Those of you who have spent some time on Twitter are doubtless familiar with DM-based (DM = Direct Message) phishing attacks. When people fall victim to these they generally report that they have been “hacked”, but that normally isn’t the case. Saying that you have been hacked implies that someone worked out what your password was, or found a way around it. Doing that is hard. Phishing is much easier, and more common. As the name suggests, it relies on bait. The phisher tries to get you to click on a link that takes you to a malware site. Because you have actively clicked on the link, that site is able to harvest your password.
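As an added illustration of why the link itself is the bait (this is example code, not part of the original post), the following Python snippet pulls URLs out of DM text and flags hosts that merely look like Twitter. The sample DMs and the allowlist of legitimate hosts are constructed assumptions for the example; the lookalike heuristic (a "twitter"-like label anywhere in a host that is not on the allowlist) is deliberately simple.

```python
import re
from urllib.parse import urlparse

# Constructed sample DMs for the example (not taken from the original post).
SAMPLE_DMS = [
    "lol is this you? http://twitter.com.login-verify.example/",
    "check this out http://tvvitter-login.example/signin",
    "see https://twitter.com/settings/applications",
    "no link here, just text",
]

# Assumed allowlist of hosts a real Twitter login or link could legitimately use.
LEGIT_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Common visual substitutions used to imitate a brand name in a hostname.
LOOKALIKE_SUBS = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]


def normalize_host(host):
    """Undo common character substitutions so 'tvvitter' reads as 'twitter'."""
    host = host.lower()
    for fake, real in LOOKALIKE_SUBS:
        host = host.replace(fake, real)
    return host


def classify_link(url):
    """Return 'legit', 'lookalike' or 'other' for a single URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in LEGIT_HOSTS:
        return "legit"
    # A host that contains the brand name but is not on the allowlist is the
    # classic shape of a credential-harvesting page: twitter.com.<attacker>.
    if "twitter" in normalize_host(host):
        return "lookalike"
    return "other"


def suspicious_links(text):
    """Extract every URL in a DM and return those that are not on the allowlist."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)
            if classify_link(url) != "legit"]


if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        flagged = suspicious_links(dm)
        print(repr(dm), "->", flagged or "no suspicious links")
```

The point the snippet makes is that the bait link, not the act of reading the message, is where the risk sits: a DM that carries no link, or only an allowlisted one, produces nothing to flag.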
Most people quickly get the hang of this and learn not to click on mysterious links sent to them via DM. I certainly thought I was too smart to do that. But today I got told that my account was sending out phishing DMs. Eek.
First up, apologies if you got one. I’ve taken the recommended precautions, which should have put a stop to the problem. But I want to know how it happened, because I don’t click on links. What I did do this morning was open a conversation. That is, I had a phishing DM from someone, and I went to the page of such messages to read it. I do that because if you don’t then the Twitter client will keep reminding you that you have unread messages. I know I didn’t click on the link. So did just reading the message reveal my password?
There are other ways for people to get your password, but they involve signing up for services, and Twitter has no record of my having done so, so I am bemused. Is there anyone out there who knows more about the security issues who would care to comment? FYI, I’m pretty sure that I was using my iPad when I read the DM, so that would have been through Tweetbot, not the standard Twitter client.
I’ve had two phishing attempts in a week. Both have been links from people I follow or who follow me. The links have taken me to a page which looks like the Twitter login page, so it is bound to succeed in tricking people into signing in with their credentials and thus revealing them to the phisher.
I did not submit my credentials and to my knowledge don’t send out phishing messages myself, so it’s cool, but this is the technique I observed myself.
Yeah, sometimes they can be very clever. But in my case I never left Tweetbot.