Sophos Cloud Optix
Spammers have managed to hack the account of Twitter phenomenon “ShitMyDadSays”, posting a message to the popular page’s 1.8 million followers.
The tweet, which has since been removed, said:
wow I just got a free dell laptop LOL <LINK>
Hmm.. It strikes me that there’s only word for such a security breach: Sh*t.
Clicking on the link, which at the time of writing is still active, currently redirects users via bit.ly to a “make-money-fast” website:
We have informed bit.ly of the spammer’s link – and hopefully it will be shut down shortly.
In the past, well known figures such as Lindsay Lohan, Guns n’ Roses’ Axl Rose, John C Dvorak and Britney Spears have had their Twitter accounts compromised. In addition, organisations such as the New York Times and BP America, have had their Twitter accounts broken into by hackers.
We’ve also seen other “working from home” scams distributed via Twitter in the past. It’s unlikely that this will be the last.
You’ll notice in the above screenshot it refers to the town of Witney in the headline. That’s probably because the page is doing a GEO-IP lookup to try and tailor the content to be more of interest to me (I’m sitting not a million miles away from that British town).
Of course, it’s quite serious when such a popular Twitter account has its security breached. In theory, malicious hackers could have posted a link to malware or a phishing site – rather than just what appears to be a more traditional spam page.
Justin Halpern, the owner of the ShitMyDadSays Twitter account, has now deleted the offending tweet, and posted an apology to his followers.
http://twitter.com/#!/shitmydadsays/status/2204872732577792
It’s unclear whether his Twitter password was phished, whether it was cracked through a dictionary attack or spyware, or whether he made the mistake of using the same password on multiple websites.
Don’t forget, you should always choose a hard-to-guess non-dictionary word as your Twitter password, and never use the same password on multiple websites.
Watch this video if you don’t yet know how to choose a strong unique password for your different logins.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Or, for those of us who get confused with all that calculating of passwords, you could buy a roboform2go usb or an Ironkey. Simple to use but has complex passwords against those nasty keyloggers.
Doesn’t it make more sense that someone sidejacked his Twitter session with Firesheep?
@Rototechno. No. Why would you think that? Firesheep is only effective against insecure wireless connections. We have no evidence that the victim was using wireless, and even less evidence he was running unencrypted. Don't overestimate the Firesheep threat (which is really the insecure network, HTTP-cookie-sniffing threat).
Graham,
Please create a follow-up password video – I want to see the sequel!
-Mr. Brady
Darnit, 'ShitMy Dad Says' was one of the best hits I found there a couple years ago. He appeared on Leno as well.