A few months ago, I wrote a post about the local media's use of social media and what they were doing right and wrong. I'd like to think that six months later they have figured things out; however, I'm not so sure.
On Monday, Andy Palumbo blogged about nearly pulling the plug on his Twitter account because of a virus/phishing attempt circulating through Direct Message. Several people that I follow on Twitter in the local media have "received" this virus and it started spreading like wildfire. I got two of the messages myself:
Did I click on them? Um. No. Although, I'm sure plenty of people say nasty things about me online.
Here's the thing about viruses. They don't spread unless someone clicks the link or opens the file, or runs an executable, etc. If you don't do these things, the virus doesn't spread. The problem with Twitter is that it uses a lot of shortened URLs to save space in Tweets, making it hard to tell if a link is legitimate or not. I have a solution to this: URL Void – http://www.urlvoid.com. You can put any link into the box on the website and it will scan the URL to let you know whether or not the site is safe to navigate to. If those who were "hacked" on Twitter took a few extra seconds to practice safe hex by plugging in the URL in question from these direct messages, they would see that the website was an exploit.
Deleting your Twitter account because it has the potential to be "hacked" is just silly. And let's be clear: these accounts were not "hacked". The user clicked on the URL that they received in a direct message; this is how this type of VIRUS spreads. There is a big difference between being "hacked" and receiving a virus. I get viruses and spam sent to all seven of my email accounts every day, but am I going to delete my email account? No. Am I going to get rid of my Internet access because there's a potential that someone unauthorized may try to use my Wi-Fi network? No (because we have MAC address security enabled, layer 2 FTMFW).
You just have to be smart about how you use the Internet: practice safe hex, as I like to call it. A few years ago, when I was more active in newsgroups, I followed one called alt.comp.virus, and one of the posters wrote up an entire article about what "Safe Hex" means right here: http://www.claymania.com/safe-hex.html. The article is several years old, but a lot of the same theories still apply. I think in this instance, tip #4 is very applicable:
4. Be cautious when reading email with attachments and downloading files
You should never, ever (and we really mean it!) do the following:
- Never open email attachments from someone you don't know
- Never open email attachments forwarded to you even if they're from someone you know
- Never open unsolicited or unexpected e-mail attachments until you've confirmed the sender actually meant to send them. If you know the sender and you are absolutely sure they intentionally sent the attachment, then scan it with an up-to-date virus scanner before opening it.
- Never pay attention to virus warnings or even forward them unless you subscribe to a serious virus newsletter.
- Never obtain software from "warez" sites or peer-to-peer programs like Kazaa. Get it from known, trusted sources only.
Additionally, it is wise to consider configuring your email program to display messages as "text only" and not "HTML". HTML can easily include malicious scripting (which may "do something" unwanted automatically), malicious links (usually obfuscated and too easy to click) and other unwanted junk. Keep in mind that if you send HTML email, many anti-spam solutions may aggressively target HTML formatted email as SPAM.
If you replace "email attachments" with "Twitter Direct Messages" or "Shortened URLs" it is the same advice I'd recommend to anyone using Social Media these days.
Here are a few other tips I can share with you:
- Phishers usually tend to be bad spellers and/or bad at punctuation and grammar. That's the first way I can spot a phishing attempt at 20 paces (whether it be by email or social media platform)
- The email address that a phishing message comes from is usually fake, or non-existent on the domain. On Twitter, the account is usually created only to spread these viruses. It may have no actual tweets but a ton of followers, and it may have a bogus picture and URL in its profile information. If it looks too good to be true (i.e. She's a supermodel stripper wanting to send you XXXXX pictures) then it probably is.
- Hovering over the link in your email client and checking your status bar will let you know if the URL is legit. For example, I can make a link say www.ebay.com but then have it redirect to a fake site using HTML. This, however, does not work on Twitter if the URL is shortened; you will need to use a link checker such as URL Void (mentioned above).
- DO NOT USE THE SAME PASSWORD ON ANY ACCOUNT FOR ANY REASON EVER! You are just asking for trouble if you do.
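The hover check and the shortened-URL caveat from the tips above can be automated for HTML email. This is an added example, not code from the original post: it flags links whose visible text names one site while the href points somewhere else, and links that pass through a shortener. The shortener list, the sample message and all function names are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener hosts (constructed list for this example).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Matches visible link text that itself looks like a hostname or URL.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Constructed sample message; hosts and paths are placeholders.
SAMPLE = (
    '<a href="http://ebay.account-check.example/signin">www.ebay.com</a> '
    '<a href="http://bit.ly/EXAMPLE">see what they said</a> '
    '<a href="https://signin.ebay.com/help">www.ebay.com</a>'
)

def host_of(value):
    # Lowercase hostname of a URL or bare host, with a leading "www." removed.
    if "://" not in value:
        value = "http://" + value
    host = (urlsplit(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def verdict(text, href):
    target = host_of(href)
    if target in SHORTENERS:
        return "shortened"  # destination hidden: expand or scan before visiting
    shown = HOST_RE.match(text)
    if shown:
        claimed = host_of(shown.group(1))
        # Subdomains of the displayed site are accepted; anything else is not.
        if target != claimed and not target.endswith("." + claimed):
            return "mismatch"  # text names one site, href goes to another
    return "ok"

class LinkAuditor(HTMLParser):
    # Collects (visible_text, href, verdict) for every <a href> in a message.
    def __init__(self):
        super().__init__()
        self.results, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.results.append((text, self._href, verdict(text, self._href)))
            self._href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.results
```

Calling `audit_links(SAMPLE)` returns one tuple per link; a "shortened" verdict only says the destination is hidden, so the link still has to go through a checker before anyone visits it.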
And now I will share with you a story….(names changed to protect the stupid)
A “Network Engineer” I know was victimized by one of these phishing emails and actually had his bank account compromised. Here’s what happened: someone had sent him an email claiming to be from ICQ and saying that he needed to confirm his email/password on his account so that his account wouldn’t be deleted. He did exactly what the email asked of him. (WRONG! BAD! NO!!) Nothing happened for months, then all of a sudden, after a deposit was made into his personal checking account, the thief decided to make a move. At the time, the engineer was using the same password for his E-mail, ICQ, and Bank. The phisher knew about the deposit via email, knew what bank he used and knew the password. He was able to transfer the money elsewhere, thereby stealing it and leaving the checking account penniless. The bank fraud department had to get involved and was able to see the unauthorized transactions. They had to close out the account and reimburse him for the fraudulent activities. Long story short…if a Network Engineer can be fooled by one of these emails, ANYONE CAN (except me of course….KIDDING).
The bottom line is this: As long as hackers/spammers and phishers see an opportunity to make a dime off of someone else or get a sick thrill off of ruining someone's online reputation, it's not going to stop. Security threats are not going away anytime soon; they are going to keep growing exponentially, and Internet users (business and home) really need to stay educated in order to protect themselves and their assets online.