In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. (Wikipedia)

Yesterday a series of phishing attacks were launched on Twitter, the goal of which was to steal the passwords of users and then use them to get other user passwords in order to send out links to another phishing site. Phishing attacks are usually launched on financial institutions like online banks and information-sensitive areas like gmail for maximum profit.

The end goal of this particular Twitter phishing attack was to make money by redirecting users to adult dating sites, so the scammers can earn money through an affiliate program.

In this case here’s a lowdown on what happened, pay attention because this is usually how most phishing attacks work:

In the first Twitter phishing round, hackers created fake Twitter accounts and then started following legitimate Twitter users. Twitter notifies users when they have new followers, sending the user a link to the follower’s Twitter profile page. In this case, the profile page contained a link to a phishing site. So the victim, while investigating his new follower, would end up on the fake site Tvviter(.)com (this page is not safe to visit) where he would be asked to enter his Twitter username and password.

Once the phishers obtained their victim’s login credentials, they used them to launch the second round of attacks. In this round, they posted Twitter messages such as “hey check thiss out” or “Hey. there is this funny blog going around.” These messages include a link to another phishing site.

Here are some recommended security precautions should take note of:

1. Always check the URL in the address bar before entering your credentials for any online service.
2. Never click links from friends if you don’t know where they lead
3. It seems obfuscated URLs are becoming ever more a tool of cybercriminals, you should consider using longurl as a browser plug-in to let you see the true destination of shortened URLs before you click on them.

Which is also a reason why you should consider using Tweetdeck as your Twitter client because Tweetdeck has a feature which allows you to see the full URL of each shortened link before you click on it, very useful indeed.

Related posts:

1. Twisten.fm Helps You Discover New Music with Twitter
2. Tweetree: A Better Way to View Your Twitter Stream
3. Twtifave: How to Find Out Who Favorites Your Tweets
4. Who Were the Users that Joined Twitter First?
5. Why Was the Dalai Lama’s Twitter Account Suspended?

Did you know that clicking on an innocent link on a webpage while logged into Twitter allows a malicious cracker to update your Twitter status without you knowing? This links is usually invisible or placed under a commonly used button.This is known as click jacking.

An example of clickjacking on Twitter was revealed by James Padolsey who also recommended that one install the NoScript firefox addon as a method of protection. See his article to get an example of clickjacking in action.

Using the basic technique of positioning an iframe over a button coupled with Twitter’s ’status’ URL parameter I have created a small demo which shows you just how serious (and annoying) this could be! It will only work if you’re currently logged into Twitter.

Via Dark Reading, which also offers a quote from some researchers:

Robert “RSnake” Hansen, who, along with fellow researcher Jeremiah Grossman, first revealed the dangers of clickjacking, says Twitter isn’t as attractive a clickjacking target as other vectors, however. “I don’t see it as all that interesting as an attack point compared to routers, banks, Webmail, etc.,” says Hansen, founder of SecTheory. “But I can see why there’s a fascination in making people say things they didn’t intend to say.”

Related posts:

1. How to Add a Retweet Button to the Twitter Web Interface
2. Creating a Twitter Feed for Conferences and Events
3. Twitter Magnets: Create Poetry and Share it on Twitter!
4. Combining Twitter With Your House Security System