Twitter Phishing Scam: Blame Browsers and Users
With banks, newspapers, and politicians in Britain overrun by a blatant Twitter phishing scam, it's time to point some fingers. Most disappointing are browsers and users, both of which failed to recognize an obvious ruse.
Specifically, I'm calling out Firefox and old browsers. After receiving a malicious "This you????" link from a follower, I tried it with all the browsers at my disposal, including Firefox 3, Google Chrome, Internet Explorer 8 and mobile Safari for the iPhone. Firefox was the only one that didn't throw up a warning page when I tried to visit the link.
In fairness, Firefox is usually better than this. A report by NSS Labs last year found that Firefox 3 and Internet Explorer 8 blocked 80 percent and 83 percent of phishing sites, respectively -- far superior to the competition. But what good are those numbers if you don't block the big one? It's like batting with the highest average during the regular season and choking in the playoffs.
I imagine that older versions of browsers fell prey to the attacks as well, but I couldn't test those out. After all, Internet Explorer 7 was the first version to ship a phishing filter (Internet Explorer 8 expanded it into the SmartScreen Filter), so anything older would not have warned users at all.
It's also hard to believe that so many Twitter users fell for the phishing scam. This one had all the telltale signs: a shortened URL, a destination hosted on a different domain (kevanshome.org), and a login page that doesn't quite follow Twitter's layout but reuses all the same graphics. And if you're already signed in to Twitter, there's no reason you'd need to sign in again.
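The checks in that paragraph can be automated. The script below is an added example, not code from the original post: it follows a shortened link through its redirects, compares the final host against the site the page claims to be, and flags a login path served from a foreign domain. It runs offline against a constructed redirect table; the bit.ly and t.co paths, and the lookalike host, are invented for illustration, and only kevanshome.org comes from the article. It also goes one step beyond the text by rejecting lookalike hosts such as `twitter.com.example.org`, which a naive substring match would accept.

```python
from urllib.parse import urlparse

# The site the phishing page impersonates.
EXPECTED_HOST = "twitter.com"

# Constructed redirect table standing in for real HTTP HEAD requests.
# The shortener paths and the lookalike host are invented for the example;
# kevanshome.org is the phishing domain named in the article.
REDIRECTS = {
    "http://bit.ly/abc123": "http://kevanshome.org/twitter/login.php",
    "http://t.co/xyz": "https://twitter.com/login",
    "http://bit.ly/look": "http://twitter.com.example.org/login",
}


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect chain and return every URL visited, in order.

    Stops on a loop or after max_hops so a malicious shortener cannot
    keep the checker bouncing forever.
    """
    hops = [url]
    while url in redirects and len(hops) <= max_hops:
        url = redirects[url]
        if url in hops:  # redirect loop
            break
        hops.append(url)
    return hops


def host_matches(host, expected):
    """True only if host is exactly expected or a real subdomain of it.

    'twitter.com.example.org' fails because the registrable domain is
    example.org, even though the string starts with 'twitter.com'.
    """
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess(url):
    """Return (final_url, list_of_indicators) for a link someone sent you."""
    hops = resolve(url)
    final = urlparse(hops[-1])
    host = final.hostname or ""
    indicators = []
    if len(hops) > 1:
        indicators.append("shortened URL: redirects to %s" % hops[-1])
    if not host_matches(host, EXPECTED_HOST):
        indicators.append("final host %r is not %s" % (host, EXPECTED_HOST))
        if "login" in final.path.lower():
            indicators.append("login page served from a foreign domain")
    return hops[-1], indicators


if __name__ == "__main__":
    for link in REDIRECTS:
        final_url, found = assess(link)
        verdict = "SUSPICIOUS" if len(found) > 1 else "looks legitimate"
        print("%s -> %s: %s" % (link, final_url, verdict))
        for line in found:
            print("    -", line)
```

A shortened link that lands on the real site still produces one indicator (the redirect itself), which is the right behaviour: the shortener hides the destination, so the user has to look. The two extra indicators, a foreign host and a login form on it, are what separate the kevanshome.org page from a genuine Twitter login.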
As with any phishing attack on a social network, Twitter shoulders some of the blame for letting it go on too long, but I understand that Web services get attacked constantly, and the major ones aren't immune. In the end it comes down to having a browser that's got your back, and some computer smarts when all else fails. Apparently some high-profile people across the pond had neither.