If you had someone else’s social networking passwords, what do you think you would do with them?
More importantly, if someone else had your social networking passwords, what do you think they might be able to do?
Here are a few of the things they could do:
1. Make inspired (and, quite possibly, correct) guesses at the passwords you use for other, more important, on-line accounts.
2. Send messages to your chums claiming you’re in trouble and need their help urgently, for example in the form of a cash advance.
3. Sign you up to any number of unwanted or even unsavoury on-line services for which they receive a referral fee.
4. Retrieve information about you and your friends which you have deliberately restricted because you don’t want it publicly known.
5. Victimise other people by sending intimidating or threatening messages, implicating you whilst leaving them untraceable.
6. Persuade your friends to download software which appears to be recommended by someone they trust, but is actually malware.
7. Talk your friends and followers into giving up their usernames and passwords, too, just as you did. GOTO 1.
Walk yourself around the loop above a few times, so you understand the risks – both to yourself and to your friends – of letting other people know your social networking passwords.
And, don’t forget, there are other things they can do, outside the loop, such as:
8. Sell on your credentials into the cybercriminal network.
Talking people out of their passwords is easier than you think. Over a period of just 24 hours or so, a site calling itself AddFollowers managed to do just that – apparently getting thousands of Twitter users to sign up to their service. It worked something like this:
- Enter your Twitter username and password on their site.
- Agree to accept a list of 20 Followers which they send to you.
- Allow them to send out Follow requests to other Twitterers on your behalf, using your username and password.
- Sit back and happily watch your Follower list grow!
By 07:00 Sydney time on Wednesday, 15 July 2009 – assuming their site statistics could be believed – around 8000 Twitterers had already signed up. Each of the 8000 signed-up users would have accepted at least 20 new Followers, all, presumably, from the pool of people who had previously joined, simply as part of the sign-up process.
So the scheme would have worked as a self-fulfilling prophecy, at least for a while, even if the system hadn’t spammed out additional Follow requests from every signed-up user – each of whom would, of course, already have extra Followers to make them look cooler to follow. (In this respect, the AddFollowers system resembles a Ponzi or a pyramid scheme.)
But AddFollowers did generate Twitter spam, and by all accounts, they generated a lot of it. Graham Cluley made a two-minute video showing the extent of this spam, in which you can see new spam turning up even as he records the video.
By noon in Sydney on 15 July, the site appeared to be off the air. The site’s domain name was only registered on 13 July 2009, and within just two days it seemed to have vanished. If you watched Graham’s video, you will surely agree this is a good thing.
Of course, you would never sign up for a scheme like this, would you?
Even if you knew you could trust AddFollowers, your contract with Twitter requires you to keep your password secret, and, naturally, you would comply. After all, that’s why you have a username and a password, not just a username!
So, be careful out there.
Numerous social networking services exist which offer to improve your access to, and your profile within, the social networking scene. But many of them rely on you “lending” them your password so they can operate on your behalf. Some of these services go much further than AddFollowers, asking for passwords to several of your online accounts and offering to act as “site aggregators” for you.
Don’t do it. Don’t hand over your passwords to a third party. Don’t do it at home. Don’t do it at work. Don’t do it for any account.
And if you have handed over any of your passwords, change those passwords, right now!
Oh. There is yet another thing “they” can do with your password, which we didn’t mention above:
9. Change your password so that you are locked out of your account whilst the Bad Guys continue to abuse it.
If (9) has happened, you will almost certainly need to contact the company which operates that account and ask them to help sort out the mess.