19 February 2015

Twitter, like any other messaging or social media service, can be attractive to scammers. With millions of active users it provides opportunities to reach out and target victims.

Since it was created in 2006, Twitter has evolved significantly to improve its safety and privacy for users. Nevertheless, there are still many different ways criminals can operate on Twitter. They can target your Twitter account specifically, other online accounts or information, your finances, or the device you use to access the internet.

Phishing

Just like email and SMS, Twitter-based phishing messages attempt to fool you into taking an action that benefits the scammer.

If you use Twitter you have probably seen Tweets (Twitter messages) encouraging you to click a link or respond to a message: perhaps to win a prize, perhaps to confirm your account details, perhaps to read a sensational news article. There is an endless range of pretexts.

A common example of Twitter-based phishing is a Tweet containing a link which, when clicked, takes you to what appears to be Twitter's official sign-in page but is in fact a fake page created by the scammers to collect your username and password.

If a scammer gains access to your Twitter account in this way, the account can be used to send further scam messages to your followers. Because the messages come from a genuine, established account, they bypass many of Twitter's protection mechanisms and are more likely to be trusted by the people who receive them.

Phishing messages will often mimic official organisations and target your accounts for those services.

Spreading malware

Twitter accounts that have been compromised, for example through phishing, can also be used to distribute links to malware.

Links in any message or Tweet should be treated with caution. You should evaluate each message and link before you click; however, the nature of Tweets can make this challenging.

Link shortening can make it difficult to know where a link in Twitter will take you. A Tweet must be 140 characters or less, which is a problem for long URLs. Twitter addresses this with link shortening: every link posted in a Tweet is automatically replaced by a short redirecting link. Shortened links in Twitter (in some views) begin with http://t.co, which hides the actual destination URL until you click.

Twitter does automatically inspect the destination of t.co links to see if it is known to be malicious, but this may not catch every malicious link. It also cannot see past a second shortener: if the link behind the t.co address was itself shortened with another service (such as bit.ly), Twitter inspects only that shortened address, not the site it finally leads to.
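The safest way to handle a shortened link is to expand it yourself, one redirect at a time, and look at the final hostname before deciding whether to visit it. The following is an added example, not code from Stay Smart Online or from Twitter. It is written in Python and, so that it runs offline, replaces live HTTP requests with a constructed table of redirects; the hostnames in that table (including the look-alike sign-in page) are placeholders invented for the example, not real sites. The checks it performs are the ones this alert recommends: walk the whole chain rather than trusting the first hop, flag a second shortener hidden behind t.co, and compare the registered domain of the final page with the site it claims to be.

```python
"""
Expand a shortened link hop by hop and report where it really leads.

Added example (not Stay Smart Online or Twitter code). REDIRECTS is a
constructed stand-in for the Location headers a series of HTTP 301/302
responses would return; every hostname in it is a placeholder.
"""
from urllib.parse import urlparse

# Constructed redirect table. "t.co/abc123" wraps an already-shortened
# bit.ly link, which in turn points at a look-alike sign-in page.
# "t.co/loop1" and "t.co/loop2" form a redirect loop.
REDIRECTS = {
    "http://t.co/abc123": "http://bit.ly/xyz",
    "http://bit.ly/xyz": "http://twitter.com.login-example.net/signin",
    "http://t.co/loop1": "http://t.co/loop2",
    "http://t.co/loop2": "http://t.co/loop1",
    "https://t.co/good": "https://twitter.com/settings/applications",
}

# Hostnames of common link-shortening services (assumed list for the example).
SHORTENERS = {"t.co", "bit.ly", "goo.gl", "ow.ly", "tinyurl.com"}


def lookup_redirect(url):
    """Stand-in for a HEAD request with redirects disabled: returns the
    Location header for url, or None when url is a final page."""
    return REDIRECTS.get(url)


def expand(url, fetch=lookup_redirect, max_hops=10):
    """Follow the redirect chain and return (final_url, chain).
    chain lists every URL visited, starting with url and ending with the
    final page. Raises ValueError on a loop or an over-long chain."""
    chain = []
    current = url
    while True:
        if current in chain:
            raise ValueError(f"redirect loop via {current}")
        chain.append(current)
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        nxt = fetch(current)
        if nxt is None:
            return current, chain
        current = nxt


def registered_domain(host):
    """Last two labels of a hostname. Crude, but enough to separate
    twitter.com from twitter.com.login-example.net."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def assess(url, expected_domain="twitter.com", fetch=lookup_redirect):
    """Expand url and describe the destination and anything suspicious."""
    warnings = []
    try:
        final, chain = expand(url, fetch)
    except ValueError as err:
        return {"final": None, "hops": 0, "domain": None,
                "genuine": False, "warnings": [str(err)]}

    hosts = [urlparse(u).hostname or "" for u in chain]
    # A second shortener after the first hop hides the real destination.
    nested = [h for h in hosts[1:] if h in SHORTENERS]
    if nested:
        warnings.append("second shortener hides the destination: "
                        + ", ".join(nested))

    final_host = hosts[-1]
    final_domain = registered_domain(final_host)
    # "twitter.com" appearing inside a longer hostname is a classic look-alike.
    if expected_domain in final_host and final_domain != expected_domain:
        warnings.append(f"look-alike host: '{final_host}' is really under "
                        f"{final_domain}")
    if urlparse(final).scheme != "https":
        warnings.append("destination is not served over HTTPS")

    return {"final": final, "hops": len(chain) - 1, "domain": final_domain,
            "genuine": final_domain == expected_domain, "warnings": warnings}


if __name__ == "__main__":
    for link in ("https://t.co/good", "http://t.co/abc123", "http://t.co/loop1"):
        print(link, "->", assess(link))
```

Against a live network you would replace `lookup_redirect` with a request that does not follow redirects automatically, for example `requests.head(url, allow_redirects=False).headers.get("Location")`, so that each hop is visible and the loop and hop-count checks still apply. Note that expanding a link still makes a request to each hop; do this from a machine you are happy to expose, and never enter credentials on the final page unless its registered domain is the one you expect.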

Third party apps

There are many apps available for download that interact with Twitter. You must authorise each app before it can access your account and act on your behalf. Most are useful, legitimate tools; however, some apps ask for more account permissions than they need, or post advertising to your timeline without asking, which is a breach of The Twitter Rules. For example, some 'free follower' apps claim they can gain you more followers, but these apps may be harmful.

Staying safe

While using Twitter remember:

  • Be careful clicking shortened links, particularly those that use shortening services other than Twitter's built-in t.co service. Understand that the destination may not be what you expected.
  • Evaluate the message, its context and its sender as part of your decision to click. If a message is 'out of character' for a sender, treat it with suspicion.
  • There are plug-ins available for most internet browsers that can display the original URL before you click.
  • Be cautious about messages from anyone you do not know or trust.
  • Never give out your account username or password. Reputable organisations, including Twitter, will not request your personal information via a Tweet.
  • If you click a link, always check which website you are on before you interact with it, provide any information or download software.
  • Review the third-party applications that have access to your Twitter account, and revoke any you do not recognise or no longer use.
  • Use a strong account password and enable two-step login verification.
  • Check your account security and privacy settings.
  • Make sure that your software and systems are up to date, and that you have automatic updates enabled.

More information

How to set automatic updates on your computer.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Connect with Stay Smart Online
Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au

© 2013 Australian Government. All rights reserved