For more about tricks spammers and hackers use, read “How spammers attack Twitter.”
1. You can do nothing wrong, and still get hacked or hijacked!
Here’s why, and what you can do about it:
- You could think you are logging into Twitter.com, but not notice it is a lookalike phishing site.
How to prevent this: Don’t log in to Twitter.com unless you typed the address yourself, or you can read “twitter.com” in the URL bar of your browser.
- If your user information is stolen somewhere else, you could get hacked on Twitter.
How to prevent this: Use unique passwords on each site you log in to.
- Twitter can block a link from the bad guys, but by the time you see the next tweet, the bad guys may already have replaced it with a working link.
How to prevent this: Be careful what you click, and warn others if you learn of problems.
- An infected computer can steal your login info.
How to prevent this: Keep your anti-virus up to date, and don’t log in on computers that you don’t manage yourself.
- Using Twitter over a wireless connection (or on a compromised network) can expose your user information.
How to prevent this: Turn on “HTTPS Only…Always use HTTPS” at http://twitter.com/settings/account.
2. How it starts
Imagine you see a link in a tweet that says “OMG! Read the latest blog post from Twitter about this Twitter app!” and click it. Let’s look at six common things that can happen next:
- It can take you to the latest blog post from Twitter.
- It can take you to something that isn’t the latest blog post from Twitter, but tries to pretend it is. In other words, a malware or spam page.
- It can take you to an advertising page selling something, which can be either spam or malware.
- It can take you to what looks like the authorization page for a Twitter app. This can be a real app that has NO bad intentions, a real app that DOES have bad intentions, or a fake app page (usually with a spot to type in your username and password).
- It can take you to some version of a login page, for example, something that looks like Twitter.com after you have logged out. This is the worst case. It’s trying to get you to believe you have somehow been logged out of Twitter.com due to an error, hoping you will click to log in so they can steal your login info and hack your account. If successful, not only can your Twitter account be hacked, they may try your login info on other popular websites like Facebook, Yahoo, LinkedIn etc., and see if they can hack into those accounts as well.
- It can take you nowhere, possibly because it used to lead to an app Twitter has suspended, or a link that has been blocked.
3. Warn others even after Twitter catches bad links
Case 6 above means Twitter is protecting you. So you might figure that other people who click the Tweet don’t need to be warned, since Twitter has blocked the bad stuff. But the bad guys, as soon as they detect that a link or site has been blocked, keep tweeting the same or similar things with new links and websites that do the same bad things. And until Twitter catches it again, more people are spammed or infected with malware.
This is one reason spammers and accounts that send malware links try to create a lot of Twitter accounts, so that they can keep tweeting links to bad stuff. They will vary the text to avoid detection, and swap out links that have been caught for new ones.
Also, realize that many advertising pages are not really designed to sell you something; they are designed to infect your computer or steal your personal information. So even if you’re positive something is just “harmless” spam, it can be very dangerous.
So if you ever see multiple spam-like messages that you fear others may click on, or click yourself and find it blocked, it’s worth warning others. (Of course, some messages may seem very obvious that you should NOT click on them, and I understand that you might not want to warn people about them.)
4. Protect yourself and others
- Never log in to Twitter.com from a link. You should type “Twitter.com” into your browser by hand if you think you need to log in, or at the very least, read the URL at the top of your browser very carefully to ensure you really ARE at Twitter.com.
- If you think you have been hacked, see http://bit.ly/BlockBadApps and read http://bit.ly/IfTwitterHacked (tweet this advice).
- If someone you trust even a little seems to be sending bad links, DM them and @ them to let them know they may have been hacked.
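The “read the URL bar” rule from sections 1 and 4 is easy to get wrong: “twitter.com” appearing somewhere in the address is not enough, because a lookalike site can put “twitter.com” in a subdomain, in the path, or in front of an “@”. This added example (not code from the original post) is a small Python check that applies the rule precisely: an address counts as Twitter only if the host the browser will actually connect to is twitter.com or a subdomain of it. The function names and all sample addresses are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# The host the page tells you to look for in the address bar.
GENUINE_HOST = "twitter.com"


def host_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to for this address.

    A bare "twitter.com/login" (no scheme) is treated as https:// so that
    text copied from an address bar can be checked as-is.  Non-web schemes
    and unparseable input give None.
    """
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname is lowercased and drops any port and any "user@" prefix,
    # so "https://twitter.com@example.net/" correctly yields "example.net".
    return parts.hostname


def is_genuine(url: str, genuine_host: str = GENUINE_HOST) -> bool:
    """True only if the host is exactly genuine_host or a subdomain of it.

    Exact match plus a dotted-suffix check, rather than 'contains' or a
    plain endswith(), so that "nottwitter.com" and
    "twitter.com.login-example.net" are both rejected.
    """
    host = host_of(url)
    if not host:
        return False
    return host == genuine_host or host.endswith("." + genuine_host)


def classify(urls):
    """Map each address to True (genuine) or False (do not log in here)."""
    return {u: is_genuine(u) for u in urls}


# Constructed sample addresses: the first three are genuine, the rest are the
# kinds of lookalikes the post warns about.
SAMPLES = [
    "https://twitter.com/settings/account",
    "twitter.com",
    "https://mobile.twitter.com/",
    "https://twitter.com.login-example.net/",  # real site name in a subdomain
    "https://nottwitter.com/",                  # shares a suffix only
    "http://twitter.com@example.net/",          # "user@" trick; host is example.net
    "https://twiter.com/login",                 # misspelling
    "ftp://twitter.com/",                       # not a web address at all
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLES).items():
        print(f"{'OK     ' if ok else 'REFUSE '} {url}")
```

Run it and only the first three samples are marked OK; everything else, including the address that literally starts with “twitter.com”, is refused because the connecting host is something else.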
5. What Twitter does
Besides suspending bad apps (eventually) and blocking bad links (eventually), Twitter may reset passwords on accounts that have been hacked, especially if thousands are hacked at the same time. The @spam, @safety and @support accounts will tweet or retweet warnings or explanations of problems. And Status.Twitter.com will often share information if a hack becomes very, very widespread. Also, Twitter removes scams and spam hourly and daily.
6. Ways your Twitter account can get hijacked
- Your computer can be infected, and whoever is controlling the malware already on your computer can decide to use it to compromise your Twitter account (if the malware is designed to be able to do that). Just being infected doesn’t mean information can be stolen from your computer. Not all malware works in that way.
- You can give your Twitter account to some site that asks for your Twitter login (even if you did this long ago), either thinking it is okay, or because you were fooled into thinking you were logged out of Twitter.com.
- You are using a wireless connection, and have not set your Twitter account to https, and your login info is stolen through the air.
- You are using a wireless connection, and HAVE set your Twitter account to HTTPS, but someone has been “listening” in for a while and has cracked your information or figured out how to initiate a “man in the middle” attack that fools your computer into thinking it is connecting to Twitter.com directly when it isn’t. These scenarios are exceedingly unlikely, but still possible.
- You click something that pops up while browsing the web asking you to authorize something that turns out to be malware.
- You use the same password on more than one site, and someone stole your password from one site and is now using it to hack into your Twitter account.
Realize that you can be hacked or infected even if you have done nothing wrong. When a company gets hacked, hackers often try the usernames and passwords they have stolen from the company on other sites. So suppose you used a company years ago for your email address, stopped using it years ago, but never deleted your account: if that company is hacked, and you use that same password on other sites, you could be hacked on those other sites too. Yes, they would have to figure out your username, but if you also use the same username or email address on multiple sites, hackers with stolen passwords have all they need.
7. How to make unique passwords easy
The easiest way is to add a letter to the end of each password so they’re different on each site. For example, if your password is 1W#m3H$, change it by adding a letter that corresponds to the site you’re on:
- 1W#m3H$T for Twitter
- 1W#m3H$F for Facebook
- 1W#m3H$L for LinkedIn
Also, although you CAN visit a site that infects your computer just by visiting, or that steals your login info, this is rare. It mostly only happens to people who are not using anti-virus programs or whose anti-virus programs are somehow not working properly. For example, adding an anti-virus program to an already infected computer will not necessarily get rid of all malware.
More commonly, you would have to authorize something that the website pops up before you’re in trouble. Also, stealing your Twitter login info directly just by visiting a site in this way is no longer possible (though it used to be).