Last week Twitter announced that they had installed a service that will inspect some of the URLs that are submitted through its systems.  The issue they’re trying to solve is primarily in shortened URLs which hide the destination address.  It’s been used by bad guys to hide malicious destinations.  Dave mentioned this technique a couple weeks ago and gave some great tips on how to avoid the being a victim.  Maybe the Twitter security crew was listening?

In the announcement, Twitter mentions that they’ll focus on direct messages and email notifications about direct messages.  I applaud the effort and hope it’s effective.  I wanted to point this out and give Twitter props for working on the problem.  We’ll have to see how effective it is but it’s great to see an attempt toward progress.

Hopefully we’ll see more news like this from other social media providers.

Looks as though a third party app was hit for a phishing scam that has allowed the perps to appear to take over hundreds of Twitter accounts. According to Mashable, since all of the spammed tweets mention coming from the API, the accounts themselves are probably still OK. It’s the app they’ve allowed access to that’s been compromised.

TIP: Always think twice before giving an app access to your account. Do your friends use it? Have they had problems? When in doubt, Google the app. See if it’s legitimate before you click allow.

Spammers harvesting emails from Twitter in real time!

As if you didn’t have enough things to worry your pretty heads about, spammers have figured out a simple email harvesting trick using Twitter. This is too easy. Straightforward queries for tweets containing, “gmail.com”, “email me at”, “contact me at” etc. reveal thousands of tweets that can be quickly scraped and harvested with a script.

TIP: Never reveal your email openly on Twitter. DM only!

Attackers, like marketers, are targeting brands better

I work in an ad agency, so I can tell you firsthand, marketers are getting damn good at targeting niche audiences and individuals. Unfortunately, so are online criminals. According to Cyveillance’s 2009 Cyber Intelligence report [PDF]:

“Cyveillance determined that during the second half of 2009, 399 brands were first-time targets of phishing attacks, nearly double the amount of first-time targets than in the first half of the year. Averaging more than 36,000 confirmed, unique attacks per month in the same period of 2009, phishing attacks continue to succeed, the report says.”

Points for style

While the Koobface gang (responsible for the Koobface botnet and several online pranks) may be somewhat nasty, you have to give them points for style and humor.

Here’s another good take on the Twitter “Is this you lol” Phishing scam. I really like that author, Graham Cluley reminds readers to use better passwords. People. This is basic and yet 33% of you use the same password everywhere. This is ludicrous.

Would you pin your child’s social security number to their jacket and send them to school? Of course not! But you’ll use the same password because you can’t be bothered to spend 30 seconds to think of a new one. I mean, that’s 30 seconds less you would get to play Farmville, god forbid.

But I digress… Let’s be constructive here. Passwords. There is nothing more critical to the security of your basic identity than having a set of good passwords to use. I know what’s running through your head right now. “I know, I know should do that, but I just can’t remember more than one and I know enough not to tape it under my keyboard.” Congratulations. You’re half way to recovery. Now you just need some tools.

Unless you have a truly random brain, you need to use a password generator. There are several free ones. Go use these ones now.

1. Strong Password Generator is one of my favorites. You can choose the number of password characters (please don’t choose fewer than 12), whether or not to include symbols (yes, please!) and it even gives mnemonic hints to help you recall the password, despite it being quite random.
2. From Bytes Interactive comes two password generators. One creates passwords similar to Strong Password Generator with several options, the other generator creates 1337 passwords (LEET) which are based on a phrase you can recall. They also have a secure server.
3. RandPass has been online forever and generates very good passwords. What I like about them is the ability to generate large batches of passwords at once.

You also need some place to store passwords, but no, written down on paper is for chumps who deserve to be robbed blind. Do it right. Use a password database. Here are some of my favorites:

1. 1Password. This costs $40, but isn’t your identity worth it? 1Password can also generate them for you and has a 100% moneyback guarantee. It also comes as an iPhone app. Mac only
2. OnePassword is free. It integrates into Internet Explorer as a toolbar and has many of the features of 1Password.
3. How about your blog? A great plugin by Marcel Bokhorst exists for WordPress, called One-Time Password. As the name implies, it generates password logins for WordPress that can only be used one time, preventing password theft. Outstanding plugin.

Hope these tips help! Do you know of any good password generators or password databases I didn’t mention? Let us know in the comments.

From Mashable today:

“A Twitter phishing attack is spreading rapidly today, attempting to obtain Twitter logins via Direct Messages. If you receive a message reading “lol, is this you”, and linking to a site called “bzpharma”, do not click the link.”

Phishing scams are on the rise and Twitter and Facebook will likely bear the brunt of them. Please, always check the links first. There are a few ways to do this:

1. Always let your mouse hover over the link before clicking it. This way, you can see where the link is going before you click on it. If it’s a pharmaceutical site, and you’re not in the healthcare profession, it’s probably a scam.
2. On the Firefox and Chrome browsers, you can install a handy plugin called, Bit.ly Preview. This plugin shows the full URL of shortened links on Twitter. While not all links are shortened using Bit.ly, most are, and Bit.ly is the default URL shortener of Twitter.

Have you encountered any phishing scams on Twitter or Facebook? How did you resolve them?