A few days ago, I got a direct message on Twitter from a friend with whom I hadn’t spoken in a while. “lol ur famous now,” she wrote, and supplied a link.
Without a thought beyond, “She must have a very loose definition of ‘famous,’” I clicked—and quickly realized something wasn’t right. The link took me to Facebook, where a message popped up telling me I needed to be logged in to access an application. I closed the window without clicking and emailed my friend to let her know that her Twitter account had been hacked.
Apparently, though, plenty of people are going ahead and following instructions, whether out of irresistible curiosity or because they trust links that originate from people they know. Sophos’ Naked Security blog today confirms that this is a malware attack, and that it seems to be spreading.
Variations on the wording include “your in this <link> LoL” and “you even see him taping you <link> that’s awful.” Those who do log in are greeted by a message telling them an update to their YouTube player is needed to view the clip. When they click “install,” Sophos reports, they download a program called “FlashPlayerV10.1.57.108.exe”—a known Trojan with the ability to copy itself onto other machines. From Naked Security:
Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend.
This is far from the first scam to spread via social media. In July reports surfaced of Russian hackers using unsolicited Twitter messages to infect PCs with a nefarious exploit kit. And earlier this year a direct message scam told its targets, “Hey some person is saying horrible things about you.” Nor has Facebook been immune to similar attacks.
Many have pointed out that these types of social-media scams trade on the trust we have in our friends, making them more effective than your standard Nigerian email scam. Of course, your friends’ email accounts can be hacked too. But at least you can generally tell when an email from a friend is written in a voice or style that seems unlike her own.
The beauty of the Twitter direct-message hack is that Twitter’s brevity constraints sometimes force even accomplished writers to construct sentences like “lol ur famous now.” On Twitter, in short, we all write like spammers.