Twitter CFO's Account Spews 'Can't Stop Laughing' Spam Links
How many times have we told you not to click on that mysterious link? Perhaps Twitter CFO Anthony Noto wasn't listening. On Tuesday, Noto's Twitter account began spewing out hundreds of garbage tweets like "OMG when did you do this?" and "I can't stop laughing!" with links attached.
It's not clear how Noto's account was compromised. But the links to spam websites, it turns out, were likely phishing attempts -- which one of our editors nearly succumbed to, though he was saved by the company firewall.
Don't Follow That Link!
Urging users to click on a spam link is an insanely easy way to compromise an account. Unlike brute-forcing a password, which can be difficult and time-consuming (as well as next to impossible if the user has two-factor authentication turned on), a phishing attack can work in several ways: for example, it can send a user to a website infected with malware, or it can trick a user into entering his or her login information on a fake login page, allowing attackers to collect usernames and passwords.
The latter is what happened to The Associated Press in 2013, in what appeared to be a targeted attack by a group called the "Syrian Electronic Army." The SEA sent emails to select AP staffers, collected their login information, then found a way into the organization's Twitter account.
To make matters worse, an attacker may assume that your Twitter credentials are more or less the same as those for your other accounts, like your email. This is a popular way to gain access to sensitive business information -- and it works only because the assumption is often correct. Many people use the same login information for everything.
'That's Amazing! I Have the Same Combination on My Luggage!'
So here's what you do to avoid having your Twitter account compromised, your other accounts compromised, and all your nude iCloud photos posted on Perez Hilton:
- Use two-factor authentication. Even if an attacker has your login name and password, he or she can't log in without your phone or the device you use to generate the authentication code.
- Don't use the same password for every website and email address. Especially don't use the same passwords for your primary and "backup" email addresses.
- Don't click on strange links from people you don't know -- or even from people you do know. Whenever I get a strange link from someone I know, I send him a separate email asking if he meant to send it. The answer is usually, "No, I didn't." Because he got h4xx0red.
- Twitter CFO's account compromised (USA Today)
- Phishing: The Easy Way to Compromise Twitter Accounts (Symantec Security Response Blog)