What would you do if you were a cybercriminal?

15 Jul 2009 0 Law & order, Malware, Privacy, Social networks, Twitter, Video
by Paul Ducklin


If you had someone else’s social networking passwords, what do you think you would do with them?

More importantly, if someone else had your social networking passwords, what do you think they might be able to do?

Here are a few of the things they could do:

1. Make inspired (and, quite possibly, correct) guesses at the passwords you use for other, more important, on-line accounts.

2. Send messages to your chums claiming you’re in trouble and need their help urgently, for example in the form of a cash advance.

3. Sign you up to any number of unwanted or even unsavoury on-line services for which they receive a referral fee.

4. Retrieve information about you and your friends which you have deliberately restricted because you don’t want it publicly known.

5. Victimise other people by sending intimidating or threatening messages, implicating you whilst leaving them untraceable.

6. Persuade your friends to download software which appears to be recommended by someone they trust, but is actually malware.

7. Talk your friends and followers into giving up their usernames and passwords, too, just as you did. GOTO 1.

Walk yourself around the loop above a few times, so you understand the risks – both to yourself and to your friends – of letting other people know your social networking passwords.

And, don’t forget, there are other things they can do, outside the loop, such as:

8. Sell on your credentials into the cybercriminal network.

Talking people out of their passwords is easier than you think. Over a period of just 24 hours or so, a site calling itself AddFollowers managed to do just that – apparently getting thousands of Twitter users to sign up to their service. It worked something like this:

  • Enter your Twitter username and password on their site.
  • Agree to accept a list of 20 Followers which they send to you.
  • Allow them to send out Follow requests to other Twitterers on your behalf, using your username and password.
  • Sit back and happily watch your Follower list grow!

By 07:00 Sydney time on Wednesday, 15 July 2009 – assuming their site statistics could be believed – around 8000 Twitterers had already signed up. Each of the 8000 signed-up users would have accepted at least 20 new Followers, all, presumably, from the pool of people who had previously joined, simply as part of the sign-up process.

So the scheme would have worked as a self-fulfilling prophecy, at least for a while, even if the system hadn’t spammed out additional Follower requests from every signed-up user – who would, of course, already have additional Followers to make them look cooler to follow. (In this respect, the AddFollowers system resembles a Ponzi or a pyramid scheme.)

But AddFollowers did generate Twitter spam, and by all accounts, they generated a lot of it. Graham Cluley made a two-minute video showing the extent of this spam, in which you can see new spam turning up even as he records the video:

By noon in Sydney on 15 July, the site appeared to be off the air. The site’s name was only registered on 13 July 2009 and within just two days it seemed to have vanished. If you watched Graham’s video, you will surely agree this is a good thing.

Of course, you would never sign up for a scheme like this, would you?

Even if you knew you could trust AddFollowers, your contract with Twitter requires you to keep your password secret, and, naturally, you would comply. After all, that’s why you have a username and a password, not just a username!

So, be careful out there.

Numerous social networking services exist which offer to improve your access to, and your profile within, the social networking scene. But many of them rely on you “lending” them your password so they can operate on your behalf. Some of these services go much further than AddFollowers, asking for passwords to several of your online accounts and offering to act as “site aggregators” for you.

Don’t do it. Don’t hand over your passwords to a third party. Don’t do it at home. Don’t do it at work. Don’t do it for any account.

And if you have handed over any of your passwords, change those passwords, right now!

Oh. There is yet another thing “they” can do with your password, which we didn’t mention above:

9. Change your password so that you are locked out of your account whilst the Bad Guys continue to abuse it.

If (9) has happened, you will almost certainly need to contact the company which operates that account and ask them to help to sort out the mess.
