Cybercrooks Descend on Twitter
Cybercriminals are rapidly using Twitter - the popular Web-messaging service - to direct users to Web sites that sell porn and fake drugs and trigger promotions for fake anti-virus subscriptions.
"We're starting to see a groundswell of attacks," says Dan Hubbard, chief technology officer at Websense, an Internet security firm. "Spam is usually the first bad thing we see before it escalates to things more nefarious."
An escalation seems inevitable. Anyone can sign up anonymously for a Twitter account and begin pushing unfiltered messages across the Internet.
Another problem: Twitter's intensive use of shortened Web links, or URLs, which let you point to Web pages in short messages. That has made it easy for cybercrooks to spread infectious URLs that can give an attacker control of your PC, says Stefan Tanase, researcher at Kaspersky Lab, which makes anti-virus software.
Bad URLs have become so prevalent on Twitter in the past several weeks that active Twitterers are seeing several a day.
"The more active a Twitter user is, the more attacks he or she is seeing," says Tanase.
Attackers also are exploiting security weaknesses in popular Twitter add-on services. For example, last week someone cracked photo-sharing service TwitPic and stole Britney Spears' Twitter log-on. The person sent messages, called tweets, to the pop singer's followers saying she had died.
Cybercriminals could easily use similar security flaws in Twitter add-ons to take control of users' PCs, steal their data and hijack their online bank accounts.
Twitter co-founder Biz Stone says Twitter takes malicious attacks seriously.
"We understand that this job is never done, so we are actively recruiting staff and developing tools to combat spam and enhance security," says Stone.
Twitter has issued a list of suggested security practices that add-on developers should follow.
But the advice is "basic information" and lacks any enforcement mechanism, says PandaLabs researcher Sean-Paul Correll.
"Sadly, security is rarely viewed as a top priority" by add-on developers, he says.
In an attempt to get Twitter to move more quickly to improve security, Tel Aviv-based researcher Aviv Raff last week began listing on a Web page security holes he has found on popular add-on services. He plans to release one a day in July.
"Bad guys are already abusing Twitter services," says Raff. "Twitter should have been thinking more about security."
Twitterers should make sure they use anti-virus protection, install all Windows, Apple, Adobe and Java updates and be wary of all shortened URLs, security experts say.