The inevitable rise (and fall?) of 'twishing'

The phishing or "twishing" situation happening with Twitter is merely the tip of the iceberg. Rather than dig into the situation myself -- including the OAuth debate -- I've turned it over to one of  my more technical-brained friends.
Written by Jennifer Leggio, Contributor

The phishing or "twishing" situation happening with Twitter is merely the tip of the iceberg. Rather than dig into the situation myself -- including the OAuth debate -- I've turned it over to one of  my more technical-brained friends. Damon Cortesi is a security consultant who has also authored a multitude of Twitter tools, including the popular TweetStats and DM Whacker. Read below for his good perspective on the progression of phishing and Twitter's security challenges.

Guest editorial by Damon Cortesi

The inevitable rise (and fall?) of ‘twishing’
The social network Twitter was the unfortunate target of some pretty heavy phishing this past weekend. Sadly, this is most definitely not a new concept. Phishing and spam frequently go hand-in-hand and the first major commercial Internet spam is often cited as occuring in 1994.

What's also not new is the progression that this will take. Time and time again, we have seen this trend repeat itself in various facets of the Internet.

We'll start with the simple example: email Email phishing attempts were originally very obvious and had frequent evidence that indicated a definite lack of legitimacy - spelling errors, incomplete sentences, incoherence, etc. Fast forward to today and I receive emails that are exact copies of legitimate marketing emails sent out by banks and other agencies. The only differences are that the link behind the text points to a different URL, and the email originated from a source not owned by the purported company. I've often seen these and had to think twice before I realized I didn't even have an account at that institution. The majority of these emails are targeted at financial gain by obtaining banking credentials or personally identifiable information.

Now let's take a look at social networks With the advent of such a large and diverse population on the Internet, social networks have risen tremendously in the past few years. Facebook, for example, has over 140 million active users. MySpace doesn't publish its statistics, but according to compete.com, both sites had approximately 50 million unique visitors in November, 2008. With that many users in one place, it is a target rich for phishing.

Both MySpace and Facebook have dealt with various forms of spam and phishing attacks. The gold-mine (for scammers) is that these networks facilitate instant communication and proliferation of scams.

There is also a progression here as these networks have grown. Step 1 is that early attacks on MySpace and Facebook may have been fairly rudimentary and email-based. Which takes us to Step 2. Once the attackers realized how the social networks functioned, however, we saw attacks in early 2008 taking advantage of Facebook wall posts.

This is a highly effective method as it takes advantage of false sense of security these networks provide. It requires more development from the attackers, but given a network of 140 million active users in any given month...that's definitely worth it.

Next: Twitter's security challenge -->

One year later and we have this past weekend's attack on Twitter. This was a fairly rudimentary and noisy attack, but it certainly indicates that Twitter is now mainstream enough to be successfully taken advantage of. Potentially related to the phishing attack (it is believed Twitter's support tools were externally accessible), is the fact that 33 accounts were hacked due to a compromise of Twitter security. Perhaps fortunately, the messages posted under the guise of these popular accounts were childish and did not attempt to redirect users to adware/malware sites, save for the richest target.

While the openness of the Twitter network was likely critical in raising awareness of the phishing attack, it could also be detrimental if future attackers are slightly more inconspicuous in their attempt. Barack Obama's Twitter account was also hacked, but as Twitter was in the middle of handling the phishing fiasco...the offending message was removed within minutes. Imagine if that account had been subtly used days or weeks later when Twitter wasn't looking - it has over 150,000 followers. Every single one of those users could be at risk.

Twitter is a particular challenge due to generally accepted practices on the site. For example, it's not uncommon for somebody to have tens of thousands of people that "follow" them. This is a spammer's dream - the ROI is fantastic when compromising one account leads to thousands of followers. They go for a decent price on black markets where social network accounts are traded and sold. Further, Twitter users are popular of "re-tweeting" popular URLs or links. It's not difficult for a simple application to gain immediate popularity. Twitter even had a phishing scare in late 2008 when a sparse site called Twitterank spun up overnight, but had no apparent design or purpose. As a proof of concept, I made a direct spoof of the site at TwitterAwesomess and people were more than happy to put in their credentials. Finally, Twitter shortens any URL greater than 30 characters and it is common for people to do this manually to save space in the 140-character world. As such, it is nearly impossible to know the final destination of links further leading to little information a user has at their disposal to make smart decisions.

This weekend was the spamming and phishing community learning how Twitter works. The phishing attempts will only progress from here. With such a lucrative target, I would not be surprised to see a smart attack in the future that is adjusted to the quirks of how people use Twitter versus other networks.

Damon Cortesi is an information security consultant that specializes in web application security and product development surrounding automation and visualization of security data. He is a director at Alchemy Security and blogs on Web application security at StartupSecurity.infofocusing on issues relevant to startups. Feel free to harass him on Twitter where he's known as @dacort.

Editorial standards