New Targets
Tweet Safely: Twitter Scams to Dodge
By Michelle V. Rafter
Monica Bhide didn’t realize what was happening when she innocently clicked on her friend’s Twitter page. The stream of messages coming from her friend’s account was so strange that Bhide, a cookbook author from Tysons Corner, Va., clicked over to the friend’s Twitter profile page to investigate.
That simple action was all it took for a worm that had infected Bhide’s friend’s Twitter account to attack hers as well. In a split second, the “Mikeyy” worm -- dreamed up over Easter weekend by a bored 17-year-old, according to news reports -- began forwarding the same stream of strange messages to all of Bhide’s Twitter followers.
All this happened only days before Bhide’s new cookbook was out in bookstores. And in preparation, she’d linked her Twitter updates to automatically appear on her Facebook page, which was quickly filling up with worm-infested junk. “It was a little unnerving,” she says.
Welcome to the wonderful world of Twitter, the microblogging platform that’s attracting new users by the millions -- Oprah and Barbara Walters are some of its fans. As more people discover Twitter, the viruses, phishing attacks, spam and other scams that have been the bane of larger social networks such as Facebook and MySpace have followed.
Thankfully, the Mikeyy worm wasn’t especially dangerous or damaging. But other Twitter hackers have attempted to con people out of their phone numbers, passwords and other personal information. As the network gets bigger, online security experts encourage Twitter users to be more cautious.
“Nothing catastrophic has gone through Twitter yet, because the community isn’t as big as Facebook or LinkedIn -- but it’s growing incredibly fast,” says Andy Hayter, an antimalware program manager at ICSA Labs, a Mechanicsburg, Pa., security industry testing and certification organization. “This was a wake-up call to Twitter users that they are vulnerable.”
So, if you’re going to use Twitter, be aware that many of the same types of scams you need to protect yourself against on email, the Internet and social networks are being perpetrated on Twitter, too.
Twitter Scams
The first step is to educate yourself. Here are a few Twitter scams to watch out for:
- Worms: According to Twitter and security industry officials, the Mikeyy worm used a common website programming language called JavaScript to infiltrate and take over Twitter accounts. Other worms use known vulnerabilities in JavaScript to spread malware on PCs.
- Phishing attacks: According to Twitter, recent phishing attacks looked like a direct message (DM) or an email notice of a DM instructing someone to click on what appears to be a link back to the service. But in reality, the link went to a phishing site that asked for personal information like an account password. Phishers used the divulged passwords to take over people’s accounts.
- Spam: Scams hawking get-rich-quick schemes, multi-level marketing opportunities and other questionable businesses that flood email inboxes and blogs are all over Twitter. One of the latest: a phony Twitter account that tricks people into a Google scam by promising them the chance to win a new car.
Defending Yourself
Cybercriminals rely on social engineering (which is a means of manipulating people into doing things they wouldn’t otherwise do) to con their victims. The best way to defend yourself on Twitter is to interact only with people you know and trust, says Hayter. Of course, this advice is not likely to appeal to people who are keen on building up a big network of Twitter followers. So in that case, be careful about which links you click on. If something looks odd, leave it alone.
What else can you do? Here are some recommendations:
- Reboot an infected account. If your account gets the Mikeyy worm or one like it, remove it by closing any Twitter utilities you have running, disabling JavaScript on your browser, deleting any messages you didn’t create and then picking a new password. Or if Twitter has locked your account, ask the company to reset your password for you.
- Block JavaScript. All the major browsers allow you to block JavaScript. In most browsers, the controls are found in the Tools: Internet Options section. A Firefox add-on called NoScript gives you the ability to run JavaScript only on websites you approve.
- Keep operating systems patched and use antivirus and antimalware programs. Download operating system patches or service packs on a regular basis to make sure you’re protected from the latest worms and phishing attacks, says Hayter. The same goes for antivirus and antimalware programs: Those defenses won’t work against threats like the Mikeyy worm if you don’t keep them updated, he says.
- Report problems. Use an account that Twitter set up called @spam to report spam and other suspicious activity on the service.
- Stay informed of new attacks. Twitter runs a Status page to inform users of system problems like worms or phishing attacks. Consult it if you run across something that looks suspicious.
After Bhide’s Twitter account was infected, she immediately posted a note about the problem on Facebook, where another friend saw it and pointed her to step-by-step instructions to get rid of the bug. Bhide says the experience won’t keep her off Twitter, but it has made her more cautious. “Worms and viruses are part of our world now, so I think I should do a little more to protect myself,” she says.