Hackers hijack Obama's, Britney's Twitter accounts
Send spurious tweets after gaining control through Twitter's support tools
Computerworld - Hackers hijacked the Twitter accounts of more than 30 celebrities and organizations, including President-elect Barack Obama, Britney Spears and Fox News, early on Monday, the company confirmed today.
"This morning we discovered 33 Twitter accounts had been 'hacked,' including prominent Twitter-ers like Rick Sanchez and Barack Obama," Twitter co-founder Biz Stone said in post to the company blog. "We immediately locked down the accounts and investigated the issue. Rick, Barack and others are now back in control of their accounts."
Earlier in the day, the hacked accounts had been used to send malicious messages, many of them offensive. CNN correspondent Rick Sanchez's account, for example, tweeted a message claiming that "i am high on crack right now might not be coming to work today," while Fox News' Twitter update reported "Breaking: Bill O Riley [sic] is gay," referring to the network's conservative talk show host.
According to Twitter, the accounts were hijacked using the company's own internal support tools. "These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck," Stone admitted. "We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure."
Today's admission was only the latest security problem for Twitter. On Saturday, identity thieves launched a phishing campaign on the microblogging service that tried to dupe users into divulging their account usernames and passwords.
On Sunday, criminals changed their tactics to use messages about Apple's iPhone as scam bait, a security expert said Monday. "A lot of users have fallen for the first scam," said Graham Cluley, a senior technology consultant at Sophos PLC, describing the Saturday tweets. "Now [the attackers] are changing their modus operandi."
Rather than tricking people into visiting a page spoofing Twitter's sign-on screen, the second wave of tweets was essentially spam, said Cluley. The iPhone-related tweets were messages such as "hey. i won an iphone! come see how here" or "Wanna win the new iPhone? It's so easy and cool, I love this thing!" along with links to sites that ask for, among other things, the user's cell phone number.
"They may be making money as part of an affiliate scheme," said Cluley, of the second-stage Twitter spam. The criminals may be reaping revenue from ads on the sites the tweets steer users to, or by convincing people to sign up for expensive text message plans.
Twitter, however, said that the hacks of prominent users were unconnected to the first phishing campaign or the follow-up spam.
"This is actually much more serious than these people and organizations falling for a simple phishing attack," said Cluley, who earlier Monday had said there might be a link between the two. "It appears that Twitter's systems were potentially exposing everybody's account to the danger of being taken over by hackers."
Nonetheless, both Cluley and Marian Merritt, an Internet safety advocate for rival security company Symantec Corp., applauded Twitter's fast response. "Twitter has been very upfront and ahead of the game on this," said Merritt.
Obama and tech
- Obama's national health records system will be costly, daunting
- Pat Thibodeau: Obama's CTO choice may usher in mashup era
- Microsoft, CNN team up to make historians out of inaugural attendees
- Obama plans to keep his BlackBerry
- Preston Gralla: Microsoft, Google execs donate $450,000 to Obama inauguration
- Silverlight tapped to stream Obama's inauguration
- FAQ: Why Obama may give up his BlackBerry
- 5 must-do cybersecurity steps for Obama
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts