CNN has a story today about recent phishing attacks aimed at Twitter. One former Fauxlowers member whose Twitter account appears to have been compromised (Twitter shut her down temporarily) tweeted claiming Fauxlowers was to blame. I’m not going to complain, criticize or name names — when you get hacked, it’s not always clear who did it. We’ve communicated and I think she’s at least giving me the benefit of the doubt.
So, what’s phishing, how do you avoid it, and how can you tell if you’ve been phished?
On January 3, Biz Stone posted about that on the Twitter blog. He quotes a longer definition of phishing from Wikipedia, but I’ll just say it’s an attempt to trick you into giving your password to a third party who’s posing as (in this case) Twitter.
How do you avoid it? The #1 way (there are others) is by checking the address bar of your web browser before entering your password. If it doesn’t start off with “http://twitter.com/”, don’t enter your password. The example on the Twitter blog showed the site “http://twitter.access-logins.com/” — that’s one “.access-logins” too many before the “.com” — it’s not the Twitter website.
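The address-bar rule above works because the part that matters is the host name, not whether the string happens to contain “twitter”. The example below is an added illustration (not code from this site or from Twitter) that generalizes the rule: it parses the URL and accepts only a host that is exactly twitter.com or a subdomain of it. The sample URLs are constructed for the example; only “twitter.access-logins.com” comes from the Twitter blog post quoted above.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: the real site's host. Subdomains of it are
# also accepted; anything else, however much it resembles the name, is rejected.
LEGITIMATE_HOSTS = {"twitter.com"}


def is_legitimate_login_page(url: str) -> bool:
    """Return True only if the URL's host is twitter.com or a subdomain of it.

    The check compares the parsed host name rather than the leading characters
    of the URL string, so look-alike hosts that merely contain 'twitter' fail.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. bad IPv6 brackets)
        return False
    host = parts.hostname  # lower-cased; userinfo ("user@") and port are stripped
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS)


# Constructed sample URLs: the shape from the Twitter blog example plus other
# common look-alike patterns, with the verdict the check should give for each.
SAMPLES = {
    "http://twitter.com/login": True,
    "http://twitter.com:80/login": True,
    "http://TWITTER.COM/": True,
    "http://twitter.access-logins.com/": False,  # extra label before .com
    "http://twitter.com.example.net/": False,    # 'twitter.com' is a subdomain of another host
    "http://twitter.com@example.net/": False,    # 'twitter.com' is userinfo; host is example.net
    "http://example.net/twitter.com/": False,    # 'twitter.com' only appears in the path
}


def check_all() -> dict:
    """Run the check over every sample and return {url: verdict}."""
    return {url: is_legitimate_login_page(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(("OK   " if verdict else "STOP ") + url)
```

Note the third and fourth rejected cases: a naive prefix test without the trailing slash (“starts with http://twitter.com”) would pass both of them, which is why the slash in the rule above matters and why comparing the parsed host is safer than comparing text.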
Finally, how can you tell if you’ve been phished? Well, you can’t always tell whether you’ve been phished or whether someone got access to your account some other way, but it doesn’t necessarily make any difference. In any case, if changes are made to your account settings that you didn’t make, or if tweets or DMs are sent from your account that you didn’t send, your account may have been compromised.
“May have been”? Yeah, there’s another possibility. You may have authorized a third party app to access your account. When signing up for a third party app, be sure to check what it’s going to do with your account. Some apps send tweets and DMs from your account, and as long as they’re clear about exactly what they’re going to do in advance, they may be legitimate.
Here’s what to look at: if tweets or DMs are showing up that you didn’t send, go to your Twitter profile or DM page and look at the messages in question. Underneath the message, you’ll see something like “2 hours ago from Seesmic”, “45 minutes ago from web”, etc. If it says “from web”, that means that someone or some service that knows your password logged into Twitter as you and posted the tweet or DM from the Twitter website. If you haven’t intentionally given anyone your password, you’ve been hacked and need to change your password.
If it says anything but “from web”, the message was posted by a service that has been authorized to access your account, but doesn’t have your password (or at least didn’t use it to post the message). This is called an “API” app. The nice thing about these apps is that you can tell immediately which app posted what. If you don’t like it, you can revoke its access and the messages will stop. (To do that, log into Twitter, click “Settings”, and then in the settings submenu, click “Connections”. You’ll see a list of apps that have access to your account, with a “revoke access” link for each.)
If you remember authorizing the app, you may be done. If not, the next question is how the app got access to your account. Either you authorized it and forgot, or somebody (possibly a phisher) has your password, and they logged in as you and authorized the app. In that case, you’ll want to change your password and then revoke access to any apps you don’t want authorized.
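The three paragraphs above are one decision procedure: read the “… ago from …” line under each message you didn’t send, and let the source decide the next step. The script below is an added example (not code from this site or from Twitter) that carries that procedure out over a constructed sample timeline; “Fauxlowers” is the app named on this page, while the tweets, the “SpamBlaster” app name and the `sent_by_me` flags are made up for the example.

```python
import re

# Constructed sample timeline: for each message, the line Twitter shows under it
# and whether the account owner recognises having sent it.
SAMPLE_TIMELINE = [
    {"text": "Lunch at the usual place", "source_line": "3 hours ago from web", "sent_by_me": True},
    {"text": "My fauxlower ratio is 0.12", "source_line": "2 hours ago from Fauxlowers", "sent_by_me": True},
    {"text": "Free gadget, click here", "source_line": "45 minutes ago from web", "sent_by_me": False},
    {"text": "Buy cheap stuff now", "source_line": "10 minutes ago from SpamBlaster", "sent_by_me": False},
]

SOURCE_RE = re.compile(r"\bfrom (.+)$")


def parse_source(source_line: str) -> str:
    """Extract the app name from a '<time> ago from <source>' line ('unknown' if absent)."""
    match = SOURCE_RE.search(source_line.strip())
    return match.group(1).strip() if match else "unknown"


def triage(timeline, apps_i_authorized):
    """Classify messages the owner did not send by what their source implies.

    - 'from web': someone with your password logged in as you -> change it.
    - an app you never authorized: someone (possibly with your password)
      authorized it -> change your password and revoke that app.
    - an app you did authorize: it may be doing what it said it would;
      review it and revoke if you don't want those messages.
    """
    result = {"change_password": False, "revoke": set(), "review": set()}
    for msg in timeline:
        if msg["sent_by_me"]:
            continue
        source = parse_source(msg["source_line"])
        if source == "web":
            result["change_password"] = True
        elif source in apps_i_authorized:
            result["review"].add(source)
        else:
            result["change_password"] = True
            result["revoke"].add(source)
    return result


if __name__ == "__main__":
    verdict = triage(SAMPLE_TIMELINE, apps_i_authorized={"Fauxlowers"})
    print("change password:", verdict["change_password"])
    print("revoke:", sorted(verdict["revoke"]))
    print("review:", sorted(verdict["review"]))
```

Run against the sample, the “from web” message you didn’t send already forces a password change on its own; the unrecognised app is flagged for revocation as well, and the authorized app that only posted what you expected is left alone.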
My point is that if an app is posting tweets and/or DMs from your account, that app may not be the one that compromised your account. It could be that someone else stole your password, authorized the app, and is abusing it to send messages to your followers.
One final point while I’m on the subject: I’ve seen some spammy tweets that seem to have been designed to look like they were sent by this site. Some are copies of a member’s stats tweet (the one that goes out once the first time we calculate your fauxlower ratio). One particular person has tweeted that tweet repeatedly over the past few days.
I don’t know whether they’re trying to make this site look bad, trying to drive people to their fauxlowers.com profile, or whether someone hacked their account and is tweeting the tweets. What I do know is that under each tweet, it says “from web”. Fauxlowers is an API app that never asks for your password. These tweets were not sent by this site.