5 more dirty tricks: Social engineers' latest pick-up lines

Today's social engineers are getting very specific in their plans to manipulate their marks

"@Twitterguy, what do you think about what Obama said on #cybersecurity? http://shar.es/HNGAt"

Social engineers are taking the time to observe what people tweet about and using that information to launch attacks that seem more believable. One way this is happening is through popular hashtags, according to security firm Sophos. In fact, earlier this month, the U.K. debut of the new season of 'Glee' prompted social engineers to hijack the hashtag #gleeonsky for several hours. British Sky Broadcasting paid to use the hashtag to promote the new season, but spammers got hold of it quickly and began embedding malicious links in tweets carrying the popular term.


"Of course, the spammers can choose to redirect you to any webpage they like once you have clicked on the link," said Graham Cluley, a senior technology consultant at Sophos, on the company's Naked Security blog. "It could be a phishing site designed to steal your Twitter credentials, it could be a fake pharmacy, it could be a porn site or it could be a website harboring malware."

Twitter mentions are another way to get someone's attention. If the social engineer knows enough about what you're interested in, all they have to do is tweet your handle and add some information that makes the tweet seem legitimate. Say you're a political wonk who has been tweeting quite a bit about the GOP primary race lately. A tweet that mentions you and points you to a link asking what you think about Mitt Romney's latest debate statements can appear perfectly legitimate.

"I would expect we will see even more attacks like this in social media because of the way people click through these links," said Hadnagy.

"Get more Twitter followers!"

Sophos has also warned of services claiming to get Twitter users more followers. According to Cluley, you'll see tweets all over Twitter that say something like: "GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME - [LINK]"

Clicking on the link takes the user to a web service that promises to get them many more new followers.

Cluley himself created a test account to try one out and see what would happen.

"The pages ask you to enter your Twitter username and password," reported Cluley in a blog post on the experiment. "That should instantly have you running for the hills - why should a third-party webpage require your Twitter credentials? What are the owners of these webpages planning to do with your username and password? Can they be trusted?"

Cluley also notes that the service, in the bottom right-hand corner of the page, admits that it is not endorsed by or affiliated with Twitter, and that in order to use the service you are required to grant an application access to your account. At that point, all assurances of security and ethical use are off, he said. Twitter itself warns about these services on its help center page.

"When you give out your username and password to another site or application, you are giving control of your account to someone else," the Twitter rules explain. "They may then post duplicated, spam, or malicious updates and links, send unwanted direct messages, aggressively follow, or violate other Twitter rules with your account. Some third-party applications have been implicated in spam behavior, fraud, the selling of usernames and passwords, and phishing. Please do not give your username and password out to any third-party application that you have not thoroughly researched."

This story, "5 more dirty tricks: Social engineers' latest pick-up lines" was originally published by CSO.

Copyright © 2011 IDG Communications, Inc.
