Will Twitter's Business Tools Be Safe and Secure?
Twitter co-founder, Biz Stone, announced earlier this month at the Technology Summit in New York that his company is currently focusing on introducing several features for commercial use, such as analytics and a directory of commercial accounts that would verify that businesses on Twitter are legitimate.
The first question that Twitter aficionados and potential users of these tools should ask is whether the micro-blogging platform can deliver safe and secure applications, especially since statistics and data that could affect a business are involved.
The avalanche of breaches and attacks, ranging from cross-site scripting vulnerabilities to worm outbreaks, grew in recent weeks with several noteworthy approaches. They could be devastating if business information leaks from compromised accounts.
It is worth mentioning that the latest criminal efforts concentrated particularly on stealing login credentials, as well as other data that could facilitate access to Twitter and similar platforms, such as e-mail, blogging or e-commerce accounts. Gaining such access translates into a wide range of e-crime opportunities, from further spam and phishing attempts (using the list of followers, friends or contacts) to identity and commercial data theft, blackmail and extortion.
Most of these phishing attempts relied on social engineering and exploited the user's naïveté. The Twitter Porn Name scam is a good example. Users are invited to reveal the name of their first pet and the first street they lived on. These are exactly the answers commonly used as backup or security questions for the applications mentioned above. An e-crook holding someone's username and these "clues" can easily reset a "forgotten" password, then use it to access the account and send spam, view transactions or profit in any other way (including demanding a ransom to release the hijacked account). Treat such answers as secrets: an attacker does not need the password if the recovery flow accepts information already posted in public.
Other schemes involved typosquatted Web sites, such as tvvitter.com (currently unavailable), that harvested login credentials and automatically added unwanted followers. The links displayed on these (possibly bogus or hijacked) profiles redirected users to a dating site, probably as part of a pay-per-click or ranking fraud.
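The tvvitter.com case works because "vv" passes for "w" at a glance. The script below is an added illustration, not Bitdefender's code or any tool the article mentions: it enumerates common typosquat variants of a brand domain (homoglyph substitution, dropped, doubled and transposed characters) and flags URLs in a handful of constructed sample tweets whose host matches one of them. The homoglyph table, the sample tweets and the simplistic "last two labels" notion of a registered domain are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumed homoglyph table: characters that look alike in common fonts.
# Extend as needed; this is not an exhaustive list.
HOMOGLYPHS = {
    "w": ["vv"],
    "m": ["rn"],
    "l": ["1", "i"],
    "o": ["0"],
    "i": ["l", "1"],
}


def typosquat_candidates(domain: str) -> set[str]:
    """Generate look-alike domains for a brand domain such as 'twitter.com'."""
    name, _, tld = domain.lower().rpartition(".")
    cands = set()
    # Homoglyph substitution: twitter -> tvvitter
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            cands.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
    # Character omission: twitter -> twiter
    for i in range(len(name)):
        cands.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Adjacent transposition: twitter -> twittre
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        cands.add(f"{swapped}.{tld}")
    # Doubled character: twitter -> twittter
    for i in range(len(name)):
        cands.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")
    cands.discard(domain.lower())  # the genuine domain is never a squat
    return cands


def registered_domain(host: str) -> str:
    """Crude assumption: the last two labels are the registrable domain.
    Real code should use the Public Suffix List (e.g. the tldextract package)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def flag_lookalikes(text: str, brands) -> list[tuple[str, str]]:
    """Return (host, brand) pairs for URLs in text whose host squats a brand."""
    hits = []
    candidates = {b: typosquat_candidates(b) for b in brands}
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        reg = registered_domain(host)
        for brand, cands in candidates.items():
            if reg != brand and reg in cands:
                hits.append((reg, brand))
    return hits


# Constructed sample tweets for the demonstration (not real captured data).
SAMPLE_TWEETS = [
    "Best video! http://tvvitter.com/login",
    "check your stats http://twitter.com/settings",
    "get 1000 followers fast http://www.twiter.com/boost",
]


def scan_samples() -> list[tuple[str, str]]:
    return flag_lookalikes("\n".join(SAMPLE_TWEETS), ["twitter.com"])


if __name__ == "__main__":
    for host, brand in scan_samples():
        print(f"look-alike of {brand}: {host}")
```

The generator is deliberately narrow (one edit per candidate); production tooling should also cover keyboard-adjacent substitutions, inserted hyphens and alternate TLDs, and should resolve the registrable domain with the Public Suffix List rather than the two-label shortcut used here.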
Another phishing scheme involved a purported third-party Web site that sent messages promising to rapidly increase the number of Twitter followers. To complete the process, the site demanded the user's Twitter username and password. Once they were provided, the unwary user's followers were automatically spammed with the same message.
Last but not least, the most recent attack combined spam sent from different accounts with a maliciously crafted PDF, served through a hidden iframe exploit when the user clicked a link purporting to display the "Best video".
Besides the clip, the page hosted in Russia also delivered System Security 2009 rogue software.
It is true that analytics and commercial directories are tools mainly for companies rather than individuals, and the chances of a business account being hacked through this kind of technique are slight. But behind any corporate account there is in fact one person (or several) in charge of maintaining and updating it, so the human factor is as important as (if not more important than) the technological one and should be treated accordingly.
Copyright 2011. Site powered by Bitdefender