Wednesday, November 11, 2009

Is Twitter Still Safe?

That's a good question to ask. Fortunately, with a little "common sense" the answer is still yes. But, as I've warned so many times, the world isn't as safe as it appears, so you have to be careful, maybe even a little paranoid.

So, why do I warn so often that I'm beginning to feel like the boy who cried wolf?

The answer is I work on making your computer more secure. I do that for Intel. They also gave me the right to twitter about things I work on--not to give away secrets, but to relay things that I have learned in my job. That doesn't mean I speak for Intel. These are my own insights and opinions. So, while my job at Intel is not to give advice on internet safety, I don't feel I would be doing my job if I didn't pass on things I learned along the way that could help you stay safe. Thus, I pass along these personal tips, one fellow human being to another.

If you've read my previous blog postings, you will see that I've talked about related topics before: email spam, general twitter safety, etc.

This time, I'm going to address the current variation of that same problem: Direct Message (DM) attacks.

Twitter has gotten popular and important enough to merit its own attacks. It is not clear how serious these attacks are, but we know for certain that the attacks are acting like a worm or virus, spreading from one hacked account to others. The way this attack appears to spread is through DMs sent from the hacked accounts. The DM goes out to the followers and invites them to play a game (test your IQ) or visit a site where the follower's information is supposedly saved. I've gotten both of those messages from tweeps whom I was following and who were hacked.

Next, when you visit the site, the site needs your twitter information, either by you logging in, or by you telling twitter to allow the application access to your account. Either way, the application then gets access to your account, and you've been "pwned". The application can now masquerade as you and use your follower list to spread farther.

Now, if this is all the hack is, it is basically a proof-of-concept test. Someone needed to prove that they could use twitter to spread a virus. And, so far, that may be the case. On the malware scale, this is quite benign. It takes some work to clean up, but it hasn't done any real damage, except perhaps to the hacked people's reputation.

However, experience has shown that these initial "prank" hacks get quickly replaced by more serious attacks that are out to steal something from you, something that likely has more tangible value, often information that can be used for identity theft or other forms of fraud.

Therefore, we need to take these pranks seriously and use them to alert us to the imminent danger that is coming when someone figures out how to use this method of spreading a virus to send a more dangerous cargo.

So, what is a person to do?
  1. The first step is to stop following links in DMs. If someone sends you a link in a DM, treat it like it was spam email.

  2. Moreover, do your friends a favor and don't use DMs to send them links either. If we make it a practice never to send a link as a DM, then any DM we get with a link is clearly a phish or a hack. In fact, I like to think of a DM as the twitter equivalent of a whisper. So, the only time I DM is when I want something to be private, something I would whisper. However, sharing information is not something I do in private (unless it's private or secret info), so DM'ing a link is odd to me, since a big part of twitter is sharing with the world.

  3. Change your password now, before you are hacked. Make it something safe and make it something different from all your other passwords. Write it down if you have to. Better yet, use a "password manager" to remember your passwords for you, so you can have lots of safe passwords, all different.

  4. Go through the list of applications you have given access to your twitter info and revoke the permissions for any you don't use or that seem suspicious. That list can be found in your twitter settings/connections.

  5. If you have been hacked, do steps 3 and 4 at least twice in a short period of time. This will, hopefully, keep the malware from noticing that you have changed the information and restealing it. There is a small window of "vulnerability" when the software both has your password and is authorized to act on your behalf: the malware can restore whichever one you change by using the other access right. However, it is unlikely that this version of the virus is sophisticated enough to do that.

  6. In addition, if you suspect you may have been hacked, run your computer's virus/spyware scanner(s). Right now, it doesn't look like this particular attack is loading other malware onto systems, but it is only a matter of time before someone modifies it to download other malware onto your computer at the same time it is spreading itself.

  7. Be prepared for the attack to change. Right now the attack is spreading via DMs. The attack could have just as easily spread via @ messages or RTs or even plain tweets. That means we all have to be careful about which tweeple we follow links from.

  8. Figure out who you trust and what you trust them on. For example, if you are reading this, you probably trust me for security-related tweets and maybe another topic or two: Intel, programming, science, MBTI, Enneagram, or twitter itself. However, if you were to get a tweet from me on a hot-stock pick, you should probably realize that I don't have that kind of information, and wouldn't share it in a tweet even if I did.

  9. Next, if you are sharing links, check them before you send them. Make certain the link you are sharing actually points to the item you want to share. And, if you are going to share links, make sure your virus software is running, so that you will know when you get hit by a drive-by infection from a bad link before you RT that link out to others. And, if you are visiting a link from someone you aren't certain you trust (a new friend you have just started following, for instance), use one of the tools that help you expand short links before you follow them, so that you can check that it looks like a reasonable address before actually visiting the site.

  10. Remember that these are only guidelines to stay a little safer. For now, they should suffice, but some of us still will get hacked. Eventually, unless we find a way to convince all the criminals to stop spreading malware, we will probably have to be more careful, so watch for follow-up advice.

I hope this advice helps you stay safe and unhacked. If you think of something I didn't say, add a comment. If we work on educating each other, we can hopefully make common sense actually something we share in common.
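
Step 9's advice to expand a short link before visiting it, shown as an added Python example that is not part of the original post: it walks the redirect chain with HEAD requests only, never downloading a page, and reports reasons the destination may not be a "reasonable address". The function names, `MAX_HOPS`, the warning wording and the `short.example` redirect table are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: a longer chain is itself a warning sign

def head_location(url):
    """One HEAD request: return (status, Location). No redirect is followed."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=5)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location):
    """Return (chain, warnings): every URL in the redirect chain plus reasons for caution."""
    chain, warnings = [url], []
    while len(chain) <= MAX_HOPS:
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # reached the final destination
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            warnings.append("redirect loop")
            break
        old, new = urlsplit(chain[-1]).scheme, urlsplit(nxt).scheme
        chain.append(nxt)
        if new not in ("http", "https"):
            warnings.append("non-web scheme: " + new)
            break
        if old == "https" and new == "http":
            warnings.append("downgrade from https to http")
    else:
        warnings.append("too many redirects")
    host = urlsplit(chain[-1]).hostname or ""
    if host.replace(".", "").isdigit():  # IPv4 literal instead of a name
        warnings.append("destination is a bare IP address")
    return chain, warnings

# Constructed redirect table standing in for the network, so this runs offline.
SAMPLE = {
    "https://short.example/abc": (301, "/go?id=1"),
    "https://short.example/go?id=1": (302, "http://192.0.2.7/login"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```

Calling `expand("https://short.example/abc", fetch=sample_fetch)` resolves the constructed chain; dropping the `fetch` argument makes it issue real HEAD requests.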