Twitter Phishing Scams and Password Strength

Spotted this in my Inbox yesterday. I was heading out the door and checking mail on my iPhone, and had to do a quick double take.

This was a phishing email – a message from someone who was pretending to be Twitter, just so they could try to get my login information there.

The email itself looks a lot like an official message from Twitter. The only thing that tipped me off was the email account this was sent to. I have a specific email I use when I sign up for stuff (online purchases, logins to sites), and I keep it separate from my personal account.

I have a catch-all set up for my email, so that I’ll typically receive any message that comes in to this domain. But if the username on the email doesn’t match anything I currently use, it’s pretty much a guarantee that it’s junk.
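The recipient-alias check described above can be automated. The following is an added illustration, not code from the original post: it assumes a hypothetical catch-all domain (`example.com`), a set of aliases that were actually handed out to sites, and a few constructed `To:` headers. Anything sent to an alias that was never used is flagged as likely junk before the body is even read.

```python
"""Flag inbound mail whose recipient alias is not one that was ever handed out.

Added illustration of the catch-all heuristic from the post. The domain,
alias set and sample headers below are constructed, not the author's setup.
"""
from email.utils import getaddresses

# Hypothetical catch-all domain and the aliases deliberately given to sites.
CATCHALL_DOMAIN = "example.com"
KNOWN_ALIASES = {"signups", "purchases", "personal"}

# Constructed sample To: headers, as they might arrive at the catch-all.
SAMPLE_HEADERS = [
    "Signups <signups@example.com>",      # alias really used for site logins
    "twitter-support@example.com",        # alias never handed out: junk
    "Me <me@elsewhere.org>",              # not our catch-all domain at all
]


def recipient_local_parts(to_header: str, domain: str = CATCHALL_DOMAIN) -> list[str]:
    """Return the lower-cased local parts of every To: address in our domain."""
    parts = []
    for _display_name, addr in getaddresses([to_header]):
        if "@" not in addr:
            continue
        local, _, addr_domain = addr.rpartition("@")
        if addr_domain.lower() == domain.lower():
            parts.append(local.lower())
    return parts


def classify(to_header: str, known: set[str] = KNOWN_ALIASES) -> str:
    """Classify a To: header as 'known-alias', 'unknown-alias' or 'other-domain'."""
    local_parts = recipient_local_parts(to_header)
    if not local_parts:
        return "other-domain"
    if any(lp in known for lp in local_parts):
        return "known-alias"
    # Mail to a catch-all address nobody ever registered with is almost
    # certainly bulk spam or phishing, whatever the sender claims to be.
    return "unknown-alias"


def classify_all(headers: list[str] = SAMPLE_HEADERS) -> dict[str, str]:
    """Map each sample header to its classification."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in classify_all().items():
        print(f"{verdict:14} {header}")
```

The heuristic only works when each alias is used in exactly one place, which is what makes the mismatch in the post such a strong signal; a shared alias would not tell you which site leaked or sold it.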

Some interesting questions: How did they know I have a Twitter account? They probably don’t. Like spam, this email was likely part of a large blanket of emails that went to a ton of people. Phishing emails rely on tonnage, and even if only a handful of people fall for it… it counts as a win, because sending out these kinds of attempts costs next to nothing.

Also: Why would they want to get my Twitter information? Here are a few reasons, from a post entitled How I’d Hack Your Weak Password:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.

It’s an interesting read. I like how password length is a huge factor (as is using all characters, as opposed to just lowercase).
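To put numbers on why length matters so much, here is an added worked example (not from the original post or the linked article). It computes the size of the search space and the equivalent bits of entropy for a password of a given length and character set, and detects which character classes a sample password actually uses. The sample passwords are constructed for illustration.

```python
"""Search-space size and entropy for passwords of different length and alphabet.

Added example illustrating the post's point that length matters more than
character variety. Sample passwords are constructed; nothing here guesses.
"""
import math
import string

# Alphabet sizes for the character classes a password may draw from.
LOWER, UPPER, DIGITS, PUNCT = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation
)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, PUNCT):
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def password_bits(password: str) -> float:
    """Upper bound on the entropy of a given password, assuming random choice."""
    return entropy_bits(len(password), alphabet_size(password))


def compare(lengths=(8, 12, 16), alphabets=(26, 52, 62, 94)) -> dict[tuple[int, int], float]:
    """Entropy table keyed by (length, alphabet size)."""
    return {(n, a): entropy_bits(n, a) for n in lengths for a in alphabets}


if __name__ == "__main__":
    print(f"{'len':>4} {'alpha':>6} {'keyspace':>22} {'bits':>6}")
    for (n, a), bits in compare().items():
        print(f"{n:>4} {a:>6} {keyspace(n, a):>22,} {bits:>6.1f}")
    # Constructed samples: a long all-lowercase passphrase beats a short mixed one.
    for pw in ("correcthorsebattery", "Passw0rd!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, ~{password_bits(pw):.1f} bits")
```

The table shows the post's observation directly: twelve lowercase letters (about 56 bits) already beat eight characters drawn from all 94 printable ASCII characters (about 52 bits), and every extra character multiplies the search space by the alphabet size rather than adding to it. The figures are upper bounds for randomly chosen passwords; a dictionary word or a predictable pattern is far weaker than its length suggests.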

Anyone out there using 1Password? Or something like Yojimbo?

The password of 1,112 MeFiers is “123456”
Microsoft Password Strength Checker
