting of online technology. There are so many positive things about the net and social media, but I’ve experienced first-hand what happens when it goes wrong. Unfamiliar is still good, but in future I’ll proceed with more caution.

Having had to reset my passwords and account permissions, I will at least make sure I don’t fall for the same scam a third time. Fool me once, shame on you; fool me three times…?

NB. If this ever does happen to you, here’s Twitter’s advice:

  1. Change your password. If you use the same password across multiple accounts, change those too.
  2. Check your account settings. Are there any unfamiliar applications with permission to access your account? Remove these, or if you’re unsure remove them all.
  3. Contact Twitter to notify them.