Twitter Mischief Hijacks Reputations
Twitter probably doesn't have your credit card data on file, nor does it hold on to your Social Security number, but recent security breaches highlight just what kind of damage can be inflicted when intruders gain access to user accounts.
01/06/09 3:29 PM PT
The revelation Monday that 33 accounts on the Twitter social networking site had been hacked, while others were compromised by a phishing scam over the weekend, highlights what cyber criminals can do.
Accounts belonging to Britney Spears, Barack Obama and CNN's Rick Sanchez were hacked, using tools normally accessible only to Twitter's technical support team for the purpose of letting locked-out subscribers reset their e-mail addresses.
Twitter locked down the breached accounts and initiated an investigation, and the legitimate owners are now back in charge, according to the company. The support tools have been taken off line.
The 33 breaches were separate from the weekend phishing scam. It involved a coordinated attack in which users received e-mails directing them to a phony Twitter homepage, where scammers could steal their user names and passwords.
A Dangerous Online World
"The significance [of the breached accounts] is that hackers accessed tools that were designed for use by Twitter support staff. Although they targeted high-profile individuals in a way that was quickly obvious, the attack could have been much more subtle and serious," Richard Wang, U.S. SophosLabs manager at Sophos, told TechNewsWorld. "Although the attack highlighted a possible weakness in their security tools, the response from their support team was excellent and contained the issue quickly."
Meanwhile, the phishing attack points to the ability of a hacker to send mass e-mails to unsuspecting users and then possibly gain access to their computer through downloaded malicious software, explained Martha Vazquez, an analyst at Frost & Sullivan.
"Users need to be aware that cybercrime is on the rise, especially during this economic slowdown. Corporate users need to be wary about allowing access to personal e-mails and social networking sites as well," she told TechNewsWorld.
Twitter's systems were potentially exposing all user accounts to the danger of being taken over by hackers, said Graham Cluley, senior technology consultant at Sophos.
Web site owners must ensure that the tools they use to maintain a Web site are just as secure as the tools they make available to users, Wang said.
The profit behind the crime for hackers is access to users' identities, he noted.
"A hacker who is able to Tweet using someone else's identity gains the credibility of that individual and the benefits of any relationship that individual has with the reader. Rather than make outrageous statements or obviously false claims, the hacker could post misleading comments or links to dangerous Web sites. Twitter is another vector for hackers to spread their messages and attempt to trick users who are going about their daily lives, with online fraud often the furthest thing from their minds," Wang explained.
Although phishing attacks on sites such as Twitter may seem to be more of a nuisance than anything else, malware can be installed on a user's computer that directs people to malicious sites and is used to gain their user IDs and passwords, said Frost & Sullivan's Vazquez.
"Users need to be careful about what e-mails they are opening up, even if it is from a trusted source -- and especially if the message is from a social networking site," she noted. "By adding antimalware security, users should be able to tell if a site is trusted or not."
Users need to be aware that in today's society and economic downturn, hackers will do what they can do to try and gain financial information, Vazquez concluded.