Friday 5 July 2013

Spear-Phishing On Twitter: How Not To Become The Catch Of The Day

Spear Phishing
Regular phishers send out random phishing e-mails in an attempt to hook as many people as possible into giving away sensitive information. Spear-phishing is a more targeted and insidious pursuit. It targets specific people and entices them to reveal information to cyber criminals. Cyber security professionals are constantly updating their tactics to compete with and stay ahead of these cyber criminals.

Cyber-criminal-turned-security-consultant Kevin Mitnick says that cyber criminals can easily find targets for spear-phishing through social networks. "I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets," Mitnick explains. "Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access."

Twitter, in particular, has become a frequent spear-phishing target. Knowing how these attacks work and how to avoid them can prevent the loss of important data.

Spear Phishing Through Direct Messages

When people receive direct messages on Twitter that look like they're from legitimate connections, they may be tempted to click on malicious links. A recent example of a direct message spear-phishing attempt involved a Twitter direct message that said something like, "Funny picture of you, check it out, LOL" followed by a shortened URL. When the user clicked the link, a fake Twitter login screen appeared. The user entered credentials and gave the criminals control of the account.

Take the following precautions to avoid getting caught by direct message spear phishing:

  • Never open a link that you receive in a Twitter direct message. You can always confirm whether or not the person actually sent the message by calling or e-mailing to verify its authenticity.

  • Check the URL. In this case, before logging in, check to see that the domain name is "". Some criminals may use a URL like "" that looks legitimate when the user only glances at it.

  • Think about the context. Never click a direct message that seems suspicious in any way.
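To make the "check the URL" advice concrete, here is an added example, not part of the original article, in Python. It pulls the host out of a URL the way a browser would and compares it against the login domain you expect, flagging the tricks the article alludes to (the real domain buried inside a longer host, a one-character typo, or the real domain placed in the user-info part before an "@"). It assumes twitter.com is the domain to check against, since the article's own domain examples did not survive, and every sample URL below is constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the legitimate login domain we expect to see. Swap in whatever
# site you are about to type a password into.
EXPECTED_DOMAIN = "twitter.com"


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, expected=EXPECTED_DOMAIN):
    """Return a short verdict on whether `url` really points at `expected`.

    Verdicts: "ok", "userinfo trick", "lookalike", "typosquat",
    "internationalized host", "different domain", "no host".
    """
    # Add a scheme if the link was pasted bare, so urlsplit finds the host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "no host"
    # "https://twitter.com@example.net/" -- the part before "@" is user info,
    # not the host; a glance at the left of the URL is what the trick relies on.
    if parts.username and expected in parts.username.lower():
        return "userinfo trick"
    # The genuine domain or one of its own subdomains.
    if host == expected or host.endswith("." + expected):
        return "ok"
    # "twitter.com.example.net" -- the real name is just a leading label.
    if expected in host:
        return "lookalike"
    # Browsers show internationalized names as xn-- labels; in a host that
    # should be plain ASCII that deserves a second look.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "internationalized host"
    # One character off from the real domain, e.g. "twltter.com".
    if edit_distance(host, expected) <= 1:
        return "typosquat"
    # Anything else, including URL shorteners that hide the real destination.
    return "different domain"


def check_many(urls, expected=EXPECTED_DOMAIN):
    """Map each URL to its verdict; convenient for reviewing a batch of links."""
    return {u: classify(u, expected) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    samples = [
        "https://twitter.com/login",
        "https://mobile.twitter.com/",
        "https://twitter.com.example.net/login",
        "https://twitter.com@example.net/login",
        "http://twltter.com/login",
        "http://t.co/abc123",
    ]
    for link, verdict in check_many(samples).items():
        print(f"{verdict:22} {link}")
```

The only verdict that should ever be followed by typing a password is "ok"; "different domain" covers shortened links, which is exactly why the article says not to trust a shortener in a direct message until you know where it lands.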

Suspicious Apps Asking You to "Login With Twitter"

In April, an app called "" circulated around Twitter. The app claimed to use information like a Twitter user's age and number of followers to calculate how much time the user had spent on Twitter. Users simply clicked a button on the app's home page that said, "Login With Twitter." This app was another way of obtaining Twitter login credentials. The app has changed names a few times since people started to complain that it had a broken dashboard, bombarded them with ads and sent tweets from their accounts without permission. For instance, it has used the names "" and "Twalue." To stay out of danger from apps like this, take these steps:

  • Avoid "Login With (Social Network)" buttons. If you want to post to social media through an app, then do it manually instead of allowing the app to have automatic access to your account.

  • Use different passwords for everything, and change them regularly. For example, don't use your Twitter password as your bank account password.

Twitter Account Hijacking

Some Twitter links can inject a "man-in-the-middle" attack into your Web browser. For example, a recent Twitter spear-phishing attack from the Netherlands involved targets receiving a tweet from a trusted connection that said, "Beyoncé falls during the Super Bowl concert, very funny!!!!" When users clicked the link, malware took over their Web browsers and looked for vulnerabilities to exploit. When the unknowing users logged in to other sites, such as their financial institutions, criminals automatically had their banking login credentials.

Avoid hijacking by keeping these points in mind:

  • Keep your antivirus software up to date. Download updates immediately, or set your program for automatic update.

  • Always install patches and operating system updates. Of course, software updates and patches pop up for installation when you're in the middle of a project, and you probably don't have time to download them and restart your computer. Think of it this way: You don't have time for a malware infection or identity theft, either. Just stop, drop what you're doing and download the update.

  • Respond quickly if someone reports unusual tweets from your account. If a friend tells you that your account is sending out strange or spammy tweets, then go to Twitter's login page immediately and change your password. If you've used that password on other accounts, like your online banking service, then change the password in those places as well.

About The Author: James Hallowell provides social media consulting services for a number of SMBs and enterprises throughout North America.

Did you find this article helpful? Have you been the target of spear-phishing on Twitter? Please let James and myself know by leaving us your valued comments.

Would you like to guest post on the blog? Please use the Contact tab above to get in touch if you write business-related articles or articles on the topics of Internet Marketing, Affiliate Marketing, Social Media Marketing/Optimisation (SMO), Blogging, Search Engine Optimisation (SEO) or Search Engine Marketing (SEM).

If you found this or any of my other posts helpful, don't forget to share the posts to your favourite networks using the toolbar below or by using the "+1" and "Share" buttons located at the bottom of each post.

As ever, if you want to stay up to date with the latest blog posts, don't forget to follow via Google Friend Connect (button on sidebar), on NetworkedBlogs, via Email (maximum of one email per day), on Facebook and Google+ or by subscribing to our blog feed at:

You can also follow me on Twitter @djones1509, Google+ and on Facebook at:

Until my next post on Monday with ten tips for small businesses using LinkedIn, be safe online and have a wonderful and relaxing weekend!

© 2013. This article is DMCA protected. Republication is prohibited.


  1. Great tips! This is becoming a real problem on Twitter but if you stay vigilant, then your personal data will not fall into the hands of cyber-criminals.

  2. I agree with Daniel, the key is constant vigilance. Don't let those money-making tricks fool you.


Please note: To combat comment spam, non-constructive comments and comments containing links will be rejected. All submitted comments are subject to moderation before they are published on the blog.

I have received reports that some people have been experiencing problems when commenting on the blog. If you experience any problems when posting your comment, please send me an email with your comment plus the post title using the Contact tab above and I will manually include it for you. You can also send your comment via private message on Facebook.

Your blog comments are always appreciated and thank you for your patience while we try to resolve this issue.