Twitter Adds Security to Combat Phishing
This was written by Mallory Micetich on Wednesday, March 10, 2010, 11:35.
In reaction to increasing phishing attacks against its users, Twitter is tightening security. With this release, all direct messages submitted to Twitter will be viewed through a new URL, twt.tl. The new coding will not affect the user interface, but will provide a more secure platform for direct messages.
This site will capture a blacklist of URLs that have been linked to phishing attacks. In the blog post about the new security features, user delbius said, “we’re launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.”
Recent phishing scams against Twitter users are a three-step process. As outlined on the Twitter Blog, accounts are first sent a direct message with subjects like “LOL is that you?” Once the message is opened, a link takes the user to a fake login page. The user enters their information on the page and the second phase begins: newly compromised accounts begin to send out more messages. Lastly, the criminals monetize by sending out spam links.
Twitter is able to detect infected accounts and reset their passwords, allowing users to resume normal use of their accounts. Despite this ability, Twitter prefers to stop attacks before they start.
According to an article from The Register, social networking scams have risen 70% in the last year. Sites such as Facebook and Twitter have seen a majority of these attacks. Social networking attacks are more than just an inconvenience; they pose a serious security threat. Even though best practices for online passwords discourage reuse, many users do use the same password for social networking sites and for more important sites such as webmail and banking. With passwords in the hands of criminals, a simple microblog infraction becomes a dangerous threat.













