Twitter Phishing and How to Protect Yourself
Learn how to protect yourself from a string of phishing attempts going around Twitter
Known Phishing Attempts
Phishing campaigns have been ramping up against politicians and prominent anti-imperialist individuals in recent weeks.
Individuals such as George Galloway, Geoffrey Young, Dylan Ratigan, and Seth Harp, to name a few, have been targeted by these phishing attempts. Mr. Galloway posted on Twitter, sharing his suspicions about a strange Direct Message he had received there.
A random Twitter user quickly responded, noting that the WHOIS records for the site showed it had been registered only recently, so it obviously was not from Twitter. Mr. Galloway was not the only one to share his phishing attempt on Twitter. Geoffrey Young also shared parts of the message he received, which was noticeably different from the one sent to Mr. Galloway.
We reached out to Mr. Young and received a full copy of the message listed below, link redacted.
Feedback Center
Violation detection
Hello dear user, we think you are violating user policy. You may have violated:
use a trending or popular hashtag to disrupt or manipulate a conversation or to attract traffic or attention to accounts, websites, products, services or initiatives; and
Tweeting with excessive, irrelevant hashtags in a single Tweet or multiple Tweets.
apps – use or promote third-party services or apps that claim to add followers or engagement to Tweets;
sending bulk, aggressive, high volume, spam replies, mentions or Direct Messages;
posting and deleting the same content repeatedly;
“follow loss” – following and then unfollowing multiple accounts to inflate one's own follower count;
following indiscriminately – following and/or unfollowing a large number of irrelevant accounts in a short period of time, especially by automated means; and
copying another account's followers, especially using automation.
Your account will be permanently deleted from our servers within 3 business days for violating the policy. If you think we made a mistake, you should use this form:
[LINK REDACTED]
After filling out the form, you will be redirected to your account again. If there is no e-mail and number associated with your account, you need to add it. We will notify you of the outcome of your request. Thank you for your understanding.
Successful Phishing Attempts
The individuals above luckily caught the attempt and were able to secure their accounts before damage could be done. Others, however, were not so lucky. Seth Harp, for instance, received a similar phishing message, which appears to have resulted in his account being compromised. At the time of writing this article, Seth’s account is locked down in a protected status.
Once an account is compromised through a successful phishing attempt, not only is the information on the account exposed (private messages, contacts, and so on), but the identity of the account itself can be hijacked and weaponized to add a sense of legitimacy to the phishing campaign.
In one of the examples below, we can see how Seth’s account was then used to send direct messages to other users, spreading the phishing link from a verified account.
The perception amongst some users is that verified blue checkmark accounts on social media are trustworthy; however, as seen above, this is not the case. A verified status says nothing about whether an account has been compromised.
Protecting Yourself
We will assume a low level of technical knowledge in our coverage and recommendations. We will pull a lot of information from the Open Web Application Security Project® (OWASP), a nonprofit foundation that works to improve the security of software. OWASP is an excellent resource for staying up to date on most security-related topics.
Since the subject of this article is specific to Twitter, our recommended steps will keep this in mind. If you are just looking for a crash course on phishing, you can check out an OWASP presentation.
Never Trust a Link
Ever heard the phrase “Trust but verify”? In this case, it is “Verify, do not trust.” Another important question to ask when you receive a communication is “Was I expecting this?” If the answer is no, the communication should be treated as suspect.
Any message you receive about changes to any type of online account should be read with the highest scrutiny. What makes phishing so successful is that it plays on the individual's anxiety about getting their account banned, usually offering a time-constrained solution that conveniently involves handing over your personal information.
Verifying a link to a website can be tricky if you are unfamiliar with how URLs are structured. Thankfully there are online tools available to quickly scan and analyze a link for more information, such as VirusTotal, which can also scan files for malware.
Link Analysis
If we analyze the link in the message sent from Dylan Ratigan, we can take you through a journey of what to expect. Using VirusTotal we actually do not receive any additional information except that the final URL (including any redirects) is the one shown in the message. In this case, we can clearly see it is not a https://twitter.com/ URL, so absolutely no credentials should be entered here.
But what if you opened the link? You would be greeted with a Twitter-themed web page requesting your username.
Keep in mind, this site is not Twitter; it is a fake. All this step does is collect whatever username you type. The website does not even attempt to verify that the username exists. We used an obviously non-existent Twitter username to demonstrate that the first form of this phishing site never verifies that the user exists before proceeding.
From there, you are taken to a form requesting the password for that username. In our example, because our user obviously did not exist, it reported an invalid username and password.
If you were to enter a correct password, however, the phishing website would automatically store your credentials and verify that they are correct against Twitter’s authentication service. From there, an attacker would be able to change your password using a script, automating the theft of an individual account. With full control over an account, an attacker would be able to use the account however they see fit, including for malicious purposes.
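As an added example (this is not code from the original article), here is a small Python check that applies the rule above mechanically: credentials belong only on a https://twitter.com/ URL, so the host of a link must be twitter.com or a subdomain of it, over https. Anything else is flagged, including hosts that merely contain the word "twitter", bare IP addresses, punycode lookalike hosts, and URLs that put "twitter.com@" before the real host. The sample links at the bottom are constructed for the demonstration; link shorteners are assumed to have been expanded first (VirusTotal shows the final URL, as described above).

```python
from urllib.parse import urlsplit
import ipaddress

# Only this registrable domain, and subdomains of it, count as Twitter.
# (Assumption for this example; it does not expand link shorteners.)
TWITTER_DOMAIN = "twitter.com"


def check_twitter_link(url: str):
    """Classify a link as ('ok', reason) or ('suspicious', reason).

    The rule is the one from the article: credentials belong only on a
    https://twitter.com/ URL. Every other host is suspect.
    """
    url = url.strip()
    if "://" not in url:          # pasted without a scheme, e.g. "twitter.com/x"
        url = "https://" + url
    try:
        parts = urlsplit(url)
    except ValueError as exc:     # e.g. malformed IPv6 brackets
        return ("suspicious", f"unparseable URL: {exc}")

    host = parts.hostname          # lower-cased, port and userinfo removed
    if not host:
        return ("suspicious", "URL has no host")
    host = host.rstrip(".")

    if parts.username is not None:
        # https://twitter.com@evil.example/ shows "twitter.com" first, but the
        # browser connects to evil.example
        return ("suspicious", "userinfo before '@' hides the real host")
    if parts.scheme != "https":
        return ("suspicious", f"scheme is {parts.scheme!r}, Twitter is served over https")
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "internationalised (punycode) host, possible lookalike characters")

    if host == TWITTER_DOMAIN or host.endswith("." + TWITTER_DOMAIN):
        return ("ok", f"host {host} is {TWITTER_DOMAIN} or a subdomain of it")
    if "twitter" in host:
        # twitter.com.account-review.example: the registrable domain is the
        # last two labels, not the first two
        return ("suspicious", f"host {host} only contains 'twitter'; its domain is not {TWITTER_DOMAIN}")
    return ("suspicious", f"host {host} is not {TWITTER_DOMAIN}")


if __name__ == "__main__":
    # Constructed sample links; none of these are real phishing URLs.
    samples = [
        "https://twitter.com/settings/account",
        "https://help.twitter.com/forms",
        "twitter.com/i/flow/login",
        "http://twitter.com/",
        "https://twitter.com.account-review.example/form",
        "https://twitter.com@203.0.113.5/login",
        "https://xn--twtter-cva.com/",
    ]
    for link in samples:
        verdict, reason = check_twitter_link(link)
        print(f"{verdict:10} {link:50} {reason}")
```

The check is deliberately strict: an http:// link to the real site is still flagged, because the only place a Twitter password should ever be typed is the https site you navigated to yourself, not a link someone sent you.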
Use Strong Passphrases
In the past, the common misconception about passwords was that the more convoluted and random they are, the harder they are to crack. What actually determines the strength of a password is its entropy. Length goes further than adding a few extra capital letters or symbols: more characters, drawn from a more diverse set of characters, increase password entropy and make your password harder to brute-force.
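To make the length-versus-complexity point concrete, here is an added worked example in Python (not from the original article) that computes the brute-force entropy upper bound, length times log2 of the alphabet size, for a few constructed sample passwords. The alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 32 symbols) and the guess rate of 10^10 per second are assumptions for the illustration; real passwords built from dictionary words have less entropy than this bound.

```python
import math
import string

# Character classes an attacker must include in a brute-force alphabet once
# they see one member present. Sizes: 26, 26, 10, 32 (assumed model).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    size = 0
    covered = set()
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Anything outside the four classes (a space, an accented letter) adds
    # one distinct symbol each.
    size += len({c for c in password if c not in covered})
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy upper bound: length * log2(alphabet size).

    Treats every character as chosen uniformly at random; dictionary words
    or keyboard patterns make the real figure lower, so this is an upper bound.
    """
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n > 1 else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate of that alphabet and length (assumed rate)."""
    seconds = 2 ** entropy_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: short "complex" passwords versus a long simple passphrase.
    for pw in ["P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple", "abcdefgh"]:
        print(f"{pw!r:34} alphabet={alphabet_size(pw):3} "
              f"entropy={entropy_bits(pw):6.1f} bits  "
              f"exhaust={years_to_exhaust(pw):.2e} years")
```

Running it shows the 8-character "P@ssw0rd", with all four classes, at roughly 52 bits, while the 28-character lowercase passphrase sits above 130 bits: adding twenty plain letters buys far more than adding a symbol and a digit.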
Password Managers
When deciding what password to use, keep in mind that you can always use a password generator, such as the one on LastPass. For the password manager itself, though, we advise a free and open-source solution such as KeePass, a vetted, multi-platform password manager.
The reason we advise an open-source solution is primarily that some services are proprietary, meaning you have no insight into how your passwords are stored, secured, or monitored.
Use Unique Passwords
Using unique passwords for every service you use online can save you a headache in the event one password is compromised. If you re-use the same email address and password across all services, an attacker can simply submit a “Forgot Password?” request, sign into your email (because you are using the same password!) and may be able to steal additional accounts. This can cause real financial damage and devastation to you and your family if one of those accounts is used for banking services.
Below are OWASP’s recommendations on password length. Although primarily directed at engineers, they make clear why the limits are set where they are. It is strongly recommended to use a password longer than 8 characters, as shorter passwords are extremely easy to brute-force.
Password Length
Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).
Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet. It is important to set a maximum password length to prevent long password Denial of Service attacks.
Multi-Factor Authentication
Multi-Factor Authentication can be a helpful security measure if you have fallen victim to a phishing attempt or if you have a weak password; however, it is not infallible. In fact, Two-Factor Authentication delivered through text messages or phone calls can put you at risk of losing complete control over your online services. One of the more intricate methods of obtaining unauthorized access to your personal data is using social engineering in addition to phishing.
Social Engineering
Social engineering is the practice of using deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. To understand what this means in the context of Multi-Factor Authentication, we must first discuss how most major carriers authorize changes to your mobile phone account.
Most carriers offer a service to activate a new SIM card with your mobile phone number in the event your phone is lost, stolen or damaged. It is an added convenience: you can either visit the carrier in person, or call them and ask them to activate a new SIM card. If you call, your carrier will typically ask a series of questions to verify the identity of the caller. These questions can range from a unique PIN, to generic security questions such as where you were born, to simply confirming the billing address and ZIP code.
This means that an attacker would be able to scan through your social media accounts to look for your general location, where you were born and even information connecting you to relatives that can be used to answer security questions. You may also unintentionally give away this information in person.
If you were to go on a date with someone new at a bar or an acquaintance you may already know, you may unintentionally give away sensitive information that might compromise your personal data. Questions like “I went to Harvard, where did you attend?” seem perfectly normal conversational questions, and they are, but this is also a common security question online services and your carrier may use to authenticate you. You may also unintentionally divulge the place you were born, what you do for work and information about your parents.
If an attacker, whether in person or online scouring your social media profiles, were to piece all this information together, they may have enough to perform an attack referred to as a SIM Swap Scam, also known as SIM Splitting, SIM Jacking or a Port Scam.
SIM Swap Scam
A SIM Swap Scam is when someone calls your mobile carrier and uses your own personal information to answer the billing or security questions, posing as you. If your carrier accepts the attacker as you, they can then change your account services or activate a new SIM card with your number, rendering your phone inactive and useless against the attack.
From there the individual would be able to intercept any text messages, phone calls and Multi-Factor Authentication messages. The attacker may also be able to perform password resets through various online services using your phone number as a method of resetting your password.
This unfortunate incident has already happened to politicians, celebrities, and even executives of social media giants such as Twitter’s chief executive, Jack Dorsey. SIM Swap Scams exploit Two-Factor Authentication’s false sense of security to gain full control over the victim’s phone number. Two-Factor Authentication, although useful, is also an inherent security risk in itself, as you are putting your security in the hands of a third party who may not be secure.
Protecting Against Social Engineering
There are a few simple ways you can protect yourself against social engineering tactics such as SIM Swap Scam. The easiest method is to ensure that your social media profiles do not disclose sensitive information publicly.
Restrict as much personal information on your social media as you possibly can to avoid having it readily available for someone who may have malicious intent.
If a website offers security questions as a form of authentication, it is not recommended to answer them honestly. If you answer honestly about where you live, it is easier for someone to replicate your answers.
Try to come up with a unique phrase or word that only you remember that is completely unrelated to the question being asked. Creating different security questions and answers for each individual online service will make it even more difficult for someone to compromise you through your security questions.
Lastly, call your carrier and request that absolutely no account changes can be made over the phone, and that they verify your identity in person with a valid photo ID. If your carrier is unable to accommodate this request and insists you must authenticate with a PIN or security question, ensure that the security question answer you use is unique to your carrier and is not a truthful answer.
Virtual Private Networks (VPN)
Everyone has probably seen the advertisements on social media for various VPN services to protect your online identity. Although they will not protect you from phishing, they can ensure that your IP Address is obscured, along with encrypting traffic. It is advisable to have a VPN, such as ProtonVPN, or Private Internet Access when browsing the internet while connected to public Wi-Fi networks.
It must be stressed that if you are using a VPN and click on a phishing link, although your IP Address may be hidden from the server, any information you enter in forms on that webpage is still recorded by the server.
Cleaning House
One final note for our readers on what we refer to as “Cleaning House.”
If you are not the type of person to regularly delete old messages and emails, you are risking that information being exposed in the event of a successful phish. A compromised Twitter account, for instance, might hold thousands of extremely sensitive private messages. If those messages had been read and discarded, an attacker would have no way of seeing that information.
It is advised to regularly delete your emails and messages so that the amount of information contained in a compromised account is limited.