The recent Twitter phishing scam had non-Twitter users scratching their heads over why this service would be targeted for phishing at all. Most people see little or no monetary value in a Twitter account, and for most people that may actually be true. For people like Scoble, or companies that promote themselves over Twitter, the brand damage caused by a hijacked account could be quite costly.

One of my friends on Twitter had a reply about this issue (I'm assuming the other person didn't realize the long-tail potential impact (yes, I used the term long tail; get over it)). What I saw was this:

@jeremyasmus could be any number of reasons, spread malware, spam, get passwords, us humans tend to use the same password over and over.

This is the crux of the issue, isn't it? The problem isn't the average user with nine friends directly; it's the large power users, and the passwords reused for other services. Let's look at each of these.

Let's say you are Scoble and your account gets hijacked. Scoble has a level of trust he built himself: he is known to get the inside scoop on information, and people click his links. Scoble has over 47,000 followers. If his account were hijacked and ten percent clicked a link that was really a malware installer, that would be 4,700 people infected within a matter of minutes. I think the click rate among Scoble's followers would actually be much higher, probably in the 50–60% range. For malware distribution this is a great return for the time frame, with the added benefit that you may pick up some other high-profile names in the attack.

The cost to deploy such an attack is extremely low, under ten dollars, while the net return would be a few thousand, potentially more. Since there is little risk of getting caught if you know what you are doing, you could make some decent money by exploiting this chain of trust, which exists and is protected by a mere password.

Let's look at the other side of this coin, the normal user. Adam Baldwin hit the nail on the head when he stated "us humans tend to use the same password over and over". I know I do, though different levels of things have different passwords: my banking account does not use the same username/password combination as my Twitter account (neener/neener). It is, however, shared with some other web 2.0 services. Other people may not be so diligent. This once again is a chain of trust issue. When you type your password into a site, you are trusting that the site really is who it claims to be; once your password is in the wild it's exposed, and every account that shares it is open to attack.

Let's look at the information an attacker can get from you if they have your Twitter password:


User Name: by itself it exposes only a little about your account, and so does the password on its own; the problem lies in having both bits of information. That part should be blatantly obvious. The bigger issue is that most of us use the same username or "handle" across many sites on the web. Doing a Google search for "Creeva" yields over 46,000 hits. A lot of these hits are different services that I play with, and over 90% of them link back directly to me in some fashion. Since most sites use your username as your login name, if I used the same password on every single one of these services, all of them would be exposed if I fell for the Twitter phishing scam.

E-Mail Address: though it may be only a small amount these days, your e-mail address is still worth a fraction of a penny to a spammer. This would get you on more mailing lists, and ones that would be quite hard to get off of. It is also normally used as the login name for services that do not use your handle, so more accounts have now been exposed. If your e-mail account password is the same as your Twitter password (dumb mistake), everything about your online life, accounts, and transactions can now be exposed and used against you. Would you notice a Gmail filter that someone set up to forward a copy of every incoming e-mail?

The other issue is that even if your accounts do not show up in a Google search, an attacker could use a people-search service such as Spokeo to find accounts you may have forgotten about.


Mobile Phone Number: this would probably be one of the most annoying things, having your phone number exposed to the internet underground. Phone spam, call-back charges; there are a few things they can do with this number. I do think this is a small annoyance compared to losing your e-mail account.

Being a good security professional, my recommendation is to use strong passwords that are unique to each service and rotated regularly. I am also a realist and know that you won't. This may be the time to start doing segmentation, where different accounts get different levels of passwords. This is what I do, so if my Twitter account were compromised, only the services I consider on par with Twitter security-wise would be at risk. Lower-level accounts would be safe and higher-level accounts would be safe. I also think that with the range of accounts, knowing which ones share a password, I could move faster than the phishers, changing what needs changing before they could try all 46,000 sites. It's a thought; now what are yours?
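A way to make that segmentation idea concrete: the script below is an added example, not code from the original post. It assumes a password-manager export with `service,tier,password` columns (the vault embedded here is constructed for illustration, and the tier numbers are my own convention) and reports which passwords cross tiers and, for a given phished account, which other accounts share its password, highest-value tier first so the list doubles as the change-it-now order.

```python
"""Blast-radius check for password reuse across tiered accounts.

Added example (not part of the original post). Assumes a password-manager
export with columns service,tier,password. Passwords are reduced to a
digest before comparison so the vault text never has to be kept around
once loaded; the digest is used only for equality, not for storage.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (hypothetical services and passwords).
# Tier convention assumed here: 1 = banking, 2 = e-mail, 3 = web 2.0
# services on par with Twitter. Lower number = higher value.
VAULT_CSV = """service,tier,password
bank,1,correct-horse-battery-staple
gmail,2,hunter2-but-longer
twitter,3,birdsong2009
friendfeed,3,birdsong2009
flickr,3,birdsong2009
spokeo,3,hunter2-but-longer
"""


def load_vault(text):
    """Parse the export; keep only a digest of each password for comparison."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        rows.append({"service": row["service"].strip(),
                     "tier": int(row["tier"]),
                     "digest": digest})
    return rows


def reuse_groups(rows):
    """Group accounts by password digest; return only the groups with reuse."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["digest"]].append(r)
    return [g for g in groups.values() if len(g) > 1]


def cross_tier_reuse(rows):
    """Service lists where one password spans more than one tier.

    This is the case the post warns about: a phished low-tier account
    handing over the password to a higher-tier one.
    """
    findings = []
    for g in reuse_groups(rows):
        if len({r["tier"] for r in g}) > 1:
            findings.append(sorted(r["service"] for r in g))
    return sorted(findings)


def blast_radius(rows, compromised):
    """Other services an attacker can log into with the phished password.

    Ordered by tier (highest value first), then name, so it reads as the
    order in which to change passwords.
    """
    by_service = {r["service"]: r for r in rows}
    victim = by_service[compromised]
    shared = [r for r in rows
              if r["digest"] == victim["digest"] and r["service"] != compromised]
    return [r["service"] for r in sorted(shared, key=lambda r: (r["tier"], r["service"]))]


if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    print("cross-tier reuse:", cross_tier_reuse(vault))
    for svc in ("twitter", "spokeo", "bank"):
        print(f"if {svc} is phished, change next:", blast_radius(vault, svc))
```

With the constructed vault, the Twitter password is shared only within tier 3, so a phished Twitter account costs two more tier-3 logins and nothing above them; the Spokeo password, by contrast, is shared with e-mail, which is exactly the cross-tier reuse the tiering is meant to prevent.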
