Being a security professional is sometimes a difficult thing. Everybody expects you to be wise in terms of security, threats, knowing all different kinds of attacks and so on.
Being phished yourself as a security pro will make people worry even more and they ask seriously how this could happen.
As mentioned before I was phished some days ago and I would like to give you my lessons learnt so that you might be slightly more carefully than I was.
How Was it Done?
I received a direct message from somebody I trust. A colleague. Usually phishing mails – or tweets – are written in a way where you can see that something is wrong. Not in this case because what I learnt from his tweets is that he has a certain way of tweeting and accididentally his way of tweeting matched this direct message.
I was directed to a facebook app which seemed to show twitter videos – whatever that means. It looked like I was not logged into twitter so I tried to log in – and my user account was captured.
Three days later somebody wrote direct messages to my twitter followers asking them to log on to the same web page. I saw that something was going on and changed my password so not all of my followers received this direct message and I sent out two public tweets saying that my account was phished.
What I could have done better?
It is a bad idea to enter social login credentials into an app. When using oauth the machine receives an access token and this may be used y application. There is no need to enter credentials any more. So use the native applications itself to authenticate and do not enter anything anywhere else.
I looked at the facebook application later and found that it looks really similar to the twitter login application. I reviewed the code of this application and saw that it was linked to an external webserver with a real strange name. That should have worried me.
My conclusion is: If I do not know a facebook app I should verify where it comes from and look at the code which tells you where the server is. The easiest way is when opening the sourcecode window of this website and then you will see the server name in the text edit headline. If it looks strange, stay away!
Two very simple things to make yourself more secure.
What did I do else?
You also should verify the apps that have a trust relationship with twitter just in case that anybody installed something there. If you don’t know an app, revoke its access.
Furthermore change ALL your passwords that have the same password as the phished application.
Last but not least: Communicate open that you have been a victim to stop the infection of your followers.
Joerg Asma 