Twitter Hacks, Phishing Attacks and Bernie Madoff

Over the weekend, Twitter users found themselves the unwelcome recipients of several phishing attacks. Then, on Monday, several high-profile celebrity accounts were hacked and embarrassing messages were sent to their followers. The victims included Britney Spears, Rick Sanchez of CNN and even President-elect Barack Obama.


At Symantec, we were monitoring the situation from the very first suspicious message on Twitter. We saw well-known people admit falling for the phish, even celebrities like comedian Stephen Fry. We got a blog entry up on Sunday to outline the basics of the phishing attacks. (Also included is a basic description of what Twitter is, if you're new to the service.) Net/net? Be wary of invitations to click a link wherever they appear, and never enter your login credentials, meaning your account name and password, anywhere but the official website, reached by typing its address yourself rather than by following a link in a message.


The lesson from the account hijacking at Twitter is that Twitter, like most corporations, is exposed in one way or another if its internal users and internal tools can't be trusted. (There is still a possibility it was an outside hacking job.) This is their opportunity to review their security practices and to tell us, publicly, how those practices are being hardened as a result of this experience. If they don't, they risk a loss of trust that will damage their brand, just as they are about to cross that ol' chasm and reach the mainstream user.


We users have also been reminded how accustomed we are to trusting URL shortening services like www.tinyurl.com, which Twitter uses to shorten links automatically. A shortened link gives no hint of where it leads, and you can't preview the destination unless you manually select the preview option on the tinyurl.com site before you send your "tweet". Previewing a URL is not, on its own, a recommended defense against phishing scams, but it is one of the things people do for reassurance. We will need to see that change, and quickly, for trust to be retained in using those services and for people to ever trust links in Twitter feeds. (Why do people include links? I might send a "tweet" message to those who follow me on Twitter so they know I have a new blog entry, and I include the URL. With a limit of 140 characters in the message, I HAVE to use a URL shortening service for it to fit.)
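Here is how a shortener hides its destination, and how to peek at that destination without ever loading the page, as an added example that is not part of the original post. The shortener answers a request with an HTTP redirect (301 or 302) whose Location header carries the real address; a normal browser follows it immediately, which is the whole problem. The code below sends a single HEAD request and reads the Location header without following it, then checks whether the final hostname is a trusted site or merely embeds a trusted brand name. The function names, the trusted-site list, the hostnames and the canned responses are all my own constructions for illustration; the only real API used is Python's standard http.client.

```python
# Added example (not from the original post): preview where a shortened link
# goes without loading the destination page. All hostnames and responses
# below are constructed for illustration.
import http.client
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
Response = Tuple[int, Optional[str]]          # (HTTP status, Location header)


def head_no_redirect(url: str, timeout: float = 5.0) -> Response:
    """One HEAD request; returns the status and Location header, nothing more.

    A shortener answers with 301/302 plus Location. We deliberately do not
    follow it, so the destination (possibly a phishing page) is never fetched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme: {parts.scheme!r}")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def walk_redirects(start: str, fetch: Callable[[str], Response], max_hops: int = 5) -> List[str]:
    """Return the full chain start -> ... -> final URL.

    `fetch` is injected so the logic runs offline against canned responses;
    pass head_no_redirect for a live lookup. Shorteners are often chained
    (one short link pointing at another), hence the loop and the hop limit.
    """
    chain = [start]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the URL that sent it.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects from {start}")


def classify_host(url: str, trusted_hosts: List[str]) -> str:
    """'trusted' if the host is (a subdomain of) a trusted site, 'lookalike'
    if it merely embeds a trusted brand name somewhere, else 'unknown'.
    The lookalike test is a crude heuristic, good enough to raise a flag."""
    host = (urlsplit(url).hostname or "").lower()
    for trusted in trusted_hosts:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    brands = [t.split(".")[0] for t in trusted_hosts]
    if any(brand in host for brand in brands):
        return "lookalike"
    return "unknown"


def preview(short_url: str, trusted_hosts: List[str],
            fetch: Callable[[str], Response] = head_no_redirect) -> Tuple[str, str]:
    """Expand a short link and say whether the final host should be trusted."""
    chain = walk_redirects(short_url, fetch)
    final = chain[-1]
    return final, classify_host(final, trusted_hosts)


# Constructed responses standing in for the network, so the example runs offline.
CANNED: Dict[str, Response] = {
    "http://tinyurl.com/blogpost": (301, "https://www.symantec.com/connect/blogs/"),
    "https://www.symantec.com/connect/blogs/": (200, None),
    "http://tinyurl.com/freeprize": (301, "http://twitter.com.login-check.example/verify"),
    "http://twitter.com.login-check.example/verify": (200, None),
    "http://tinyurl.com/relative": (302, "/settings"),
    "http://tinyurl.com/settings": (200, None),
    "http://tinyurl.com/loop": (302, "http://tinyurl.com/loop"),
}


def canned_fetch(url: str) -> Response:
    """Stand-in for head_no_redirect that answers from the constructed table."""
    return CANNED.get(url, (404, None))


TRUSTED = ["twitter.com", "symantec.com"]   # constructed trust list

if __name__ == "__main__":
    for short in ("http://tinyurl.com/blogpost", "http://tinyurl.com/freeprize"):
        final, verdict = preview(short, TRUSTED, canned_fetch)
        print(f"{short} -> {final}  [{verdict}]")
```

The point of the injected `fetch` is that the redirect-walking and host-checking logic can be exercised against the canned table above without touching the network; swapping in `head_no_redirect` gives a live preview that still never requests the destination page itself. The lookalike check is deliberately simple: a host such as "twitter.com.login-check.example" ends with a domain you do not trust, even though it begins with one you do, and that is exactly the pattern the weekend's phish relied on.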


So what do these hacks and phishing attacks have to do with Bernie Madoff, the Ponzi scheme king who defrauded investors of billions? When we rely upon the intimacy of social networks to make important decisions, without continuing to practice the due diligence appropriate for the endeavor, we are vulnerable. Bernie was, by all accounts, a charming fellow who let others promote the exclusivity of his investments and the limited time frame to "get in on it"; the players were always restricted to a select group, and people fell for it. They forgot the basics of investing: asking for records of past performance, asking to understand the investing philosophy, and so on. Bottom line: they trusted the friends-and-family approach that was offered and neglected their own security.


Almost every social networking site has had cybercriminals use its trusted environment to stage scams and phishing attacks. Twitter's experience this past week doesn't mean it is untrustworthy as a service, and it doesn't mean people will stop using it, as some bloggers began claiming on Sunday. It means that any place, real or virtual, where people gather together in a social way can be dangerous, and we all need to remain vigilant wherever we go.

Message Edited by marianmerritt on 01-07-2009 12:19 PM