Over the weekend, Twitter users found themselves the unwelcome recipients of several phishing attacks. Then, on Monday, several high-profile celebrity accounts were hacked and embarrassing messages were sent to their followers: celebrities like Britney Spears, Rick Sanchez of CNN, even President-elect Barack Obama.

At Symantec, we were monitoring the situation from the very first suspicious message on Twitter. We saw well-known people admit to falling for the phish, even celebrities like comedian Stephen Fry. We got a blog entry up on Sunday to outline the basics of the phishing attacks. (Also included is a basic description of what Twitter is, if you're new to the service.) Net/net? Watch out for invitations to click a link wherever they appear, and never share your login credentials, such as account name and password, anywhere but the official website.

The lesson from the hack job at Twitter was that they, like most corporations, are vulnerable in some way or another if internal users can't be trusted. (There is still a possibility that it was an outside hacking job.) This is their opportunity to review their security practices and to tell us, publicly, how those practices are being hardened as a result of this experience. If not, they risk the loss of trust that will kill their brand, just as they are about to cross that ol' chasm and hit the mainstream user.

Users have also been reminded how accustomed we are to trusting web URL shortening services like www.tinyurl.com, which Twitter uses. You can't preview where you will be linked to (unless you manually select the preview option on the tinyurl.com site before you send your "tweet"). Although previewing a URL is NOT a recommended practice for avoiding phishing scams, it is one of the things people do for reassurance. We will need to see that change, and quickly, for trust to be retained in using those services and for people to ever trust links in Twitter feeds. (Why do people include links? I might send a "tweet" message to those who follow me on Twitter so they know I have a new blog entry, and I include the URL link. With a limit of 140 characters in the message, I HAVE to use a URL shortening service for it to work.)

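The preview option mentioned above works because a shortener answers a request for a short link with an HTTP redirect, and the redirect's Location header names the real destination; reading that header without following it reveals where the link goes before anything is loaded. The following added example (not Symantec's or tinyurl.com's code) shows that check against a local stand-in shortener. The short codes, the destination URLs and the `resolve_short_link` name are constructed for the example.

```python
"""Preview where a shortened link points without following it.

Added example, not code from the original post. A shortener answers a
request for a short link with an HTTP redirect whose Location header names
the real destination; reading that header instead of letting a browser
follow it is what a "preview" does. The shortener below is a local stand-in
constructed for this example; its short codes and destinations are made up.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed mapping for the stand-in shortener (hypothetical values).
SHORT_LINKS = {
    "/abc123": "http://login-twitter.example.invalid/verify",  # looks like a phishing page
    "/blog42": "http://example.invalid/blog/new-entry",        # a harmless blog link
}


class _FakeShortener(BaseHTTPRequestHandler):
    """Minimal shortener: 301 to the stored destination, 404 otherwise."""

    def do_HEAD(self):
        target = SHORT_LINKS.get(self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

    do_GET = do_HEAD  # same redirect for GET; no body is needed

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_shortener():
    """Run the stand-in shortener on a free localhost port; return (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def resolve_short_link(short_url, timeout=5):
    """Return the URL a short link redirects to, or None if it does not redirect.

    A HEAD request is sent and the redirect is deliberately NOT followed, so the
    destination is learned without ever loading it.
    """
    parts = urlsplit(short_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def destination_host(short_url):
    """Just the hostname of the destination, the part a reader should judge."""
    target = resolve_short_link(short_url)
    return urlsplit(target).hostname if target else None


if __name__ == "__main__":
    server, base = start_fake_shortener()
    for code in ("/abc123", "/blog42", "/nosuch"):
        print(f"{base}{code} -> {resolve_short_link(base + code)}")
    server.shutdown()
```

The same `resolve_short_link` call works against a real shortener, since it only depends on the redirect that every shortener has to send; the point of `destination_host` is that the hostname, not the look of the short link, is what tells a reader whether a link leads to the official website.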
So what do these hacks and phishing attacks have to do with Bernie Madoff, the Ponzi scheme king who defrauded investors of billions? When we rely upon the intimacy of social networks to make important decisions without continuing to practice the due diligence appropriate for the endeavor, we are vulnerable. Bernie was an apparent sweetheart and charming fellow who allowed others to promote the exclusivity of the investments and the limited time frame to "get in on it"; they always insisted on limiting the players to a select group, and people fell for it. They forgot the basics of investing: asking for records of past performance, asking to understand the investing philosophy, etc. Bottom line: they trusted the friends-and-family approach that was offered and neglected their own security.

Almost every social networking site has had cybercriminals use its trusted environment to stage scams and phishing attacks. Twitter's experience this past week doesn't mean they are untrustworthy as a service. It doesn't mean people will stop using them, as bloggers began claiming on Sunday. It means that any place, real or virtual, where people gather together in a social way can be dangerous, and we all need to remain vigilant wherever we go.

Message Edited by marianmerritt on 01-07-2009 12:19 PM