The SocialToo Blog

February 24, 2010

New Variant of “This You???” Worm Surfaces on Twitter

Filed under: Security, Status — Jesse Stay @ 5:31 am

SocialToo has detected a surge in phishing DMs in just the last few hours, all with the text “This you???” followed by one of many URL-shortener links that all redirect to a domain ending in kevanshome.org (DO NOT CLICK! YOU WILL BE TAKEN TO A BEBO-LOOKING PAGE ASKING FOR YOUR BEBO CREDENTIALS – DO NOT LOG IN).

This new variant comes after a slew of phishing DMs over the weekend with similar text, which used a URL redirect service to send users to a bzpharma.net URL asking them to log in with their Twitter credentials.  While we see little sign that Twitter has cleaned up the compromised accounts, we did notice that that particular variant seems to have stopped, and some of those compromised accounts have since begun sending out Viagra ads instead, using the same redirect scheme.

All SocialToo users who have either created at least one DM filter under their Preferences or signed up for the DM e-mails should be protected from this new variant, which started early this morning.  We have blocked over 1,400 DMs from this specific variant so far.  We detected this worm from the first DMs sent out, and we have measures in place to automatically detect future variants.  Users who read their DMs in other clients should still be suspicious: while SocialToo deletes the malicious DMs from your account, not all Twitter clients check whether a DM has since been deleted.  For this reason we recommend you turn on SocialToo DM e-mails and turn off Twitter’s own DM notifications.  Users of that service will not receive any malicious DM that our filters catch.

SocialToo is not a perfect service – some malicious DMs may still get through our filters, so we encourage all users to be cautious with any DM containing a link.  Look at the domain in the link and be certain the URL is actually on twitter.com before providing your credentials.  A good rule of thumb: if a link from a DM takes you to a Twitter login page, do not enter your credentials there.  Instead, type the twitter.com URL into your browser manually.
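The post describes two checks: a DM filter keyed on the worm's message text, and a manual check that a link's final destination really is twitter.com rather than a lookalike or a known phishing domain. The following Python script is an added example of both rules combined and is not SocialToo's code; the filter the post refers to is not published. Its redirect map stands in for following a URL shortener's redirect chain offline (real code would follow HTTP `Location` headers), the lookalike host `twitter.com.login-verify.example` and the sample DMs are constructed for the example, and the blocked domains are the two the post names.

```python
"""Added example, not SocialToo's code: a DM filter for "This you???"-style
phishing DMs.  REDIRECTS and SAMPLE_DMS are constructed for the example."""
import re
from urllib.parse import urlsplit

# Hosts that may legitimately show a Twitter login form.  host_matches()
# accepts the host or any subdomain, never a lookalike such as
# twitter.com.example.org.
TRUSTED_LOGIN_HOSTS = ("twitter.com",)

# Landing domains named in the post.
BLOCKED_DOMAINS = ("kevanshome.org", "bzpharma.net")

# Known worm text, compared against whitespace-normalised lowercase text.
WORM_TEXTS = ("this you???",)

# Constructed stand-in for resolving shortener links; a real filter would
# issue requests and follow Location headers with the same hop limit.
REDIRECTS = {
    "http://bit.ly/abc123": "http://login.kevanshome.org/twitter/",
    "http://tinyurl.com/xyz": "http://twitter.com.login-verify.example/login",
    "http://is.gd/ok1": "https://twitter.com/socialtoo",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Lowercased hostname of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(host, domain):
    """True if host is exactly domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow redirects until a URL that does not redirect; the hop limit
    keeps a redirect loop from hanging the filter."""
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    return url


def filter_dm(dm, redirects=REDIRECTS):
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    text = dm["text"]
    normalised = " ".join(text.lower().split())
    if any(w in normalised for w in WORM_TEXTS):
        return "block", "known worm text"
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)!?")          # drop trailing punctuation
        host = host_of(resolve(url, redirects))
        if any(host_matches(host, d) for d in BLOCKED_DOMAINS):
            return "block", "link resolves to blocked domain " + host
        if "twitter" in host and not any(
                host_matches(host, d) for d in TRUSTED_LOGIN_HOSTS):
            return "warn", "link resolves to Twitter lookalike " + host
    return "allow", ""


def run_filter(dms, redirects=REDIRECTS):
    """Apply filter_dm to each DM; returns [(sender, verdict, reason)]."""
    return [(dm["sender"],) + filter_dm(dm, redirects) for dm in dms]


SAMPLE_DMS = [  # constructed messages, not real DMs
    {"sender": "friend1", "text": "This you??? http://bit.ly/abc123"},
    {"sender": "friend2", "text": "lol check this http://tinyurl.com/xyz"},
    {"sender": "friend3", "text": "new post http://is.gd/ok1"},
    {"sender": "friend4", "text": "hey http://bit.ly/abc123."},
    {"sender": "friend5", "text": "see you at lunch"},
]

if __name__ == "__main__":
    for sender, verdict, reason in run_filter(SAMPLE_DMS):
        print(f"{sender}: {verdict} {reason}")
```

Two design points matter here. The host comparison is done on the parsed hostname, so `twitter.com.login-verify.example` is rejected even though the string starts with `twitter.com`; a substring match would accept it. And the worm-text rule fires before any link is resolved, which is why a filter like this can catch a new variant from its first DM even when the shortener or landing domain has changed.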

We are constantly finding new ways to protect your Twitter DMs when you use the services we provide at SocialToo.  While our automation tools increase the number of DMs some users receive, attacks like this often arrive from the compromised accounts of your closest friends and family.  No sender can be trusted in this case, so please exercise caution with every DM you receive.  This protection is available to all SocialToo users, whether or not you choose to automate – you just need to follow the instructions above to enable it.

As always, follow the @socialtoo account on Twitter for updates on the status of this worm and others.  We will also try to keep you updated on this blog as new worms surface.

March 5, 2009

Stop the Robots With @endautodms

Filed under: Announcements, Security — Jesse Stay @ 4:32 pm

I am brainstorming daily on new ways to rid Twitter of spammy behavior and refocus it on what Twitter is about: communication. Because of this, we killed our auto-DM service. As we mentioned earlier, we have done a 180 and decided that auto-DMs have gotten out of control. If you’re a SocialToo user and this is the first you’re hearing of this, I encourage you to check out that article and see why we’re doing it. Now our entire focus is on making Twitter less spammy, more secure, and a nicer place to communicate and network with others.

Starting today, we’re launching a new, completely public Twitter user, sponsored by SocialToo, to which you can report auto-DMs or spammy behavior on Twitter. If you notice someone sending auto-DMs to you, or behaving in a plainly spammy or robotic way, send their username to @endautodms (note the “s”). The Tweet should look like this (most importantly, it must include “@” followed by the screen name of the spammer):

@endautodms @spammyspammy is showing robot-like behavior

You can include just the screen name, or also the reason they’re being spammy. Our combination of human and automated review (a human will always play a part) will verify that they are spammy, and @endautodms will follow them. Everyone @endautodms follows has been deemed a spammer by our review process.

Anyone can use this list for their own apps, but on SocialToo over the coming days we’ll be working on new ways to let users choose not to auto-follow the users that @endautodms follows. In addition, we’ll probably also provide a whitelist, finally enabling users to actually “opt in” to receiving DMs from specific users.

If you find your name on “the list”, please DM @endautodms with your intention to stop or an explanation (we won’t be convinced that auto-DMs are good, so don’t even try), and we’ll remove you from “the list”. However, it’s three strikes and you’re out: if we continue to get reports after you say you’ve stopped, the third strike guarantees permanent placement on “the list”.

Here’s to a much cleaner SocialSphere. Let’s do what we can to #endautodm!

January 15, 2009

We Don’t Want Your Twitter Password!

Filed under: Announcements, Security — Jesse Stay @ 5:06 am

As we’ve made evident before, we are strong opponents of storing Twitter passwords in plain text, especially when they aren’t needed. For this reason, as of today, we no longer require your Twitter password for anything but auto following, auto unfollowing, and auto replies.

You still need to create a SocialToo account to use the services, but this means you can sign up, as well as edit your existing account, and exclude your Twitter password if all you want to do is:

  • Get the nightly stats e-mail
  • Create Surveys
  • Vote on Surveys
  • Redirect to your Facebook profile

In addition, you do not need to have auto follow or auto unfollow enabled to get the e-mails. So if you or your friends were waiting to join because you were hesitant about handing over your Twitter credentials, you can now be at ease. We’ll be improving the UI over the coming days to accommodate this change.

January 9, 2009

SocialToo.com Values Your Security!

Filed under: Security — Jesse Stay @ 4:26 pm

One of the most frequent questions we’ve had recently concerns the security of SocialToo: if you store your password with us, will it remain secure?  As you may already know, various phishing attacks have made their way around Twitter recently and have put password security, particularly around third-party apps, at the top of everyone’s minds.  As always, we recommend that you be careful who you share your password with, always check the URL of the site you are entering your password on, and change your passwords frequently.  Another good rule of thumb is never to reuse the password from a less-secure website like Twitter on a more secure website such as your bank.

While Twitter has not pointed the finger at any third party apps for these phishing attacks and hacks, they have made known that the issue is specifically related to a hosting provider that we at SocialToo.com are not using (We use Amazon EC2 services for all our servers).  Regardless, we do take your security seriously.  Here are some of the things we are doing to ensure you are in the most secure environment possible:

Frequent Database Reviews

At SocialToo, we review your data frequently while maintaining your anonymity.  We do our best to monitor worm and hacker threats and search frequently to ensure that your accounts have not been compromised.  We also keep an open dialogue with Twitter: were Twitter ever to catch something we had missed and notify us, we would correct the issue immediately.  As of this moment, not a single account on SocialToo has been compromised, and it would be quite hard to do so.  We ask for a separate SocialToo username and password, distinct from your Twitter (or other social network) credentials, precisely so that a compromise of your Twitter account cannot also compromise your SocialToo.com account.

Vocal Advocates of Secure Authorization Technologies

For those who know me personally, you may have read some of my recent blog posts on the subject.  I still argue that Twitter’s adoption of OAuth would have stopped the phishing attacks seen recently.  While I agree it won’t stop all phishing attacks, it would prevent apps such as SocialToo.com from being the cause of such attacks.  We are among the most vocal advocates for this on the Twitter developer mailing lists and elsewhere, and we will continue to support it and other secure technologies.  Twitter’s requiring developers to collect plain-text usernames and passwords is unacceptable in our minds, and the minute Twitter changes this, we will convert immediately so your data remains secure.

Continued Monitoring of Customer Complaints

Another thing that sets us apart from other services is that we monitor your complaints and suggestions religiously.  It doesn’t matter whether you address us directly or not: we track mentions of our name, so if anyone suggests we could be the cause of a phishing attack, we see and review that complaint.  To date, every one of those complaints has been unfounded.  We believe in personal service here, and my hope is that we can continue that personalized service as long as we are able.  If someone suggests we’re the cause of a phishing or hacking attack and you have questions about it, please do not hesitate to contact me personally at jesse@socialtoo.com.

Vocal Advocates of Source Detection Technologies

Another cause we are fighting for at SocialToo is to have Twitter let clients attach their source to the DMs they send on behalf of users.  Ideally, when OAuth is implemented, this should be a required feature, but for now we’ll accept optional.  While we realize this will not stop phishing, it will let you know which DMs come from our service (we will send it with 100% of the DMs we send on behalf of our users), and if anyone spoofs our name or compromises our users’ accounts, we can know immediately.  It will also give you, the user, a little more information about where the DMs you receive come from.  If you think this is a good idea, would you please @reply @ev, @biz, and/or @al3x at Twitter and let them know you would like to see this?  Tag it #dmsource so we can track it.  We will be filing a bug for this shortly, and you can star it when it is ready to show your support as well.

As you can see, we’re doing all we can to ensure your data is secure.  I’m confident it will remain so, and you can feel confident in that too.  It’s a shame that we as app developers have to defend this stance, but I am confident Twitter and other social websites will do the right thing by implementing secure auth standards in the near future.  When they do, we’ll be right there along with them.

(BTW, I’m creating a new category for this for Security – I’m sure this won’t be our last post about security!)

Image Credit: Miles Cox
