Twitter is finally being proactive about the large number of phishing scams that have plagued the micro-blogging service in the past year. On Wednesday, Twitter introduced its own anti-phishing service designed to protect its users from these types of attacks. The new security measures will focus on Twitter direct messages (DMs) — private tweets addressed to a specific user — and corresponding e-mail notifications. Twitter believes DMs are the primary source of Twitter-based phishing attacks, and has not yet announced any plans to extend the new service to regular Twitter messages.
DMs will now be routed through Twitter’s anti-phishing service to “detect, intercept, and prevent the spread of bad links,” Del Harvey, director of Twitter’s trust and safety team, wrote in a recent blog post. After Twitter has approved a link, it will be delivered to users via a new ‘twit.tl’ URL instead of bit.ly, tinyURL or other link-shortening services. Twitter also claims that if a bad link gets through to a user via e-mail, the company would still “be able to keep that user safe.”
Phishing scams are often used to harvest log-in credentials for social networks and financial sites by encouraging users to log in to phony versions of legitimate Websites. These types of scams often entice users to click on a bogus link to check out a new video or log in to a particular service to verify some data. The fake Website can then either push some form of malware onto your computer or steal your log-in credentials to the legitimate site. Typically, phishing messages use URL shortening services to mask the phony site’s actual Web address, so the victim has no way to see where the link leads before clicking it.
Malicious activity like this has become a regular problem for social networking services and tools, and some are starting to be more proactive about dealing with the issue. Bit.ly checks all links created using its service against three independent malware blacklists to help fight phishing and malware scams. Bit.ly is Twitter’s default link-shortening service.
Another URL-shortening service, Tr.im, does not specify how or if it monitors for phishing attacks, as far as I could tell anyway, but it does have a spot on its Webpage where users can report suspicious or spammy tr.im links. TinyURL does not publicly state that it protects against abuse of its service, but it states at the bottom of its homepage that it forbids illicit uses of its services.
Facebook last month instituted an automated security system in partnership with security firm McAfee, after being targeted with its fair share of phishing scams. The new system is supposed to help detect user accounts that may have fallen prey to malicious activity; however, Facebook’s malware strategy may not be as effective as it could be, especially since it’s designed, at least in part, to sell McAfee security software to its users.
Google’s new social networking experiment Google Buzz is also reportedly proactive about phishing scams. Google recompresses images sent to Buzz and scans all links in Buzz against its blacklist of Websites, according to Webpronews. Google also reportedly has spam detection and abuse monitoring in place for Google Buzz comments.
The Problem with Lists
Of course, the downside of any Website blacklist is that it will never be large and agile enough to catch the newest scam sites: a phishing domain can be registered, used and abandoned before it is ever reported and listed. Since blacklists are the most common way modern Web browsers and security services protect users against malware, the best defense is still to trust one’s own instincts.
Be wary of oddly worded or unsolicited messages you receive through social networking sites, and make sure you don’t log in to a site based on a link you received via e-mail. More importantly, make sure the site you’re trying to log in to is the real thing by verifying you have the right URL in your browser’s address bar: the domain itself must be the real one, not a lookalike that merely contains the site’s name somewhere in the address. Facebook publishes a brief explanation of what its legitimate URLs look like. Automated protection against phishing scams and malware is a great help, but in the end it’s no substitute for common sense.
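The two habits the article recommends, finding out where a shortened link really goes and checking that the destination’s domain is the genuine one, can be automated. The following Python is an added example written for this page; it is not code from Twitter, Bit.ly or any service named above. It walks a link’s redirect chain one hop at a time (with a hop limit so a redirect loop cannot hang it) and then compares the final hostname against the expected domain, rejecting lookalikes such as `facebook.com.login-verify.example` and user-info tricks such as `http://facebook.com@evil.example`. All hostnames in it are constructed, and the redirect table stands in for live HTTP so the example runs offline.

```python
"""Added example (not from the original article): unshorten a link by
walking its redirect chain without fetching the page body, then verify
that the final hostname really belongs to the site the user expects."""
from urllib.parse import urlparse, urljoin

# Constructed redirect table standing in for live HTTP. Maps a URL to the
# Location header its server would return; None means "200, no redirect".
# Every host here is hypothetical.
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://tiny.example/x9",
    "http://tiny.example/x9": "http://facebook.com.login-verify.example/signin",
    "http://facebook.com.login-verify.example/signin": None,
    "http://short.example/good": "https://www.facebook.com/",
    "https://www.facebook.com/": None,
    "http://short.example/loop": "http://short.example/loop",
}


def fake_head(url):
    """Simulates an HTTP HEAD that does NOT follow redirects and returns the
    Location header (or None). For live use, swap in a real client call such
    as requests.head(url, allow_redirects=False).headers.get("Location")."""
    return FAKE_REDIRECTS.get(url)


def unshorten(url, head=fake_head, max_hops=10):
    """Follow redirects one hop at a time; return (final_url, chain).
    Bounded by max_hops and loop detection so a hostile chain cannot hang us."""
    chain = [url]
    for _ in range(max_hops):
        location = head(url)
        if location is None:
            return url, chain
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            raise ValueError(f"redirect loop at {url}")
        chain.append(url)
    raise ValueError(f"more than {max_hops} redirects")


def host_matches(url, expected_domain):
    """True only if the URL's parsed hostname is expected_domain itself or a
    subdomain of it. Because it compares the parsed hostname, both
    'facebook.com@evil.example' (userinfo trick) and
    'facebook.com.evil.example' (lookalike) are rejected."""
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_login_link(url, expected_domain, head=fake_head):
    """Resolve a (possibly shortened) link and report whether its final
    destination is the real site. Any resolution failure counts as unsafe."""
    try:
        final, chain = unshorten(url, head=head)
    except ValueError as exc:
        return {"final_url": None, "hops": None, "ok": False, "reason": str(exc)}
    ok = host_matches(final, expected_domain)
    reason = "" if ok else f"host {urlparse(final).hostname!r} is not {expected_domain}"
    return {"final_url": final, "hops": len(chain) - 1, "ok": ok, "reason": reason}


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/good",
                 "http://short.example/loop"):
        print(link, "->", check_login_link(link, "facebook.com"))
```

The point of resolving the chain with HEAD requests and no automatic redirect following is that the checker sees every hop, including the final landing host, without ever rendering the phishing page. Note that the hostname comparison is deliberately strict: a substring match on "facebook.com" would accept exactly the lookalike domains that phishing kits use.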