The expansion of microblogging site Twitter has meant that millions of people around the world use it, often at work. Like any online trend, malicious groups are attempting to exploit its popularity and security firm Symantec is warning that this could put businesses at risks as employees tweet from work and risk unintentional infection of IT systems from spammers and cybercriminals.
The way to best solve the problem is not to block Twitter but instead to instruct employees on how it can be used safely, according to Symantec.
The most common way to exploit Twitter users and get them to visit malicious sites is to piggyback on a trending topic, cut out the relevant shortened link and replace it with a similarly shortened link that,instead, sends those who click it to a site which could damage systems, breach security and steal data.
Symantec’s Candid Wueest, said that many Twitter users were unable to differentiate between safe links and those which could be potentially harmful. Wueest pointed out that even when ostensibly reputable websites were the subject of a link, it was possible for the criminals to have hijacked the address and therefore spread viruses and malware in relative secret.
Wueest said that one option to combat the threat from Twitter is to keep up to date security software on all work computers, although this is not the only remedy for the problem.
The operators of Twitter itself are also working to limit the impact of malicious links if not eradicate them completely, by allowing users the chance to expand shortened links before they visit them in order to check up on their veracity. The doubling up of URL shorteners might potentially bypass this technique, but Twitter is hoping to overcome any of these basic circumventions that criminals will attempt.
URL shortening has become prevalent in spam of all kinds, with around 18 per cent of malicious emails sent this year containing a shortened link, which is twice as many as in the previous year according to Symantec.
The last week has been rife with new stories of high profile data loss. The Barnet Council incident has induced fervour in the UK and in the US it has been revealed that 3.3 million students have been affected after a firm providing loans to students lost detailed personal information.
Federal student loans are handled by the Education Credit Management Corporation (ECMC) in the US and millions of its users have been exposed after data was stolen from its Minnesota headquarters last week.
As well as the names and addresses of the affected students, the thieves have been able to get hold of Social Security numbers and birth dates. The ECMC has confirmed that although the loss is significant, no bank details were leaked.
The investigation into the loss at the ECMC is ongoing and, as such, the media has been unable to obtain precise details about the incident. It is understood that at this time there is no indication that the data has been used inappropriately by any third parties.
In other data loss news, it emerged this week that the parent company that owns the Durex brand was unaware that one of its subsidiary’s websites was entirely unsecured, allowing anyone to access the personal information of its users without logging in.
The kohinoorpassion.com customer site contains the orders and personal information of thousands of customers and its owner TTK-LIG was only notified as to the serious security loophole after an inquisitive customer found out almost by accident.
The customer revealed that simply by entering a different order number into the site’s URL, it was possible to bypass login altogether, instantly giving anyone access to the affected customer’s order history, home address and other private information.
Security expert Amichai Shulman commented that he was amazed by the general complacency with which some businesses approach data protection. Mr Shulman pointed out that the increasing sophistication of hackers was not being adequately countered by firms and that basic security measures needed to be tightened across the board.
The personal information of millions of online consumers could be put at risk if the latest phishing enterprise, which targets those paying by Visa, is mistaken as legitimate by innocent customers.
Andrew Brant, a malware prevention blogger, explained in a recent post that consumers should be wary of any emails claiming to have originated from Visa and asking them to follow a link and update their payment card details online. Continue reading