140Char

Microblogging news, tools and resources: Twitter, Google Buzz, Tumblr, Identi.ca, Yammer, Posterous

The aftermath of Twitter's biggest phishing scam

Dan Thornton | March 1, 2010

Over the last week, many people have fallen foul of the latest phishing scam to do the rounds of Twitter. And an unusual number of high-profile individuals have been included in the list of users affected, including the Press Complaints Commission, BBC correspondent Nick Higham, the Guardian’s Head of Audio Matt Wells, the bank First Direct, and environment minister Ed Miliband.

Environment Minister Ed Miliband caught by phishing scam

Phishing scams have long been endured by most internet users – the traditional mechanism has been email, but as social networks have become hugely popular, they’ve become the vector of choice. And Twitter is particularly attractive, as the speed with which messages can spread is combined with the use of short urls, which help to mask the malevolence of the message.

While this is just another example of the huge number of phishing attempts which exist, the higher profile of these attacks, as they affect prominent politicians, will hopefully lead to better awareness and a better response from governments.

It’s probably a forlorn hope, but for example, here are some things which might change:

  • More education about phishing and spam to the ‘general public’ – how about a public awareness campaign?
  • More understanding about how normal users can have accounts compromised very easily – for instance, with ‘Three Strikes Rules’.
  • More people using offline backups of any content that is valuable or useful to them
  • More of a move towards data privacy, and Vendor Relationship Management, to allow users to only share the information they choose with any service provider under strict controls.
  • A rethink of the UK Identity Card scheme which includes private businesses taking fingerprint and photos.

Importantly, it should place the risks of social engineering alongside those of teenage cyberwarfare specialists taking down defence satellites from their bedroom. If a private company was, for example, storing fingerprint data, you wouldn’t need to target their infrastructure (although I’m not sure most chemists have a particularly high level of internet security) – you’d use social engineering on their employees via Facebook, Twitter, or offline in person to gain information and access.

Of course, technology can play a part, and I’m sure Twitter will increase their response to phishers in future, particularly as a high profile attack via any platform is never good for PR. But any measures will always be part of a never-ending arms race, and only when every individual is educated enough will there be any noticeable difference…

Categories: Twitter
Tags: cures, ed milliband, first direct, hacking, phishing, scam, security, social networking, solutions, Twitter

Another round of spam phishing hits Twitter

Dan Thornton | February 22, 2010

Twitter has become one of the prime targets for phishing and spam attacks, due both to its huge growth in user numbers and to the ease with which messages can spread (partly due to the inherent weakness of using short urls).

The latest example is the BZPharma ‘LOL this is funny’ attack, as detailed by security firm Sophos. Messages include ‘Lol. this is me??’, ‘lol , this is funny’ and ‘Lol. this you??’, and include a link which looks like ‘http://example.com/?rid=http://twitter.verify.bzpharma.net/login’ – with the example.com element varying between a number of addresses.

There’s a handy YouTube video with details of the problem. Links are appearing both in private Direct Messages and in public feeds – plus some third-party services allow DMs to be made public, sharing the phishing attack more widely.

Click on the dodgy link and you’ll go to a fake Twitter login page, which replicates the Fail Whale when you attempt to log in, and then redirects you back to the real Twitter page to make you believe your account hasn’t been hit. The same technique is also being used to phish Bebo accounts.

And after the first wave of attacks compromised accounts, there’s now a wave of spam selling herbal viagra, with messages including “Get bigger and have sex longer. go here”

So besides double-checking you’re on the real Twitter site before logging in, keep an eye on your sent messages for any clue your account has been compromised, and also watch out for messages being sent by even trusted friends.

You can also take a look at the full Sophos update on the attack.

Categories: Twitter
Tags: attack, direct messages, Microblogging, phishing, porn, scam, tweets, viagra spam

Twitter phishing attack – the implications

Dan Thornton | January 5, 2009

Twitter has been hit by the first major effort to ‘phish’ account details and spam users with links to a fake login page via Direct Messages from compromised accounts.

The Twitter team has responded with a warning on the main web access page, and a warning on the Twitter blog. You can see the uproar it’s causing on Twitter via Twitter Search.

Currently the DMs are enticing people with:

  • Here’s a funny blog about you
  • Your picture is on this blog
  • You’ve won a free iphone

Luckily the phishers are at least sticking to the grand tradition of email spamming by either trying to entice you with a blatantly ‘too good to be true’ offer, or something personal with the link to a fake Twitter log-in page displayed in full, so hopefully the word has spread to most people.

However, this is likely to be just the start. As Pete Cashmore pointed out at Mashable, this is a sign Twitter has reached a big enough size to be a viable target for scams – a positive sign for Twitter’s growth perhaps, but also a sign that the scammers and spammers are coming, with pretty big implications for Twitter users.

Shortened urls:

For starters, we were all lucky in some ways that the bloggers obviously aren’t familiar with Twitter culture, and were displaying the full url of the fake website, meaning that even if the DM came from someone we absolutely trusted, we had a warning before clicking.

But given that the character limit of Twitter means that shortened urls are the norm, it will be almost impossible to detect whether a link is likely to be fake before at least visiting it – meaning an urgent need for preview functionality for shortened urls at the bare minimum.
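The two tricks described in these posts (the ‘LOL this is funny’ link above, whose query string carries a second URL on a twitter-lookalike subdomain of another domain, and the shortened-url problem raised in this section) can both be caught by a small link "preview" check before anyone clicks. The following is an added example, not code from 140Char or from Twitter, Sophos or any url-shortening service. It assumes a constructed redirect table standing in for a real HEAD request to the shortener, a crude two-label notion of "registrable domain", and constructed sample links; the only address quoted from the posts is the bzpharma one.

```python
"""Added example: preview a (possibly shortened) link and flag the tricks the
140Char posts describe. Not part of the original posts."""

from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed redirect table standing in for resolving a short link with a
# HEAD request. A real checker would follow Location headers without ever
# fetching the page body. Hypothetical host sho.rt is used for the sample.
SHORT_LINKS: Dict[str, str] = {
    "http://sho.rt/abc": "http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "http://sho.rt/def": "http://twitter.com/home",
}

TRUSTED = {"twitter.com", "bebo.com"}  # registrable domains we expect to see
BRANDS = {"twitter", "bebo"}           # brand names phishers borrow for lookalikes


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for .com/.net lookalikes like
    twitter.verify.bzpharma.net; a real tool would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def expand(url: str, max_hops: int = 5) -> str:
    """Follow the redirect table until the link is no longer a known short link,
    with a hop limit and loop check so a malicious chain cannot spin forever."""
    seen = {url}
    for _ in range(max_hops):
        if url not in SHORT_LINKS:
            break
        url = SHORT_LINKS[url]
        if url in seen:
            break
        seen.add(url)
    return url


def embedded_urls(url: str) -> List[str]:
    """Return any full URLs carried inside query-string values, e.g. ?rid=http://..."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def check(url: str) -> List[str]:
    """Return human-readable warnings for a link; an empty list means nothing
    obvious was found (which is not the same as the link being safe)."""
    final = expand(url)
    warnings = []
    if final != url:
        warnings.append(f"short link expands to {final}")
    carried = embedded_urls(final)
    for target in [final] + carried:
        host = (urlsplit(target).hostname or "").lower()
        # A brand name anywhere in a host that is not on the brand's own
        # registrable domain is the classic lookalike pattern.
        if registrable_domain(host) not in TRUSTED and any(b in host for b in BRANDS):
            warnings.append(f"brand name used on untrusted domain: {host}")
    if carried:
        warnings.append("URL carries another URL in its query string (redirect-style link)")
    return warnings


if __name__ == "__main__":
    for sample in ("http://sho.rt/abc", "http://sho.rt/def", "http://twitter.com/home"):
        print(sample, "->", check(sample) or ["no warnings"])
```

Running the block prints the warnings for each constructed sample; the bzpharma link trips both the lookalike and the redirect-style check, while the short link that resolves to twitter.com only reports where it expanded to.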

Warning systems:

A lot of Twitter users picked up on the scam messages via friends, and stayed up to date with information via the #phishing hashtag etc – Twitter responded promptly with a warning on the website and blog. But what about the many, many people using a client to access Twitter and their Direct Messages? And those using mobiles to access the service?

Will everyone get a warning via each client and application? Unlikely at the moment, unless there is a type of ‘emergency signal’ which could be broadcast across all clients and apps.

Verified App Store:

Which brings me to the next possible implication – a few people have suggested that the fake log-in page is in fact working as a Twitter application to utilise the stolen accounts and passwords.

It’s long been a matter of contention for users and app developers that any 3rd party application which requires a certain level of functionality has to ask for usernames and passwords – but now the 3rd party developers could be hit by a huge loss of trust from users.

So could this be an opportunity for a verified and approved Twitter application resource? Possibly monetised by charging a fee for consumers (unlikely), or for developers to have their application tested and approved (more likely)?

This could have implications for the speed and amount of Twitter applications and clients being produced, and also move such development away from bedroom coders depending on the fees for such services.

It certainly means that there could be a move for more users to utilise more than one Twitter account to allow them to test applications and clients etc without compromising their main account.

So what other implications do you think the arrival of large scale phishing attacks could have on Twitter – and what suggestions do you have for other Tweeple – and Twitter itself, to try to minimise the damage of future attacks?

Categories: Twitter
Tags: applications, attack, developers, implications, passwords, phish, phishing, risk, scam, scammers, shortened urls, spam, spammers, trust, Twitter, user accounts, verified, warnings
