Schneier on Security
A blog covering security and security technology.
December 24, 2012
Phishing via Twitter
Interesting firsthand phishing story:
A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to login. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.
Posted on December 24, 2012 at 6:31 AM
It is interesting, as we all fall, at least once, for the human factor. I blogged about this a few months ago. If you would be so kind as to review my post, I would appreciate it.
Humans are very curious, this is clearly a trap. Or am I missing something?:
1) a friend, 2) someone, 3) a website, 4) login...
1) Is this a real friend or just a twitter contact?
2) Never trust a Someone
3) a website which looks legitimate. Which website?
4) Never login on a site if you don't know the people/organisation behind it!
@John Doe, this is the kind of trap that any of us could fall for if the spammers happened to get it right for us. I've had messages from friends (real friends) and thought "that doesn't sound like something he would say" and been immediately suspicious. But if the spammers send messages "from" enough people, chances are it'll seem legitimate for some of them.
Fell into that one, didn't you? I often find myself a victim of my curiosity, but I usually open 'suspicious' links on the no-HDD, USB-booted VM. Even from trusted sources. Love your blog and your books, Bruce. Keep it up.
To support the post, how many of you clicked the link posted in "my" note? We are curious and we assign weights to everything, so sooner or later we will fail. That's human behaviour; we can only try to be ready to react to our own failure.
Social engineering is a b*tch! Everyone gets taken in at some point. We are human and fallible after all. But it fascinates me how many supposedly intelligent people get taken in so often. I cannot tell you how many senior executives we deal with that got sucked into Nigerian 419 and other painfully obvious scams. I particularly like their justifications for getting taken in, as some of them are absolutely hilarious.
Not that things like this don't happen, but I think this is a made up story. I mean, look at the first sentence. If that were true, this guy shouldn't be writing for a technology site.
And like John Doe said, what site was spoofed that this guy already had an account at that had access to send spam through his Twitter account?
Maybe he wants to be famous like the wired reporter who got pwnd. I don't know, maybe he woke up late with a hangover and had five minutes to post an article. There just seems to be a lot of missing details in order to make a case for two-factor authentication.
@Alessandro: "To support the post, how many of you clicked the link posted in "my" note? We are curious and we assign weights to everything, so sooner or later we will fail. That's human behaviour; we can only try to be ready to react to our own failure."
Following a link on page is not in itself a risk (unless you happen to run your browser in an unsafe mode). It isn't an exploit/hack/scam/etc; it _is_ what the WWW is _for_.
I didn't follow your link. Not because I'm suspicious, but because it didn't look interesting. You basically said, "I wrote about this once upon a time." You didn't say, "I wrote about a differing take on this which I think is intriguing." But I'll now look at your link to see what your apparent fuss is.
... (visible link appears to match actual link, which is something I commonly look at) ...
.... BS warning that does nothing because of my configuration - no risk to me ...
... site added to blacklist because you like to try to scam people ... (An honest attempt to make your point would have been to post the link with a comment to the effect of, "Look at this and tell me if you would have fallen for it.")
So what is your point?
That people follow links? That's a feature, not a bug. If you aren't going to follow links, get off the Web.
That some people run in unsafe mode and fall for stupid tricks? Well... Yeah. Go do a search on Bruce's blog for a post about 411 scams- scammers are apparently running _stupid_ scams as a first-line stupidity bandpass filter since they figure stupid people who'll fall for anything are more likely to give them money/passwords/etc. So why shouldn't they filter out smart/cautious people to start?
That people apparently trust friends who they don't really know very well (c'mon; if one of my real friends sent me a supposedly personalized message through a specific service that warned of something happening on that service and used bit.ly or another abbreviator to link to that service... WARNING! DANGER, WILL ROBINSON!). I also get suspicious when I get emails from family members telling me they went to some foreign country without mentioning it, and got scammed and now need me to send them money via Western Union.
Just exercise the same personal due diligence that you would (I hope) before dropping money in every beggar's styrofoam cup in front of the local liquor store so he can "go buy a hot meal".
weev seems to think that by popping an SS7 stack you can send fake tweets posing as somebody else. I don't trust the Twitter SMS plugin they cobbled together either. I'm sure we will start seeing this soon.
@Bear I obviously posted a comment on the fact that, like many people, I ran into the same "issue". Besides that, my comment on "how many of you clicked" was not because I like to try to scam people, but because no matter what is "in the link", as humans we are curious... that's it. My post is neither better nor worse than any other post on the subject; it's just a point of view and I shared it as it is... and besides that, Merry Xmas all.
I've gotten that same DM more than once. One guy's account sent it 3 times before he found the app that was doing it and revoked permissions.
@Alessandro: Yeah, people are curious. But there's a difference between merely curious and, "Gee, I wonder what'll happen if I stick my appendage in this thing that looks suspiciously like a meat grinder... AAAIIIIGH! But the scammer _told_ me that was a Fleshlight!"
The only point you've established is that some people are idiots. I don't think there's much we can do about that unless you're into involuntary eugenics.
These phishing DMs in various variations have been going round for a very long time. Wouldn't be surprised if they've been around for well over a year.
- is this you in this picture?
- someone's telling nasty things about you
- you are famous now
Slightly surprised that a tech writer still fell for it, I think these were fairly widely reported on the usual suspects (Mashable, Techcrunch etc)
A couple of years, at least.
At first I thought the story confirmed my suspicions that some writers rarely do any reading on the topics they cover. But I also noticed:
- Loukides' expertise is in programming languages, not tech trends or social media;
- The DM was from someone he followed and trusted, so he would've been automatically less cautious.
Even when a message seems obviously suspicious, we'll usually read it carefully if it comes from a trusted source, in case it's a joke or some reason to be concerned for their welfare. Having said all that though, I've reflex-deleted dozens of messages with that particular wording on Twitter/Facebook/email in the past couple of years -- and I'm no tech or social media expert. Always be vigilant.
I'm amazed that nobody seems to have mentioned the actual main mistake here. He apparently entered his password without checking for a secure TLS connection and verifying the spelling of the domain. You can't tell by looking at a login box if it is the real thing because it is trivial for crooks to make EXACT copies of login boxes.
Another big mistake, though it doesn't apply here, is one that almost everyone makes, which is to run massively over-complex web browsers and operating systems. Simple highly secure web browsers are adequate for the vast majority of purposes and so should be the sane default. But so few people realize it that web pages are designed to only work with complex browsers, so it makes it impossible for the few of us who would like to run a very simple browser.
I also think it is just a matter of time before people realize that something like a smart card but with its own keypad and display is the only thing with simple enough code to be reasonably close to reliably secure for authentication and transactions.
Android has an app that allows you to look at the target of a shortened link before opening it. It's possible that Apple and Microsoft do too.
I got a similar DM from someone I knew - and the weird thing is that it seemed to be about something slightly naughty that I was involved in years ago which this guy knew about. But I checked his Twitter stream first and saw it was hacked, so that's all he wrote.
Another thing he did wrong was blithely log in at a site he was sent to via a URL. No, you don't do that. Type in the URL yourself and then log in (although it's a bit tougher to do this on a mobile device with a limited keyboard than it is on a full computer.)
It is a little bit sad that at the end of his article he claims that this makes a case for two-factor authentication when it does nothing of the sort, but at least one of the comments there points this out.
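The checks several commenters describe (look at where a shortened link really goes before opening it, confirm the connection is HTTPS, and verify the spelling of the domain rather than trusting the look of the login box) can be scripted. The following is an added example for this thread, not code from the post or any commenter: it expands a short link hop by hop using HEAD requests only, so the final page is never loaded, then inspects the final URL for the classic phishing tells. The redirect chain and every hostname in it are constructed for illustration; the `.test` names are assumed and point at nothing real.

```python
"""Preview a shortened link without loading the destination, then check
that the destination really is the site you think it is.

Added example for this thread (not code from the post or its commenters).
The redirect map and hostnames below are constructed for illustration.
"""
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample chain: shortener -> second shortener -> final site.
# The final host is an assumed lookalike: it contains "twitter.com" but is
# really a subdomain of example.test.
SAMPLE_REDIRECTS = {
    "https://t.co/abc123": "http://bit.ly/xyz",
    "http://bit.ly/xyz": "http://login.twitter.com.example.test/session",
}


def head_location_http(url, timeout=5):
    """Issue one HEAD request and return its Location header (or None).

    The redirect is deliberately not followed, so nothing past this hop is
    fetched. Only used when no offline lookup function is supplied."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")  # 3xx surfaces here


def expand(url, head=None, max_hops=10):
    """Follow Location headers one hop at a time and return every URL seen.

    `head` is a function url -> Location-or-None; pass a dict's .get to
    work offline (as the test does). Stops on a loop or after max_hops."""
    head = head or head_location_http
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt:
            break
        nxt = urllib.parse.urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            break  # redirect loop
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess(final_url, expected_host="twitter.com"):
    """Return a list of reasons not to log in at final_url (empty = looks ok).

    Checks the things a login box cannot show you: scheme, the real host
    (not just whether the expected name appears somewhere in the URL),
    user@host tricks, and punycode labels that can hide homograph domains."""
    parts = urllib.parse.urlsplit(final_url)
    host = (parts.hostname or "").lower().rstrip(".")
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        problems.append("userinfo before the host (user@host trick)")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode label in host (possible homograph)")
    if not (host == expected_host or host.endswith("." + expected_host)):
        problems.append(f"host {host!r} is not {expected_host}")
        if expected_host in host:
            problems.append("expected name appears inside a lookalike host")
    return problems


if __name__ == "__main__":
    chain = expand("https://t.co/abc123", head=SAMPLE_REDIRECTS.get)
    print(" -> ".join(chain))
    for p in assess(chain[-1]):
        print("WARNING:", p)
```

Run it against a real short link by calling `expand(url)` with no `head` argument; the HEAD-only expansion means you learn the destination without executing anything it serves. The host check is intentionally strict: `login.twitter.com.example.test` contains the expected name but its registrable domain is `example.test`, which is exactly the pattern a spoofed login page relies on.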
This isn't new -- people have been receiving fake links in their email from "friends" for years. If it's a nonspecific attempt to get you to click on a link, your friends will at least understand if you message them back asking whether it's spam or legit.
Of all of the comments to this post, I think Jeff Hall said it best:
"Social engineering is a b*tch!"
While we’re used to distrusting messages from companies, we aren’t used to distrusting messages from friends.
Seriously? For most people in the infosec community, that pretty much changed around 2002 when the VBS/Loveletter worm/virus broke out.
That approach is very popular on the Russian internet; phishers use IM and social networks like vk.com.
I love the way he falls for a basic abuse of trust that has been on social networks since the dawn of social networks (and this particular form saturating Twitter for years) and turns around and blames the sites for their 'inexcusable' lack of concern about security because they don't implement two factor.
Somebody who can't implement the most basic level of risk analysis is unfit to manage their own two-factor auth. They'll just screw it up and require loads of 'please remind me of my code and my phone number and all my personal details so I can log in' fall-backs, reducing everyone's security.