Twitter Phishing Scams and Password Strength
Spotted this in my Inbox yesterday. I was heading out the door and checking mail on my iPhone, and had to do a quick double take.
The email itself looks a lot like an official message from Twitter. The only thing that tipped me off was the email account this was sent to. I have a specific email I use when I sign up for stuff (online purchases, logins to sites), and I keep it separate from my personal account.
I have a catch-all set up for my email, so that I’ll typically receive any message that comes in to this domain. But if the username on the email doesn’t match anything I currently use, it’s pretty much a guarantee that it’s junk.
Some interesting questions: How did they know I have a Twitter account? They probably don’t. Like spam, this email was likely part of a large blanket of emails that went to a ton of people. Phishing emails rely on tonnage, and even if a handful of people fall for it… it counts as a win, because the cost of sending out these kinds of attempts costs next to nothing.
Also: Why would they want to get my Twitter information? Here are a few reasons, from a post entitled How I’d Hack Your Weak Password:
- You probably use the same password for lots of stuff right?
- Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
- However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
- So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
It’s an interesting read. I like how password length is a huge factor (as is using all characters, as opposed to just lowercase).