Like many other Twitter users this weekend, I got the following DM from someone I followed:
Hey, i found a website with your pic on it… LOL check it out here <link>
As soon as it arrived, my spidey sense went off:
- Unsolicited? Check.
- Vague message? Yup.
- Wants me to click on a link? Indeed.
This instantaneously causes me to think “Bad link! Do not click!” and I quickly tweeted my concerns. Thankfully many people did the same, which probably saved more than a few people from clicking the link. It did garner a fair bit of attention, since this was the first-ever phish that came via DMs on Twitter and some people are seeing strange activity on certain accounts, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.
This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worst may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for the unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy…
Now, let’s ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded into it? Let’s say @britneyspears posts “Hey guys, check out my new track at (link)!” Thousands of devoted Britney Spears fans clamor to hear their idol’s screeches talents and are directed to a page telling them to log in with their Twitter ID. That page exploits their browser and assigns them to a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.
Lather.
Rinse.
Repeat.
Congratulations! We now have the first Twitter worm! With Twitter’s somewhat notorious instability under high load, at what point would we see a Twitter DoS?
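Both the checklist at the top of the post (unsolicited, vague, wants a click) and the fan-out pattern in the worm scenario can be checked mechanically from a DM log. The Python below is an added illustration, not code from this post or from Twitter: it runs a per-message red-flag check and a fan-out detector over a constructed DM log, then traces which flagged account received the link from which other flagged account. The account names, timestamps and the phish.example link are all made up, and the thresholds (three distinct recipients of the same link within ten minutes) are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")
# Wording typical of bait DMs; an assumed starter list, not an exhaustive one.
BAIT_PHRASES = ("check it out", "your pic", "lol")

# Constructed sample DM log modelled on the DM quoted in the post.
# Fields: (sent_at, sender, recipient, text). Everything here is made up.
T0 = datetime(2009, 1, 3, 10, 0)
PHISH = "Hey, i found a website with your pic on it... LOL check it out here http://phish.example/pic"
SAMPLE_DMS = [
    (T0, "spammer1", "alice", PHISH),
    (T0 + timedelta(minutes=1), "spammer1", "bob", PHISH),
    (T0 + timedelta(minutes=2), "spammer1", "carol", PHISH),
    (T0 + timedelta(minutes=5), "bob", "alice", "did you get a weird DM too?"),
    # alice handed over her credentials; her account now relays the same link
    (T0 + timedelta(minutes=30), "alice", "dave", PHISH),
    (T0 + timedelta(minutes=31), "alice", "erin", PHISH),
    (T0 + timedelta(minutes=32), "alice", "frank", PHISH),
    # a normal one-to-one DM with a link: must not be flagged
    (T0 + timedelta(hours=2), "carol", "dave", "here's the article I mentioned http://news.example/story"),
]


def extract_links(text):
    """Return every http(s) URL found in a DM body."""
    return URL_RE.findall(text)


def dm_red_flags(text, had_prior_contact):
    """Per-message version of the post's checklist: which of the three
    indicators does this DM trip? Returns the list of flags in checklist order."""
    flags = []
    if not had_prior_contact:
        flags.append("unsolicited")
    lowered = text.lower()
    if any(phrase in lowered for phrase in BAIT_PHRASES):
        flags.append("generic bait wording")
    if extract_links(text):
        flags.append("contains link")
    return flags


def find_fanout(dms, min_recipients=3, window=timedelta(minutes=10)):
    """Flag senders that DMed the same URL to at least min_recipients distinct
    accounts inside one sliding window. Returns {sender: (url, recipient_count)}."""
    by_key = defaultdict(list)
    for sent_at, sender, recipient, text in dms:
        for url in extract_links(text):
            by_key[(sender, url)].append((sent_at, recipient))
    flagged = {}
    for (sender, url), sends in by_key.items():
        sends.sort()
        for i, (start, _) in enumerate(sends):
            recipients = {r for t, r in sends[i:] if t - start <= window}
            if len(recipients) >= min_recipients:
                flagged[sender] = (url, len(recipients))
                break
    return flagged


def trace_spread(dms, flagged):
    """Edges (from, to) where a flagged account 'to' received its own fan-out URL
    from 'from' before it started sending it: the worm's propagation chain."""
    ordered = sorted(dms)
    first_send = {}
    for sent_at, sender, recipient, text in ordered:
        if sender in flagged and flagged[sender][0] in text:
            first_send.setdefault(sender, sent_at)
    edges = []
    for sent_at, sender, recipient, text in ordered:
        if recipient in flagged and flagged[recipient][0] in text and sent_at < first_send[recipient]:
            edges.append((sender, recipient))
    return edges


if __name__ == "__main__":
    print("red flags on the quoted DM:", dm_red_flags(PHISH, had_prior_contact=False))
    hits = find_fanout(SAMPLE_DMS)
    print("fan-out senders:", hits)
    print("propagation edges:", trace_spread(SAMPLE_DMS, hits))
```

On the constructed log this flags both the original spammer and alice, whose account starts relaying the same link half an hour after receiving it, and it links the two, while carol's single-recipient DM with a different link is left alone. The same structure works for any message stream where one link fans out from freshly compromised accounts; the per-message checklist alone would not catch alice, because her DMs arrive from a known contact.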
This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before “the big one” hits?
Ben,
Why not educate people like me who are not information system security specialists? I would appreciate learning from experiences and gaining from your insights.
I got an intuitive feeling this weekend and changed my password. Is this a good step in protecting myself against spammer exploitation? What rudimentary steps are available for people like myself?
73
Scot, KA3DRR
P.S. I received an ‘error’ message when using OpenId.
Posted by Scot on January 5th, 2009.