
Twitter hacked: where did you go wrong?


Gadgets on the go

Adam Turner is an award-winning Australian freelance technology journalist with a passion for gadgets and the "digital lounge room".


Spammers have ramped up their attacks on Twitter. Photo: Erin Jonasson

Have weight loss spammers hacked your Twitter account? How did they get in?

We seem to be in the middle of another wave of Twitter hacking, with spammers worming their way into your account so they can bombard your followers with tweets about miracle weight loss tips. The problem has been around for years, but are spammers finding new ways to get past our defences?

A friend of mine, let's call her Jane, was hacked over the Easter long weekend. When her Twitter feed popped up with "I lost so much weight with this secret trick!" and a link, I knew all was not well. I sent her a text message straight away and she immediately changed her password. Thankfully she was only vulnerable for a few hours in the middle of the night.

Normally I wouldn't think much of something like this, but Jane works in IT and is one of my more paranoid and tech-savvy friends. She's not the kind of person to fall for the basic tricks spammers use to break into accounts, so I was surprised that she got hacked.

The most common way for spammers to break into any account is with a phishing scam designed to trick you into typing your password into a fake website. A subject line such as "You won't believe this photo I just saw of you" is enough to trick many people, especially if the message seems to come from a friend (when in fact the spammers already have control of your friend's account).

Spammers like to use topical issues, such as the disappearance of MH370, to craft messages which are too tempting to resist. They don't just come via email: these dodgy messages can arrive via Facebook, Skype and Twitter – even as Twitter DMs if your friends' accounts have been hacked.

Jane is, in her own words, "the queen of paranoia" when it comes to phishing attacks. I'd certainly trust her to spot something like this, especially as this attack wasn't a "spear phishing" attack targeted specifically at her. When hackers specifically want to break into your account, they're known to design very convincing tailor-made phishing emails which are disguised as an email you're expecting to receive.

Weight loss spammers aren't spear phishing, they use more generic messages in a shotgun approach because they don't really care who they catch. This makes these phishing attempts easier to spot, if you're paranoid about these things, and your spam filter should pluck out many of them.

The next likely culprit for Jane's hacking is a weak password, and here she might have fallen a bit short of the mark. She was using a complicated password with upper and lower-case characters and other symbols, but it was only eight characters long, which I'd say is a little short for a secure password these days.

It's possible, although unlikely, that hackers used a brute force attack to guess Jane's password. Login forms like Twitter's throttle repeated attempts, so guessing eight complex characters against the live site is impractical; the realistic danger of a short password is offline cracking of a password hash leaked from some other site, especially if the same password was reused there. I'd say a secure password should be at least 12 characters long and unique to each site, but some people prefer to go longer. Heartbleed offers a good chance to rethink your password strategy.
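As an added worked example (not part of the original article), here is the arithmetic behind that "possible but unlikely": the key space of an 8- versus 12-character password drawn from the 94 printable ASCII characters, and how long each takes to search at three assumed guess rates. The guess rates, the hash-class labels and the helper names are illustrative assumptions chosen for this example, not figures from the article.

```python
import math
import string

# Illustrative attacker guess rates (assumptions for this example, not figures
# from the article): a throttled online login form versus offline cracking of a
# leaked password hash.
GUESS_RATES_PER_SECOND = {
    "online, rate-limited login form": 10.0,
    "offline, leaked fast hash (unsalted MD5/SHA-1 class)": 1e10,
    "offline, leaked slow hash (bcrypt class)": 1e4,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover once it knows which character classes appear.

    Each class contributes its full size: an attacker who sees one digit must try
    all ten. Characters outside the four ASCII classes count as one extra symbol
    each, a deliberately conservative assumption.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = 0
    for cls in classes:
        if any(c in cls for c in password):
            size += len(cls)
    others = {c for c in password if not any(c in cls for cls in classes)}
    return size + len(others)


def bits_of_entropy(length: int, charset: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(charset)


def expected_seconds(length: int, charset: int, rate: float) -> float:
    """Mean time to hit a random password: half the key space at `rate` guesses/s."""
    return (charset ** length) / 2 / rate


def expected_years_table(lengths=(8, 12), charset=94):
    """Years to crack each length under each assumed attack scenario."""
    return {
        length: {
            scenario: expected_seconds(length, charset, rate) / SECONDS_PER_YEAR
            for scenario, rate in GUESS_RATES_PER_SECOND.items()
        }
        for length in lengths
    }


if __name__ == "__main__":
    for length, rows in expected_years_table().items():
        print(f"{length}-char password, {bits_of_entropy(length, 94):.1f} bits:")
        for scenario, years in rows.items():
            print(f"  {scenario:<55} {years:>14.2e} years")
```

Running it shows the asymmetry: eight complex characters survive a throttled online attack for millions of years but fall to an offline attack on a fast hash in a few days, while twelve characters hold up for hundreds of thousands of years even there. That is why the length advice only bites once a password hash has leaked from somewhere.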

Another attack vector for spammers is third-party services which are authorised to access your social media accounts. It's worth checking every now and then to see how many apps and services you've authorised to access your Twitter, Facebook and Gmail accounts. Culling this list back to the essentials reduces the chances of spammers finding a backdoor into your accounts. Revoke unwanted apps explicitly rather than relying on a password change, because a new password does not necessarily invalidate the access tokens already issued to those apps.

Jane is rather conservative when it comes to letting third-party apps and services access her Twitter account, restricting the list to the Twitter app on her phone and her Blogger account. She uses two-factor authentication on the Google account linked to her Blogger account but, after Heartbleed, it's hard to say whether that's enough to keep someone out.

Twitter's own two-factor authentication system offers an extra level of protection against hackers, although even with last year's overhaul it still doesn't work with third-party Twitter clients – an instant deal-breaker for many people.

The simplest answer is usually the right one – perhaps Jane did make a security blunder – but the scale of the latest Twitter spam attack suggests there's perhaps more at play than merely lax security.

Have you been hacked recently? How do you think they got in?


1 comment

  • I received an email from Twitter over the weekend, saying:

    "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account"

    I checked my feed and found one weight loss tweet; however, it disappeared within minutes.

    I then revoked a stack of sites' permissions on my Twitter feed and changed the password just in case.
    Seems to me it was a third-party site.

    Gregory, Melbourne, April 22, 2014, 1:34PM