I’ve Just Been Phished – Now What? – Part II – Twitter

July 22, 2011
July 22, 2011 Jason

I’ve Just Been Phished – Now What? – Part II – Twitter

Yesterday we talked about some of the phishing scams on Facebook (phishing: the act of trying to get your personal information through deceptive means).  The practise isn’t limited to Facebook – you see it in your email, your Twitter, and even on your phone.  Information has huge value, so unscrupulous people are constantly trying to trick you into sharing your info.  Here are a few ways to prevent them from getting what they want.

Odd DMs

You’ve likely received an odd Direct Message from one of the people you’re following.  One of the current examples says “LOL can you tell me if its you in this video?…<link>” Being that this message came from a person you know, you probably want to go see why you might be in the video.  Click the link, which brings up a page asking you to approve the page to grant access to your Twitter account.  Once you click “Allow,” you’ve just granted full access to your Twitter account.  The first thing that normally happens is the app will start sending DMs out to your followers, in an effort to try and get them to share access, so the app can continue to perpetuate itself.

Request to Login to Twitter

I use Google alerts for a few keywords that interest me, and one of my favourite topics is – me.  So when I got one of the daily alerts telling me that Brandscaping was mentioned, I clicked the link and it brought me to a Twitter login page – so I could enter my username and password.  The page looked exactly the same as the official Twitter page, but if I had checked the URL, I would have noticed it wasn’t Twitter.com, but actually some variation. Since I have a few Twitter accounts, it’s not unusual for me to have to login manually, but as soon as I entered my info, I remember that I was already signed in on this account – but it was too late, I had already shared my login and password info for Twitter.

Why doesn’t Twitter just block these scammers?

Twitter is really good about cracking down on these phishing attempts, but it’s not possible for them to catch them until they are rampant.  There are too many different ways to setup these scams, so it’s in our best interest as active members in the space to be proactive and aware of unusual activity.

I’ve been Phished – now what?

If your friends are contacting you asking why you’re pimping discount medication on your Twitter account, you’ve probably been compromised.  Here are a few steps to stop it from continuing.

  • Change your password – It’s good practise to change your password regularly, so think of this as an opportunity to make one that is hard to crack but easy to remember.
  • Check your Apps  – click on your profile name in the top right of the screen and then choose settings.  On the top row, scroll over until you see “Applications”.  This should show you a list of all of the apps you’ve allowed to access your Twitter account. Revoke access to the apps you don’t recognize.  If it’s an app you use regularly, you will be prompted to reauthorize it the next time you visit that site.  (Any apps that are marked as “suspended” should have access revoked immediately
  • Let your followers know – just as a courtesy to your followers, send out a quick tweet saying – “oops, I was phished – apologies for any offensive direct messages or tweets”  or something along those lines.  It shows that you’re paying attention to your account, and that you really aren’t trying to sell those little blue pills. Unless, of course, you are.

The authorization process on Twitter is pretty hard to get around, so there are really only two ways that scammers can get you to provide your info.  The first is to trick you into logging into their copy of the Twitter website.  The second is to get you to provide access by clicking Approve on the app.  If you’re paying attention, you shouldn’t have to worry about either.  Take a look at the Twitter login url – it should always be Twitter.com (Paypal.com had an issue a few years ago, where the phishers were using the url Paypa1.com – using the number “1” instead of a lower case “L” – it was virtually impossible to tell the difference!) Look at the app requesting permission to access your Twitter account.  Is it one that you want to grant full access to your Twitter account?  When in doubt – Deny.

If you’re getting inundated with messages from your friends on Twitter, send them this post – hopefully it will help them out, and clean up your DM inbox.




Comment (1)

Comments are closed.

Discover the difference a professional copywriter can bring to your message.