 
Beware of links sent via Twitter DMs: Twitter has quite a hacking problem

If you get links like the three in this screenshot sent to you over on Twitter DO NOT CLICK ON THEM. They will hack your account and send the same thing to everyone who follows you.

I get a few of these every day and I wish Twitter could make these things stop. In the meantime my policy is to never click on a link sent to me in Twitter's direct messaging feature.

How about you? Have you been hacked lately? I've never seen anything like this on Google+. Speaking of which, Twitter hasn't fixed this problem even though it's existed for many months. Makes me wonder why.
 
Fortunately, I am savvy to this by now but it's getting a little out of control. I DM the people back and tell them their account has been hacked and to change the p/w.
 
Rogue apps and DM malware are not policed by social media sites. Another attack vector is emails from trusted FB friends, supposedly, but the sender address is not your friend's email address.
 
Whenever I get these messages from people I know, I just reply to them strongly suggesting that they change their password.

While Twitter may put a band-aid on top of this, such phishing attacks are going to continue until we're able to educate the masses to recognize such attempts and avoid them. I'm able to distinguish between legitimate content and spam/phishing very easily, but other than tech geeks like us, not many people can do that.

As long as these links keep getting clicked, this crap will not stop.
 
It's amazing how DMs have been broken for so long in so many different ways.
 
+Robert Scoble While GMail's spam filter is crazy effective, occasionally one or two e-mails that very closely resemble legitimate e-mails (with spoofed From: headers and all) get the pass and enter my inbox, asking me to reply to them with my plaintext password. I can distinguish, but not many people can.

Again, yes, Twitter should (and must) stop this. It's just that if they patch this loophole, hackers will find another way around. It's a cat-and-mouse game.
 
It comes in spurts like malware... I also DM the people back and let them know to change their Twitter passwords ASAP... lately it has been the "what are you doing in this vid...." $#@%& clickjackers.
 
Is this a "hacking" problem, or a "people mindlessly clicking authorize or typing their Twitter credentials into third-party sites/apps" problem? One thing big services like Twitter and Facebook need to do is be perfectly clear about where you should enter your credentials: only ever on the official website or official app. Any third party sites/apps can get the permissions they need via OAuth. Right now Facebook provides a development kit for integrating "login with Facebook"-type features into your mobile app, which will pop up a screen in your app for the user to enter their Facebook credentials if single-sign-on fails. It really needs to launch the browser and perform the authorisation there, since that in-app Facebook login screen could easily be spoofed by a malicious app. The official Facebook development kit is essentially teaching users that typing their credentials into third-party apps is a normal, safe thing to do, negating the entire purpose of OAuth.
 
Educate your family, friends, fans, and followers on Social Engineering, Rogue Apps, Phishing, Smishing, Identity Theft, Secure Passwords, etc.
 
+Robert Scoble The Twitter DM spam really 'yanks my gourd' for want of a saying. Personally I don't see why the brainiacs at Twitter can't figure out how to stop it - even if they could let me set up a junk tweet filter like an e-mail rule that would get me part of the way down the road. I even get DM spam from people I'm not following - why can't they fix that while they're at it? TrueTwit validation is the only DM link I trust.

But until they fix it, the DM has no value for me - @mentions are more valuable.
 
I rarely look at my DMs and now I'll look even less.
 
It's not just fake accounts on Twitter. It's real people accounts that are hijacked for spam botnets.
 
You mean there's actually real people on Twitter? lol. They (Twitter) are at fault here. This has been going on for 3+ months now, and it's pathetic. One of the reasons I rarely use Twitter.
 
Twitter has no security. A hacker guessed my password, deleted all my tweets, followers and followees and Twitter says they can't get them back. I was able to restore my followers as the hacker blocked a bunch and the Win8 Release Preview I run for one game (I'm a Mac) 'saved' the followers as contacts. I even had the additional 'secure' feature of adding a phone number but apparently once you're in the account you can just change it.
 
I've been a Tweeter for 3 years. I don't use direct messages, ever. Tweeting has been an effective tool, but their direct messages have always been dangerous and useless.
 
I deactivated my Twitter account today for this reason. Even though it's free, it's not worth the hassle of dealing with this hacking issue, bot accounts, and 140 character limitations.
 
Exactly how does the thing work though? You click the link and it gains access to your Twitter account? Apparently it really does--but I'm unclear how. Anyone know?
 
+David Henderson Not like it's worth my time to hack Twitter or Facebook accounts. You'd think more people would phish PayPal accounts, that one has to pay off quicker. But I guess when the stakes go higher, so does the penalty. I mean a kid could hack Twitter accounts and Facebook, but the people that do it in massive numbers and run a link referral service with all the websites to monetize are a special breed.
 
+Phillip Kerman Just off the top of my head, I'd guess it is a drive by browser exploit that hijacks your browser to gain access to your auto-fill saved passwords.
 
It's called cross-site scripting attacks. Anyone using something like Internet Explorer or Microsoft is vulnerable. Oh and SSL was hacked quite some time ago, and HTTPS additionally.
 
I disabled my Facebook account almost 2 years back -- I received an email saying that my account was accessed in Memphis -- :) lol
 
+Robert Scoble This is yet another good reason, NOT to just randomly follow everyone who follows you.

Thanks for the heads-up!
 
Yep, getting some now and then. Never clicked on one though.
 
It is not that hard to fix. For the reply spam, if they just set some participation rules like Reddit or Stack Exchange to build some trust in their account before being able to send links, it would already be a great step. For the DMs, even though they come from people you signaled some trust to (after all, you follow them), if they are sending the same or similar link over and over they should be put on hold: please, Twitter, add a suspected malware inbox. Facebook is doing a great job in this regard right now. LinkedIn also needs to up its game.
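One way to implement the "same or similar link over and over, put it on hold" heuristic from the comment above, as an added example (not Twitter's code and not the commenter's): links are normalized so trivial variations collapse, then any sender who pushes one link to several distinct recipients inside a short window is flagged for a held inbox. The DM records, window and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample DM log: (timestamp, sender, recipient, link).
# "alice" sends the same shortened link to four followers in three minutes;
# "frank" sends two different, legitimate-looking links.
SAMPLE_DMS = [
    ("2012-06-01T10:00:00", "alice", "bob",   "http://bit.ly/abc?ref=1"),
    ("2012-06-01T10:01:00", "alice", "carol", "http://bit.ly/abc?ref=2"),
    ("2012-06-01T10:02:00", "alice", "dave",  "http://BIT.LY/abc#x"),
    ("2012-06-01T10:03:00", "alice", "erin",  "http://bit.ly/abc"),
    ("2012-06-01T11:00:00", "frank", "bob",   "https://example.org/post/1"),
    ("2012-06-01T11:30:00", "frank", "carol", "https://example.org/post/2"),
]

def normalize_link(url):
    """Collapse case, 'www.', query string, fragment and trailing slash so
    'similar' copies of one link from the same sender count as the same link."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/") or "/"
    return f"{host}{path}"

def find_suspect_senders(dms, window=timedelta(hours=1), min_recipients=3):
    """Return {sender: normalized_link} for senders that pushed one link to
    at least `min_recipients` distinct recipients within `window`. Their
    DMs are the candidates for a held / 'suspected malware' inbox."""
    by_key = defaultdict(list)  # (sender, link) -> [(send_time, recipient)]
    for ts, sender, recipient, link in dms:
        key = (sender, normalize_link(link))
        by_key[key].append((datetime.fromisoformat(ts), recipient))
    suspects = {}
    for (sender, link), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                suspects[sender] = link
                break
    return suspects
```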
 
Happened to me on Twitter. Although I'm still unsure if it was really hacked or just one of the services I granted access to my Twitter abusing it. The fact that my PW didn't get changed leads me to think that it might have been the second.
Services like Twitter, which are also a login for other services, should support 2-step verification like Google, Facebook, LastPass and Dropbox do.
Twitter indeed has a huge problem. The spam links and abused accounts seem to be increasing a lot.
 
Oh, I am so sorry that happened to you. When did it happen?
 
To me it happened a month ago or so, but I just noticed it last weekend because someone wrote me that my account had been posting strange links for a while. I barely use Twitter anymore so I didn't really notice it.
 
So when you click a link, is it better to change your password, or does the DM authorize an app that needs to be blocked?
 
+Gabe Rios At least in my case it didn't have to do with any kind of links...they just started spamming fraud links from my account afterwards. But yes, people should be more careful about which apps they give access to their Twitter account in general I think, and revoke the access for apps and sites you no longer use on a regular basis.
 
Agree that this has been a problem - in my case recent and they originate/spoof only one of my Twitter connexions, most of whom are very likely quite tech savvy. Perhaps it may be relevant that the account from which such spam to me originates, though tech savvy (an old compiler hacker) is now blind.
 
+David Elmore My biggest issue with Twitter was its spam and bot problem. It's the downside of having such an open API if they don't have anything useful against spam. Often you just need to have some kinds of words in your tweets to get bot replies with links. Especially if you tweet something about tech stuff like Apple, Android or similar things.
 
Definitely agree with you +Robert Scoble - not sure why more people aren't up in arms about this. Has anyone from Twitter reached out to you yet?
 
I got on Twitter when +Robert Scoble was cheerleading it, around 2004 I think it was, maybe earlier. For a few years, it was valuable, good conversations in 140 characters. The past few years, I post tweets sporadically, and find it has too much noise and the short message length makes real conversations very difficult.

Plus, they changed the user interface and messed it up. The original Twitter was sleek and easy to use. The New Twitter is a design disaster, with, for example, DMs and @ replies in different tabs, which makes no sense at all.
 
Get several daily & delete them. Hard to tell since the company looks legit.
 
So what do we do about these DMs randomly selecting your followers, just delete them? I changed my password, would that help?