Phishing Slamming into Twitter

Phishing has long been the bane of the e-mail world. Sadly, phishing has also made its way onto Twitter.

One of the biggest problems seems to be the flurry of Twitter-related services in which you have to provide your username and password to gain access. Unfortunately, many phishers are reeling in big catches as people happily provide their personal information.

Over the weekend, a phishing attack hit Twitter in which people received direct messages with the text: “hey! check out this funny blog about you…” Clicking the Blogspot.com link in the message took you to a page that looked like the Twitter login page. In fact, it was a site – twitter.access-logins.com – that collected your user name and password information.
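The lookalike host above can be told apart from the real one by comparing the parsed hostname with the domain the login page should be on. The following is an added example, not part of the original post; `EXPECTED_DOMAIN`, `BRAND`, `classifyLoginUrl` and every sample URL other than the host named in the post are assumptions made for illustration.

```javascript
// Added example: decide whether a URL that shows a login form is on the expected domain.
const EXPECTED_DOMAIN = "twitter.com"; // assumption: the only domain that should ask for the password
const BRAND = "twitter";               // assumption: brand string a lookalike host would borrow

function classifyLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { verdict: "invalid", host: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "invalid", host: null };
  }
  // hostname is already lower-cased; drop a trailing root dot ("twitter.com.")
  const host = url.hostname.replace(/\.$/, "");
  // Match the whole domain or a true subdomain, never a bare substring
  if (host === EXPECTED_DOMAIN || host.endsWith("." + EXPECTED_DOMAIN)) {
    return { verdict: "expected", host };
  }
  // Brand used as a label or fragment of another domain, or hidden in the userinfo part
  const brandInHost = host.includes(BRAND);
  const brandInUserinfo = (url.username + url.password).toLowerCase().includes(BRAND);
  if (brandInHost || brandInUserinfo) {
    return { verdict: "lookalike", host };
  }
  return { verdict: "unrelated", host };
}

// Constructed sample URLs; only twitter.access-logins.com comes from the post.
const SAMPLES = [
  "https://twitter.com/login",
  "http://twitter.access-logins.com/login",
  "http://twitter.com@access-logins.com/",
  "https://TWITTER.COM./login",
  "https://nottwitter.com/login",
  "http://example.blogspot.com/funny-blog",
];
for (const s of SAMPLES) {
  const r = classifyLoginUrl(s);
  console.log(r.verdict.padEnd(10), r.host, "<-", s);
}
```

Because the link in the message pointed at an intermediate Blogspot page, the check has to run on the URL of the page that finally asks for the password, not on the first link.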

The proliferation of phishing attacks is yet another example of how Twitter needs to be far more proactive in serving its growing legion of users. Rather than having people submit user names and passwords on Twitter-related services, Twitter should actively support initiatives such as OpenID and OAuth.

This would give people a way to access services in a secure way rather than consistently exposing themselves and their personal information to phishing attacks.

Twitter has been aggressive recently in cracking down on fake Twitter accounts; it now has to turn its full attention to phishing.


One Comment

  1. Posted January 5, 2009 at 5:31 am | Permalink

    To be fair, Twitter is implementing OAuth in the next release of the API. But OpenID and OAuth won't address phishing vulnerabilities.

    What it will do is make it less likely that a trusted connection—which is what a direct message implies—is used to increase the likelihood of a phishing link being clicked and then completed. There are a number of signs of phishers that general education would help. In fact, Indiana University is using cartoons as a medium for that education (http://www.securitycartoon.com/).
