Sunday, October 20, 2013

Hi! I Recommend This Site, Twitter!

I recently had a few emails pop into my inbox from Twitter; notifications from my Mom direct messaging me. That in itself was strange since she rarely uses Twitter.

The message consisted solely of, "Hi! I recommend this site <link>"

Of course that had an actual link embedded.

My first thought was that malware was hijacking her system or my parents had given permission to a third-party website or application to post to Twitter on their behalf. She's using a Macintosh, so while it is less common, it is still possible her system had malware hiding on it.

I emailed instructions to check and revoke third-party application access to my parents' Twitter account:

  1. Log into Twitter.com
  2. Click the gear icon in the upper right corner
  3. Click "settings" from the menu
  4. Click "Apps" from the left-hand menu list
  5. Review the applications and revoke access from anything you don't recognize

She emailed back that she followed the directions and nothing was listed. That sounded plausible given that she rarely used Twitter in the first place.

I verified with her that she had antivirus running (she did) and told her to run a check on her system.

A few hours later another Twitter DM appeared. "I advise to visit the link <link>"

This was followed by another link a few hours after that, the text of which more closely resembled the first message. It was at this point that it occurred to me my reflex was to assume the system was compromised; I had grown up in a computing period where the home computer ran applications, not "the cloud."

It appears that we've given up control of many of our services and accounts; we trust companies to keep our information safe. This was an example of when this trust goes awry.

The messages must have been originating from someone logged into the account from an unauthorized location; I emailed my parents and told them they needed to change the password on their Twitter account. I got an email back a relatively short time later that they were going to change it, and I haven't had another DM from their Twitter account.

I started searching around the Internet. Surely, if this is a spammer attack of significant size there must be some mention on the Internet about it, right? Maybe Twitter is even doing some work to isolate and block the spammers?

The results were disappointing. I found little, if anything, to go on. I actually found only one article that directly addressed the wave of spammer DMs and advised changing your password as a post-discovery fix.

Another article made mention in passing of this particular spammer attack, but primarily made reference that Twitter had changed something preventing DMs from using links to non-authorized URLs. The article went on to say that the URL blocks were actually acknowledged by Twitter to be a bug. Even so, the spammers were working around it by linking to other tweets (apparently that was working for them).

Indeed, monitoring a search for the phrase "I recommend to visit the link" on Twitter didn't take long to surpass 1,000 found instances. 

Seeing as the popularity of the Twitter platform isn't about to go away soon, it would be nice if they had more options in place to protect your account. I tried searching for 2-factor authentication, a feature I use on Google already; while it can be annoying, it definitely adds a layer of security that not only keeps others from breaking into the account but also notifies you when someone attempts to break into the account. When I try to access my Gmail account (or other Google service) from a computer or application not already authorized for access, Google sends a verification code to my phone. I must enter that code within a certain period of time or the token expires.

Twitter kind of hides this feature. Once you log in and click on the gear, then settings, click on Security and Privacy. From there, select "Send login verification requests to <phone number>". They already had my phone number entered from another setting change I had entered, so I would assume that if you never set it up before, it will ask you to enter the phone number. In my case it simply sent a text message to my phone saying that it could send messages to that number, and the website asked me to click yes or no as to whether the message arrived (why didn't it send a verification code? I don't know...) before asking me to re-enter my password to verify that I wanted to make this change.

I know 2-factor can seem like a pain; I myself was hesitant to use it until I was pushed by policy implemented at work. But once it was in place we began to get reports of people having attempted break-ins on their accounts; these attempts would not have been known if it weren't for 2-factor being implemented, or at least not known until the damage was already done. It was then that I started using it on my personal accounts.

In this age of outsourcing the storage of personal information to social media I've come to see that it is imperative we take measures to protect our online identities. That includes the use of the annoying but useful 2-factor authentication.

