Did Twitter set users up for future phishing attacks?

On the morning of the Twitter attack, I received this email:

[Image: the email Twitter sent to users on the morning of the attack]

On one hand, I appreciate that Twitter was up front with their users, but it also bothers me when companies make use of bad practices to solve a security problem.

What Twitter did wrong

The email encourages me to click on a link to fix the problem. Bad bad bad! They should simply have told me to visit twitter.com (unlinked) and instructed me to log in so that their system could direct me through the process of creating a new password. Yes, in most cases security poses some inconvenience. Users would prefer a direct link, just like we would all like to eat cookies for breakfast.

Because of the way Twitter did this, it will be much easier for a future phishing attack to succeed. This is because:

  • The bad guys are now armed with the exact template they can use in their phishing attack
  • Users will more readily accept this as Twitter's normal behavior whenever there is a security breach

Protect yourself from a phishing attack

Even with the best of intentions, companies will continue to use these bad solutions, which means you must use your own best practices to protect yourself. Here are some simple recommendations to avoid phishing attacks:

  • Be suspicious of any link in your email, and try to avoid clicking on links in emails
  • If you think the link is valid, it's best to copy and paste the link and examine it first before putting it in your browser.
    • Verify the domain is correct. If the link goes to twiiter.com (notice the two i's), be very, very suspicious!
  • Try just visiting the site directly to see if you can resolve the problem. This is what I did for the twitter incident and it worked perfectly.
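The "copy the link and examine the domain" step above is easy to get wrong by eye, because phishing links hide the real host in several ways: a lookalike registered name (twiiter.com), the brand as a subdomain of an unrelated site (twitter.com.evil.example), or the brand placed before an "@" so the browser connects somewhere else entirely. The following script is an added example, not code from the original post; it shows how to pull the real hostname out of a link and compare it against the domain you expect. The expected-domain set, the sample links and the "last two labels equal the registered domain" rule are all assumptions made for this example (a production check would consult the Public Suffix List).

```python
from typing import Set
from urllib.parse import urlparse

# Domains the reader legitimately expects (constructed for this example).
EXPECTED_DOMAINS: Set[str] = {"twitter.com"}


def registered_host(url: str) -> str:
    """Return the lowercase hostname the browser would actually connect to.

    Anything before '@' is userinfo, not the host, so a lure such as
    https://twitter.com@evil.example/ resolves to evil.example.
    """
    if "://" not in url:
        url = "http://" + url  # bare links such as twitter.com/login
    host = urlparse(url).hostname or ""
    return host.rstrip(".").lower()


def matches_expected(host: str, expected: Set[str]) -> bool:
    """True only if host is an expected domain or a subdomain of one.

    'twitter.com.evil.example' must NOT match: the registered domain is the
    rightmost labels, so the host has to end with '.twitter.com'.
    """
    return any(host == d or host.endswith("." + d) for d in expected)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag typo-squats such as twiiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected: Set[str] = EXPECTED_DOMAINS) -> str:
    """Classify a link as 'ok', 'lookalike' or 'unrelated' to the expected domains."""
    host = registered_host(url)
    if not host:
        return "unrelated"
    if matches_expected(host, expected):
        return "ok"
    # Assumption for this example: the registrable part is the last two labels.
    candidate = ".".join(host.split(".")[-2:])
    for d in expected:
        brand = d.split(".")[0]
        # Small edit distance (twiiter.com) or the brand name appearing anywhere
        # in an unrelated host (twitter.com.evil.example) both count as lookalikes.
        if edit_distance(candidate, d) <= 2 or brand in host:
            return "lookalike"
    return "unrelated"


def display_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names a different host than the real target."""
    shown = registered_host(display_text.strip())
    return bool(shown) and "." in shown and shown != registered_host(href)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a password-reset email.
    samples = [
        "https://twitter.com/login",
        "https://help.twitter.com/account",
        "https://twiiter.com/reset",
        "http://twitter.com.evil.example/reset",
        "https://twitter.com@evil.example/reset",
        "https://news.example.org/",
    ]
    for link in samples:
        print(f"{classify_link(link):10s} {link}")
    print("text/href mismatch:",
          display_mismatch("https://twitter.com/settings", "http://twiiter.com/reset"))
```

Anything other than "ok" is the cue to ignore the link and type the site's address into the browser yourself, which is exactly the third recommendation above. The `display_mismatch` check covers the common trick where the visible text of an HTML email link reads twitter.com while the underlying href points elsewhere.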

Additionally you should be using different complex passwords for each site (see our tips for creating secure passwords) and always approach your use of the internet with caution and the assumption that you are a target of the bad guys.

About Dan Kuykendall

Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team. Connect with Dan on Google+
