
January 28, 2009

Welcome Name.com!

Lately I seem to be posting notices about hacks and identity theft - like Monday's Monster.com news. Today's entry has a happier note - I'm proud to welcome Name.com to the VIP Network. Check out the press release and some of the reaction in the blogosphere.

January 26, 2009

A Monster Problem

It seems like every day there's another headline about a major site being hacked and usernames and passwords being stolen. Today it's Monster.com, where the passwords and personal details of thousands of recruiters and job seekers have been compromised.


How many more of these breaches will it take for people to realize that just plain passwords aren't good enough?

January 6, 2009

Phishing is not just for email anymore: Twitter under attack

I always find it interesting the way old scams are redressed for new and emerging channels.


That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.


Today I'll talk about the phishing attack, which consisted of luring people into giving away their Twitter passwords to a fake site. The novel aspect is that it used Twitter-generated messages (Direct Messages) sent from the compromised accounts to propagate to each victim's list of contacts (Followers).


This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:


- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this Twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the Twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.


- The second aspect, which I find more disturbing, is that the Twitter medium is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine Twitter phishing with events that get intensive Twitter coverage, such as the Mumbai attacks.
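One defender-side way to spot the Direct Message propagation described above is to look for a single lure host being pushed out by many distinct senders within a short window, which is what credential-driven DM spreading looks like in a message log. This is an added example, not code from the original post or from Twitter; the log format, field names, window and threshold are all assumptions, and the sample messages are constructed.

```python
"""Flag link hosts that fan out from many distinct DM senders in a short window.

Added example (not from the original post). Assumes a constructed log of
Direct Messages as (sender, recipient, ISO timestamp, link); the field
layout, the 10-minute window and the 3-sender threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample DM log. Three compromised accounts push the same lure
# host to their followers within minutes; one unrelated link is included
# for contrast and must not be flagged.
SAMPLE_DMS = [
    ("alice", "bob",   "2009-01-03T10:00:00", "http://lure.example/login"),
    ("alice", "carol", "2009-01-03T10:00:05", "http://lure.example/login"),
    ("bob",   "dave",  "2009-01-03T10:02:10", "http://lure.example/login?ref=2"),
    ("carol", "erin",  "2009-01-03T10:03:30", "http://lure.example/login"),
    ("frank", "grace", "2009-01-03T11:15:00", "http://news.example/story"),
]


def flag_fanout_links(dms, window=timedelta(minutes=10), min_senders=3):
    """Return {host: sorted senders} for every link host that was sent by at
    least `min_senders` distinct accounts inside any `window`-long interval.
    Grouping by host rather than full URL catches per-recipient URL variants."""
    events = defaultdict(list)  # host -> [(timestamp, sender)]
    for sender, _recipient, ts, link in dms:
        host = urlsplit(link).hostname
        if host:
            events[host].append((datetime.fromisoformat(ts), sender))

    flagged = {}
    for host, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            senders = {s for _, s in evs[start:end + 1]}
            if len(senders) >= min_senders:
                flagged[host] = sorted(senders)
                break
    return flagged


if __name__ == "__main__":
    for host, senders in flag_fanout_links(SAMPLE_DMS).items():
        print(f"suspicious fan-out: {host} sent by {', '.join(senders)}")
```

A flagged host is a candidate for blocking or rate-limiting, and its senders are candidates for the kind of password reset the post says Twitter performed.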


A short-term measure that Twitter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they log in.


In the meantime, my Twitter guru Bob Angus tells me that some of the buzz in the twittersphere is that these attacks confirm Twitter's arrival as a relevant medium.


These past attacks confirm that the bad guys, at least, seem to agree with that.

VeriSign Identity Protection

Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
