How bad Twitter links & apps can trick you

For more about tricks spammers and hackers use, read “How spammers attack Twitter.”

1. You can do nothing wrong, and still get hacked or hijacked!

Here’s why, and what you can do about it:

  1. You could think you are logging into Twitter.com, but not notice it is a lookalike phishing site.
    How to prevent this: Don’t log in to Twitter.com unless you typed the address in yourself, or you can read “twitter.com” in the URL bar of your browser.
  2. If your user information is stolen somewhere else, you could get hacked on Twitter.
    How to prevent this: Use a unique password on each site you log in to.
  3. Twitter can block a link from the bad guys, but by the next tweet you see, the bad guys may have replaced it with a working link.
    How to prevent this: Be careful what you click, and warn others if you learn of problems.
  4. An infected computer can steal your login info.
    How to prevent this: Keep your anti-virus up-to-date, and don’t log in on computers that you don’t manage yourself.
  5. Using Twitter over a wireless connection (or on a compromised network) can expose your user information.
    How to prevent this: Turn on “HTTPS Only…Always use HTTPS” at http://twitter.com/settings/account

2. How it starts

Imagine you see a link in a tweet that says “OMG! Read the latest blog post from Twitter about this Twitter app!” and click it. Let’s look at six common things that can happen next:

  1. It can take you to the latest blog post from Twitter.
  2. It can take you to something that isn’t the latest blog post from Twitter, but tries to pretend it is. In other words, a malware or spam page.
  3. It can take you to an advertising page selling something, which can be either spam or malware.
  4. It can take you to what looks like the authorization page for a Twitter app. This can be a real app that has NO bad intentions; a real app that DOES have bad intentions; or a fake app page (usually with a spot to type in your username and password).
  5. It can take you to some version of a login page, for example, something that looks like Twitter.com after you have logged out. This is the worst case. It’s trying to get you to believe you have somehow been logged out of Twitter.com due to an error, hoping you will click to log in so they can steal your login info and hack your account. If successful, not only can your Twitter account be hacked, they may also try your login info on other popular websites like Facebook, Yahoo, LinkedIn, etc. and see if they can hack into those accounts as well.
  6. It can take you nowhere, possibly because it used to lead to an app Twitter has suspended, or a link that has been blocked.

3. Warn others even after Twitter catches bad links

Option 6 means Twitter is protecting you. So you might figure that other people who click the Tweet don’t need to be warned, since Twitter has blocked the bad stuff. But the bad guys, as soon as they detect that a link or site has been blocked, keep tweeting the same or similar things with new links and websites that do the same bad things. And until Twitter catches it again, more people are spammed or infected with malware.

This is one reason spammers and accounts that send malware links try to create a lot of Twitter accounts, so that they can keep tweeting links to bad stuff. They will vary the text to avoid detection, and change the links to replace links that have been caught with new ones.

Also, realize that many advertising pages are not really designed to sell you something; they are designed to infect your computer or steal your personal information. So even if you’re positive something is just “harmless” spam, it can be very dangerous.

So if you ever see multiple spam-like messages that you fear others may click on, or click one yourself and find it blocked, it’s worth warning others. (Of course, with some messages it may seem very obvious that you should NOT click on them, and I understand that you might not want to warn people about them.)

4. Protect yourself and others

  1. Never log in to Twitter.com from a link. You should type “Twitter.com” into your browser by hand if you think you need to log in, or at the very least, read the URL at the top of your browser very carefully to ensure you really ARE at Twitter.com.
  2. If you think you have been hacked, visit http://bit.ly/BlockBadApps and read http://bit.ly/IfTwitterHacked (tweet this advice).
  3. If someone you trust even a little seems to be sending bad links, DM them and @ them to let them know they may have been hacked.
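
The “read the URL very carefully” check from item 1, written out as an added example (it is not code from the original article). It assumes that twitter.com and its subdomains are the only hosts to trust; the sample links are constructed and use reserved .example names.

```javascript
// Added example: decide whether a link really points at twitter.com.
// Assumption: only twitter.com and its subdomains count as the real site.
const TRUSTED_DOMAIN = "twitter.com";

function classifyLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG URL parser, the same rules a browser applies
  } catch {
    return { trusted: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not HTTPS" };
  }
  // "https://twitter.com@other.example/" connects to other.example:
  // everything before the @ is a username, not the site.
  if (url.username || url.password) {
    return { trusted: false, reason: "text before @ is not the site" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing dot
  // Non-ASCII lookalike letters are parsed into punycode labels (xn--...).
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, reason: "lookalike characters in host" };
  }
  // Exact match or a true subdomain; "twitter.com.x.example" fails both.
  if (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN)) {
    return { trusted: true, reason: "host is " + host };
  }
  return { trusted: false, reason: "host is " + host };
}

// Constructed sample links (reserved .example names, not real sites).
const SAMPLE_LINKS = [
  "https://twitter.com/login",
  "https://mobile.twitter.com/settings/account",
  "http://twitter.com/login",
  "https://twitter.com.login-check.example/session",
  "https://twitter.com@login-check.example/",
  "https://tw\u0456tter.com/login", // Cyrillic "і" in place of Latin "i"
];

for (const link of SAMPLE_LINKS) {
  const { trusted, reason } = classifyLink(link);
  console.log((trusted ? "OK    " : "AVOID ") + link + "  (" + reason + ")");
}
```

Only the first two sample links come back as trusted; the others are the lookalike patterns a careful read of the URL bar is meant to catch.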

5. What Twitter does

Besides suspending bad apps (eventually) and blocking bad links (eventually), Twitter may reset passwords on accounts that have been hacked, especially if thousands are hacked at the same time. The @spam, @safety and @support accounts will tweet or retweet warnings or explanations of problems. And Status.Twitter.com will often share information if a hack becomes very, very widespread. Also, Twitter removes scams and spam hourly and daily.

6. Ways your Twitter account can get hijacked

  1. Your computer can be infected, and whoever is controlling the malware already on your computer can decide to use it to compromise your Twitter account (if the malware is designed to be able to do that). Just being infected doesn’t mean information can be stolen from your computer. Not all malware works in that way.
  2. You can give your Twitter account to some site that asks for your Twitter login (even if you did this long ago), either thinking it is okay, or because you were fooled into thinking you were logged out of Twitter.com.
  3. You are using a wireless connection, and have not set your Twitter account to HTTPS, and your login info is stolen through the air.
  4. You are using a wireless connection, and HAVE set your Twitter account to HTTPS, but someone has been “listening” in for a while and has cracked your information or figured out how to initiate a “man in the middle” attack that fools your computer into thinking it is connecting to Twitter.com directly when it isn’t. These scenarios are exceedingly unlikely, but still possible.
  5. You click something that pops up while browsing the web asking you to authorize something that turns out to be malware.
  6. You use the same password on more than one site, and someone stole your password from one site and is now using it to hack into your Twitter account.

Realize that you can be hacked or infected even if you have done nothing wrong. When a company gets hacked, hackers often try the usernames and passwords they have stolen from the company on other sites. So if you used a company years ago for your email address, stopped using it but didn’t delete your account, and you use that password on other sites, then if that company is hacked, you could be hacked on those other sites. Yes, they would have to figure out your username, but if you also use the same username or email address on multiple sites, hackers with stolen passwords have all they need.

7. How to make unique passwords easy:

Best is to add a letter to the end of each password so they’re different on each site. For example, if your password is 1W#m3H$, change it by adding a letter that corresponds to the site you’re on:

  1. 1W#m3H$T for Twitter
  2. 1W#m3H$F for Facebook
  3. 1W#m3H$L for LinkedIn
  4. Etc.

Also, although you CAN visit a site that infects your computer just by visiting, or that steals your login info, this is rare. It mostly only happens to people who are not using anti-virus programs or whose anti-virus programs are somehow not working properly. For example, adding an anti-virus program to an already infected computer will not necessarily get rid of all malware.

More commonly, you would have to authorize something that the website pops up before you’re in trouble. Also, stealing your Twitter login info directly just by visiting a site in this way is no longer possible (though it used to be).


1,369 thoughts on “How bad Twitter links & apps can trick you”

  1. Your lawyer can help you seek justice in the following
    ways: With an increasing demand for child injury lawyer New York, there are
    many lawyers that are making web presence.
    You may be surprised at some of the rules and HR expert and business owner Jean Scheid reveals the ins and outs of
    workers comp leave.

  2. Spot on with this write-up, I actually believe this amazing site needs a great deal more attention. I’ll probably be
    returning to see more, thanks for the advice!

  3. Such references can help you choose the best lawyer
    who can better serve your purpose. With an increasing demand for child
    injury lawyer New York, there are many lawyers that are making
    web presence. Like buying a commodity in grocery stores or finding the right school for
    educating your young or finding the best architect to do the
    design works for you, people tend to look for the best.

  4. Nice post. I learn something totally new and
    challenging on sites I stumbleupon every day. It’s always useful to read through
    content from other writers and use a little something from
    other sites.

  5. Thank you, I have just been searching for info approximately this subject for a while and yours is the greatest I’ve discovered till now.
    But, what concerning the bottom line? Are you sure in regards to the supply?

  6. Hiya! I know this is kinda off topic but I’d figured I’d ask.
    Would you be interested in exchanging links or
    maybe guest authoring a blog article or vice-versa?
    My site covers a lot of the same subjects as yours and I feel we could greatly benefit from
    each other. If you’re interested feel free to send me an e-mail.
    I look forward to hearing from you! Great blog by the way!

  7. If even worse happens to worst and your opponents do someway control to get a hand on the
    actually-elusive Janna or her properly-guarded allies, then she even has a shield that she can activate on herself, a good friend or even a tower.
    Items: start off with either an Amplifying Tome or Doran’s Blade
    to activate one of her passive abilities. If the target
    has already been ‘chilled’ by other abilities, such as Flash Frost, then they will take
    double the damage of Frostbite.

  8. Hello there! This post couldn’t be written any better!
    Reading through this post reminds me of my old room mate! He always kept talking about
    this. I will forward this post to him. Pretty sure he will have a good read.
    Thanks for sharing!

  9. I believe what you posted made a ton of sense.

    However, what about this? what if you were to create a killer
    headline? I mean, I don’t want to tell you how to run your
    blog, however suppose you added a headline to possibly get a person’s attention? I mean How
    bad Twitter links & apps can trick you |
    Tweet Smarter is kinda vanilla. You ought to peek at Yahoo’s front page and note how they create article titles to get people interested.
    You might try adding a video or a related picture or two
    to get readers excited about everything you’ve written. Just my opinion, it could bring your website a little livelier.
