As usual, I feel we’re not being smart enough about the way that scammers improve their skills. We demand everything to be easier, and they just reap the winnings.
What they’re exploiting is the fact that we use a lot of different services (twitter, email, Facebook), and services within services (those which use those primary services as authorisation—in other words, borrowing the login name and password) to make things easier for us or to offer ancillary services (backing twitter, measuring the number of Facebook friends you have in Angola, etc etc).
All of this leaves us vulnerable, because we tend to get overwhelmed by the number and complexity of the services we subscribe to. Scammers exploit this.
I found this message in my inbox the other day:
The text reads:
Hello,
You have 2 unread message(s)
For more details, please follow the link below:
http://twitter.com/account/message/20111007/?userid=789837192The Twitter Team
Needless to say, the link itself goes elsewhere: http://lewit.fr/primitives.html which is, as far as I know, a phishing website (so don’t click on it.)
This scam isn’t new; this website talks about it last year—though they seem to have improved the spelling (it used to be ‘unreaded’).
This is clever, because while Twitter says we won’t send you messages like that, of course they do, all the time:
So it’s understandable why people might fall for this trick. (I don’t actually know what the trick is, but I assume that if you visit an infected website they’ll try to get as much malware on your computer as you can, so this is not (just) about grabbing your Twitter details.
What worries me is this: The usual defence against this, if Google or whoever is hosting your email hasn’t caught it, is to inspect the link under the link. In other words, to look at the actual link that the proffered link conceals. In the above case, the twitter.com/account etc link is really going to the lewit.fr page. But you’ll only know that if you mouse over the link and look at the status bar in the bottom of your browser, or paste the link somewhere else. If the link looks dodgy you know not to go there.
Or do you?
Take this email I received at more or less the same time:
It’s a request from backupify (an excellent backup service) for my twitter account.
The problem I have with it is this: The Backupify link in Step1 is actually this link:
http://mkto-l0091.com/track?type=click&enid=[etc] (I’ve removed the rest.)
How can I tell this is a legit email? Well it’s addressed to me, but spearphishing is pretty good these days. And chances are I’ve succumbed to backupify’s prodding to tweet to the world that I’m using their service, so an accomplished phisher need only harvest those twitter accounts which have mentioned backupify. Child’s play, in other words, to get into my account.
But the domain looks extremely dodgy. In fact a who is search reveals it belongs to a company called Marketo Inc which is basically an email marketing firm. So that suggests it is legi—or that their site has been infected. I have no way of knowing.
Now everyone uses these third party companies to handle bulk emails; that’s understood. But when you’re asking to ‘reauthorize’ an account this effectively means you’re handing over details of your account to a third party—a step that should be treated in the same way as reentering passwords or other sensitve account details. You shouldn’t be using a third party emailer for that.
I’m going to reach out to backupify and see what they say about this. It’s not the first time I’ve seen this, and I suspect it’s more widespread than one would like to think. For users, I think the lesson is clear: Don’t click on a link if you’re not sure. Go to the actual page of the service in question and check it out that way.
I got a similar e-mail from Backupify but regarding FaceBook. I respect(ed) Backupify so I clicked on the “logon” link which like yours was a redirect to mkto-l0091.com. I clicked on my browser’s Stop button as soon as I realized it was a redirect. I e-mailed Backupify’s support and they confirmed that they had sent the e-mail. They referred to a link in their blog (http://blog.backupify.com/2012/01/22/backing-up-facebook-on-backupify-you-need-to-re-authorize/) which (surprise, surprise) didn’t have the redirect.
This gives me doubt about the integrity of Backupify.
Ben, I got something similar from Backupify recently too and had the same thoughts. I think it’s more sloppiness on their part than anything else, but it certainly leaves folk vulnerable.